IAM Core Concepts

Published at
4/15/2022
Categories
iam
aws
policy
access
Author
noyonict

Identity and Access Management (IAM)

  • IAM is a core AWS service that controls access to resources.
  • Resources are the entities you create in AWS, e.g. an S3 bucket or object, a DynamoDB table, a Lambda function, an EC2 instance.
  • Users and roles attempt to perform actions on resources, e.g. s3:CreateBucket, s3:ListBucket.
  • Whether a user or role is authorized to perform an action is decided by a policy.

Example:
Suppose Jon is a new IAM user with no permissions and he wants to create an S3 bucket. If he tries to call CreateBucket through the API or from the console, he gets Access Denied: by default, everything is denied. You need to attach a policy to Jon that allows this action.

This is an example of a Policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Effect": "Allow",
      "Action": [
        "s3:createBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket"
      ]
    },
    {
      "Sid": "AllowStatement2",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

Go to the IAM console. Then from Policies click create Policy button:


  • Version: The version of the policy language used by this document.

  • Statement: Statement is an array. We can add multiple different statements to a single policy document; every permission is written inside this Statement block.

    • Sid: Just a name for your policy statement.
    • Effect: Either Allow or Deny. If we want to allow something we use Allow; if we want to explicitly deny something we use Deny. By default everything is denied.
    • Action: This is where we put the permissions. We can list multiple permissions and use wildcards (for example, s3:*). Here we give the S3 create-bucket permission.
    • Resource: Resource reduces the scope of the action; * means everything. Here we let him create one specific bucket, which must be named example-bucket. Otherwise he will get Access Denied.

Effects of AllowStatement1: AllowStatement1 allows the user to create the bucket, whose name must be 'example-bucket'.

Effects of AllowStatement2: AllowStatement2 allows the user every S3 action on the objects inside that specific bucket (the resource is example-bucket/*). That means Jon can do whatever he wants with the contents of that bucket.

How an IAM policy works

  • The decision starts with Deny by default.

  • IAM then evaluates all applicable policies (only statements that match the action, resource and conditions of the request apply).

  • It first looks for an explicit Deny. If any applicable statement explicitly denies the action, the final decision is Deny.

  • If there is no explicit Deny, it looks for an explicit Allow. If it finds one, the final decision is Allow.

  • If there is no explicit Allow for the action, the final decision is Deny.

Example: granting a user access to a specific folder in a bucket

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowStatement1",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Sid": "AllowStatement2",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-bucket"
      ],
      "Condition": {
        "StringEquals": {
          "s3:prefix": [
            "",
            "example-folder"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement3",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::example-bucket"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "example-folder/*"
          ]
        }
      }
    },
    {
      "Sid": "AllowStatement4",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/example-folder/*"
      ]
    },
    {
      "Sid": "AllowStatement5",
      "Effect": "Deny",
      "Action": [
        "s3:Delete*"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket/example-folder/*"
      ]
    }
  ]
}

  • AllowStatement1 allows the user to list the buckets that belong to their AWS account. The user needs this permission to navigate to the bucket in the console.

  • AllowStatement2 allows the user to list the folders within example-bucket, which they need to navigate to the folder in the console. The statement also allows the user to search on the prefix example-folder/ in the console.

  • AllowStatement3 allows the user to list the contents of example-bucket/example-folder.

  • AllowStatement4 allows the user to download objects (s3:GetObject) from the folder example-bucket/example-folder.

  • AllowStatement5 denies the user every action whose name starts with Delete (s3:Delete*) on the folder example-bucket/example-folder. That means he can't delete anything inside that folder, even if another statement allows it.
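To make the evaluation order above concrete, here is a small policy evaluator, written for this page and not part of the original post or of any AWS library, that applies the folder policy (reproduced as data) to sample requests. It assumes the request is described by an action name, a resource ARN and a context map holding condition keys such as s3:prefix, models only the StringEquals and StringLike operators the post uses, and follows the rules the post lists: default Deny, explicit Deny wins over any Allow, otherwise Allow if some statement allows, else implicit Deny. The BROAD_ALLOW policy is a constructed second policy used to show that an s3:* Allow does not override AllowStatement5.

```python
import fnmatch

# The folder-scoped policy from the post, reproduced as Python data.
FOLDER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowStatement1", "Effect": "Allow",
         "Action": ["s3:ListAllMyBuckets", "s3:GetBucketLocation"],
         "Resource": ["arn:aws:s3:::*"]},
        {"Sid": "AllowStatement2", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket"],
         "Condition": {"StringEquals": {"s3:prefix": ["", "example-folder"]}}},
        {"Sid": "AllowStatement3", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket"],
         "Condition": {"StringLike": {"s3:prefix": ["example-folder/*"]}}},
        {"Sid": "AllowStatement4", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket/example-folder/*"]},
        {"Sid": "AllowStatement5", "Effect": "Deny", "Action": ["s3:Delete*"],
         "Resource": ["arn:aws:s3:::example-bucket/example-folder/*"]},
    ],
}

# Constructed extra policy: a broad Allow that still loses to the explicit Deny.
BROAD_ALLOW = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "BroadAllow", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}],
}


def _as_list(value):
    """IAM allows Action/Resource/condition values as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(patterns, value, case_sensitive):
    """Match value against IAM-style patterns (* and ? wildcards).
    Action names are case-insensitive; resource ARNs are case-sensitive."""
    for pattern in patterns:
        if case_sensitive:
            if fnmatch.fnmatchcase(value, pattern):
                return True
        elif fnmatch.fnmatchcase(value.lower(), pattern.lower()):
            return True
    return False


# Only the two condition operators used in the post are modelled (assumption).
_OPERATORS = {
    "StringEquals": lambda actual, expected: actual == expected,
    "StringLike": lambda actual, expected: fnmatch.fnmatchcase(actual, expected),
}


def _condition_met(condition, context):
    """Every operator block must hold; the values listed for one key are OR-ed;
    a key absent from the request context makes the condition fail."""
    for operator, keys in (condition or {}).items():
        test = _OPERATORS[operator]
        for key, expected in keys.items():
            if key not in context:
                return False
            if not any(test(context[key], e) for e in _as_list(expected)):
                return False
    return True


def _applies(stmt, action, resource, context):
    return (_glob_match(_as_list(stmt.get("Action")), action, case_sensitive=False)
            and _glob_match(_as_list(stmt.get("Resource")), resource, case_sensitive=True)
            and _condition_met(stmt.get("Condition"), context))


def evaluate(policies, action, resource, context=None):
    """Return ("Allow", sid), ("Deny", sid) for an explicit deny,
    or ("Deny", None) for the implicit default deny."""
    context = context or {}
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", stmt.get("Sid")   # explicit Deny ends evaluation
            if allowed_by is None:
                allowed_by = stmt.get("Sid", "<unnamed>")
    if allowed_by is not None:
        return "Allow", allowed_by
    return "Deny", None


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/example-folder/report.csv"
    print(evaluate([FOLDER_POLICY], "s3:ListBucket", "arn:aws:s3:::example-bucket",
                   {"s3:prefix": "example-folder/2022"}))
    print(evaluate([FOLDER_POLICY, BROAD_ALLOW], "s3:DeleteObject", obj))
```

Two things worth noticing when you run it: a ListBucket request whose context carries no s3:prefix at all is denied, because a missing condition key fails StringEquals even though "" is listed; and the order in which the policies are handed to evaluate does not matter for the delete request, since an explicit Deny found after an Allow still ends evaluation with Deny.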

Other Important Concepts

Groups: Allow the admin or owner to group policies or permissions for users. One group can be attached to multiple users, and one user can be in multiple groups. A user gets the access defined in the group(s) they belong to.

To create a group, go to the IAM console. From the User groups tab click 'Create group'.

You can select as many policies as you need for this group (search to filter the list). You can add users to the group here, or later from the Users tab.


Users: A person who will use this AWS account.

To create a user, go to the IAM console. From the Users tab click 'Add users'.

You can give programmatic access only, AWS console access only, or both; select what your requirements call for:


You can add the user to a group, copy permissions from an existing user, or attach existing policies directly:


Roles: A role is similar to a user in that it has policy documents attached, but it is used to grant limited or temporary access to users or services.

  • A role can be used by a user via sts:AssumeRole together with the role's 'Trust relationships'.
  • A role can be used by a resource (an AWS service).

To create a role, go to the IAM console. From the Roles tab click 'Create role'. It asks for policies: select as many as you want for this role and create it.


Trust Relationships: A trust relationship can exist between two AWS accounts, between two roles, or between a role and a user.

Example between two separate AWS accounts:
Suppose we have two AWS accounts:
Account_1
Account_2

Both accounts need to allow the trust relationship:

  • Account_1 should have a role whose trust relationship names Account_2's user or role.


  • Account_2 should give that user or role permission to call sts:AssumeRole on the Account_1 role.


Note: the trusted party can be a single user or role, a group, or all users and roles in the account.
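The two halves of a cross-account trust relationship are easy to get out of step, so here is an added example (not part of the post, and not AWS code) that writes both documents for the scenario above and checks that they agree. The account IDs 111111111111 and 222222222222, the role name CrossAccountAuditRole and the user name jon are constructed placeholders. TRUST_POLICY is the trust relationship on Account_1's role; USER_POLICY is the permission policy on Account_2's user. The helpers also recognise the "all users and roles" variant from the note (the trust policy naming Account_2's root) and flag a trust policy that names "*" as its principal, which is the case a reviewer should always look for.

```python
import fnmatch

# Constructed placeholder account IDs and names; not real accounts.
ACCOUNT_1 = "111111111111"   # owns the role that will be assumed
ACCOUNT_2 = "222222222222"   # owns the user who assumes it
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_1}:role/CrossAccountAuditRole"  # hypothetical role
USER_ARN = f"arn:aws:iam::{ACCOUNT_2}:user/jon"                    # hypothetical user

# First half: the trust policy on Account_1's role names who may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": USER_ARN},
                   "Action": "sts:AssumeRole"}],
}

# Second half: the permission policy on Account_2's user allows the call.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "sts:AssumeRole",
                   "Resource": ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    # arn:aws:iam::ACCOUNT:user/name -> ACCOUNT
    return arn.split(":")[4]


def _aws_principals(stmt):
    """Principal may be the string "*" or a dict with an AWS entry (string or list).
    A bare account ID is IAM shorthand for that account's root."""
    principal = stmt.get("Principal", {})
    raw = principal if isinstance(principal, str) else principal.get("AWS", [])
    return [f"arn:aws:iam::{p}:root" if p.isdigit() else p for p in _as_list(raw)]


def trust_allows(trust_policy, principal_arn):
    """Does the role's trust policy let principal_arn call sts:AssumeRole?
    The principal itself, its account root (which delegates the decision to
    that account's own IAM policies) or "*" (anyone) all count as trusted."""
    root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principals = _aws_principals(stmt)
        if principal_arn in principals or root in principals or "*" in principals:
            return True
    return False


def permission_allows(user_policy, role_arn):
    """Does the caller's own policy allow sts:AssumeRole on role_arn?
    Same rule as everywhere in IAM: an explicit Deny beats any Allow."""
    allowed = False
    for stmt in user_policy["Statement"]:
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(trust_policy, user_policy, principal_arn, role_arn):
    """A cross-account AssumeRole succeeds only when both halves agree."""
    return trust_allows(trust_policy, principal_arn) and permission_allows(user_policy, role_arn)


def open_trust_statements(trust_policy):
    """Sids (or positions) of Allow statements that trust "*": anyone with an
    AWS account could assume the role if nothing else restricts it."""
    found = []
    for i, stmt in enumerate(trust_policy["Statement"]):
        if stmt["Effect"] == "Allow" and "*" in _aws_principals(stmt):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


if __name__ == "__main__":
    print("jon can assume the role:", can_assume(TRUST_POLICY, USER_POLICY, USER_ARN, ROLE_ARN))
    print("open trust statements:", open_trust_statements(TRUST_POLICY))
```

Removing either half breaks the chain: if Account_1's trust policy does not name the principal, trust_allows is False no matter what Account_2 grants, and if Account_2 never grants sts:AssumeRole on the role ARN, permission_allows is False even though the role trusts the user.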

Summary

In this post, I showed "What is IAM and how does it work: IAM core features." Try to understand IAM very clearly; it will give you a better experience with cloud computing.

To learn more, read the AWS IAM documentation.

Thanks for reading! Happy Cloud Computing!

Connect with me: Linkedin
