#2 – IAM Basics

AWS Identity and Access Management (IAM) is a global AWS service used to manage access to AWS resources. When an AWS account is first created, a root account is created automatically. The root user has full access to the account. However, it is best practice not to use the root user for everyday tasks. Instead, you should create IAM users with the appropriate permissions.


IAM Users and Groups

In IAM you can create users and organise them into groups.

Groups contain users, and a user can belong to multiple groups.

Permissions are usually assigned to groups so that all users in the group inherit those permissions.


IAM Permissions

Permissions in IAM are defined using policies.

A policy is a JSON document that describes what actions a user or service is allowed to perform.

When creating a user, you can:

  • Assign the user to a group that already has policies defined
  • Attach an inline policy that applies specifically to that user

A user can therefore:

  • Have an inline policy
  • Belong to a group with permissions
  • Assume a role

If full administrative access is required, it is recommended to create an IAM user with an Administrator policy and use that instead of logging in with the root user.


Types of IAM Policies

Identity-Based Policies

Identity-based policies are attached to an identity, such as:

  • User
  • Group
  • Role

These policies define what actions that identity can perform on AWS resources.


IAM Roles

A role is an identity that can be assumed by:

  • AWS services
  • IAM users
  • Applications

For a user or service to assume a role:

  1. The role must define a trust relationship allowing the principal to perform the sts:AssumeRole action.
  2. The user or service must also have a policy that allows the sts:AssumeRole action.

This allows temporary access to AWS resources without sharing long-term credentials.


Resource-Based Policies

Resource-based policies are attached directly to an AWS resource.

They include a Principal element that specifies which identity is allowed to access the resource.

Example: An S3 bucket policy that defines who can access the bucket.

If a user does not have an identity-based policy allowing an action but is listed as a principal in a resource-based policy, the user can still perform that action on the resource.


Structure of an IAM Policy

IAM policies follow a JSON structure.

Important elements include:

  • Version: the policy language version, always "2012-10-17"
  • Id: optional identifier for the policy
  • Statement: one or more statements, each containing:
    • Sid: optional statement identifier
    • Effect: Allow or Deny
    • Action: list of actions allowed or denied
    • Resource: list of resources the effect applies to
    • Principal: the account/user/role the statement applies to
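To make the policy layout above and the resource-based point from the previous section concrete, here is a small policy evaluator written as an added example for these notes (it is not AWS's own evaluation engine and not code from the page). It assumes the simplified same-account rules: start from implicit Deny, an explicit Deny in any applicable statement wins, and otherwise an Allow in either an identity-based policy or a resource-based policy is sufficient. The account id, user names and bucket name are constructed placeholders; conditions, NotAction, permissions boundaries and SCPs are deliberately left out.

```python
import fnmatch

# Constructed sample policies for this example (not from the page). They use the
# Version / Id / Statement / Sid / Effect / Action / Resource / Principal elements
# described above. The account id, user names and bucket are placeholders.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Id": "ExampleIdentityPolicy",
    "Statement": [
        {
            "Sid": "ReadExampleBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
        },
        {
            "Sid": "NeverDeleteBuckets",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
        },
    ],
}

BUCKET_POLICY = {  # resource-based: attached to the bucket, so it names a Principal
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AliceMayUpload",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
}

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"


def _as_list(value):
    """IAM lets Action/Resource/Principal be a single string or a list."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """IAM wildcard matching: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(stmt, principal_arn):
    """A resource-based statement applies only to the principal(s) it names."""
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return principal_arn in _as_list(principal.get("AWS", []))
    return False


def _applies(stmt, action, resource, principal_arn=None, resource_based=False):
    if resource_based and not _principal_matches(stmt, principal_arn):
        return False
    return (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", []), resource))


def is_allowed(principal_arn, action, resource,
               identity_policies=(), resource_policies=()):
    """Simplified same-account evaluation: implicit Deny by default, an explicit
    Deny in any applicable statement wins, otherwise an Allow from EITHER an
    identity-based OR a resource-based policy grants the request."""
    allowed = False
    for policy in identity_policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    for policy in resource_policies:
        for stmt in policy["Statement"]:
            if _applies(stmt, action, resource, principal_arn, resource_based=True):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    # Alice's identity policy covers reads but not uploads ...
    print(is_allowed(ALICE, "s3:GetObject", obj, [IDENTITY_POLICY]))
    print(is_allowed(ALICE, "s3:PutObject", obj, [IDENTITY_POLICY]))
    # ... the bucket policy that names her as Principal is enough for the upload.
    print(is_allowed(ALICE, "s3:PutObject", obj, [IDENTITY_POLICY], [BUCKET_POLICY]))
    # Bob is not named, and the explicit Deny blocks Alice deleting the bucket.
    print(is_allowed(BOB, "s3:PutObject", obj, [], [BUCKET_POLICY]))
    print(is_allowed(ALICE, "s3:DeleteBucket", "arn:aws:s3:::example-bucket",
                     [IDENTITY_POLICY], [BUCKET_POLICY]))
```

The second and third calls are the case described under Resource-Based Policies: the upload is denied by default when only Alice's identity policy is consulted, and allowed once the bucket policy naming her as Principal is included. The DeleteBucket call shows why an explicit Deny is the safest way to rule something out: it wins regardless of what any other statement allows.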

Password Policies

A password policy allows you to define minimum password requirements for users in your AWS account.

This can include requirements such as:

  • Minimum password length
  • Use of numbers and symbols
  • Password expiration

Multi-Factor Authentication (MFA)

MFA provides an extra layer of security by requiring users to authenticate using:

  • Something they know (password)
  • Something they have (device)

This helps protect AWS accounts from unauthorized access.


MFA Device Options in AWS

AWS supports several MFA device types:

Virtual MFA devices

  • Google Authenticator (single device)
  • Authy (multiple devices)

Security key

  • Universal 2nd Factor (U2F) security key
  • Example: YubiKey

Hardware MFA devices

  • Hardware key fob provided by Gemalto
  • Hardware MFA device for AWS GovCloud provided by
