In the world of cloud computing, Amazon Web Services (AWS) stands out as a dominant force, offering a vast array of services to cater to various business needs. One such service, crucial to maintaining the security and order of all the other services, is AWS Identity and Access Management (IAM). In this blog, we’ll dive into the essentials of AWS IAM, its components, and best practices.
What is AWS IAM?
AWS Identity and Access Management (IAM) is a free web service provided by Amazon that allows administrators to manage users, groups, roles, and their associated permissions in AWS. IAM's primary goal is to ensure that you have granular control over who can access your AWS resources and what actions they can perform.
Core Components of AWS IAM:
Users: These are the individuals, applications, or services that interact with AWS resources. An IAM user has unique credentials that can be used to authenticate and access AWS resources.
Groups: A way to combine multiple users, simplifying permission assignments. For instance, you can have a 'DevOps' group and assign permissions relevant to your DevOps team.
Roles: Unlike users, roles don't have a predefined set of credentials. Instead, entities assume a role for temporary access to resources. This is particularly useful for AWS services to communicate with each other or for granting temporary access.
Policies: A document that defines permissions. It dictates what actions, on which resources, and under what conditions the user, group, or role can perform. Policies are attached to the above entities to grant permissions.
What's the Difference Between Roles and Policies in AWS?
The difference between IAM roles and policies in AWS is that a role is a type of IAM identity that can be authenticated and authorized to utilize an AWS resource, whereas a policy defines the permissions of the IAM identity.
Best Practices in AWS IAM:
Least Privilege Principle: Always grant only the permissions required to perform a task. Start with a minimum set of permissions and grant additional permissions as necessary.
Regularly Audit IAM Settings: Periodically review and revise IAM roles, permissions, and other settings to ensure they comply with your organization’s needs.
Enable Multi-Factor Authentication (MFA): Add an extra layer of security by enabling MFA for your AWS users.
Avoid Using Root Account: Instead of using your AWS account root user for everyday tasks, create individual IAM users for better auditability and control.
Rotate Credentials: Regularly change IAM access keys and credentials to reduce the risk associated with keys being compromised.
Use IAM Roles for Amazon EC2: Instead of using static AWS access keys, use IAM roles to delegate permissions to applications running on EC2 instances.
Benefits of AWS IAM:
Centralized Control: IAM gives you a centralized way to manage users, roles, and permissions.
Fine-grained Permissions: You can grant unique permissions for every AWS resource.
Improved Security: With MFA and granular policies, you can enhance the security of AWS resource access.
Flexibility: IAM allows you to grant permissions temporarily, useful for scenarios like cross-account access or establishing trust relationships across AWS accounts.
Integration with Many AWS Services: IAM is integrated with various AWS services, enabling you to set permissions for a wide range of AWS resources.
Task1:
Create an IAM user with username of your own wish and grant EC2 Access. Launch your Linux instance through the IAM user that you created now and install jenkins and docker on your machine via a single Shell Script.
Login to your AWS Console and Search IAM in your Services. Here is an interesting thing to notice, if you see the region is N.Verginia here. In the next window, it will be different.
If you zoom a little on the right corner. The region is Global , AWS Identity and Access Management (IAM) and AWS Security Token Service (AWS STS) are self-sustaining, Region-based services that are available globally. IAM is a critical AWS service. Every operation performed in AWS must be authenticated and authorized by IAM.
Click on Users
Click on Create User
Now, Give User name, Select I want to create an IAM User, Give Custom Password, check on User must create new password on next sign in, Click on Next
Here We are adding Following Permissions to user 1- AmazonEC2FullAccess - To Launch EC2 Instance 2- EC2InstanceConnect - To Connect to EC2 Instance
Review and Create
Your User Created Successfully! See The Sign in info to connect.
You can see some more property details of your user
Login to user
Update your password to continue
After Login see on the right corner of your window, it is showing your username
Now Let's Lauch an EC2 Insatnce, OS Image- Ubuntu, t2micro and other all defaults and Launch
Instance Launched Successfully.
Once status changes to Running, Connect it
Keep user default as Ubuntu and Click on Connect
Now we will be installing Jenkins and Docker using shell script. create a file called InstallJenkinsDocker.sh and write below in it
#!/bin/bash
sudo apt update -y
sudo apt install openjdk-8-jdk
curl -fsSL https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key | sudo tee \
/usr/share/keyrings/jenkins-keyring.asc > /dev/null
echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \
https://pkg.jenkins.io/debian-stable binary/ | sudo tee \
/etc/apt/sources.list.d/jenkins.list > /dev/null
sudo apt update -y
sudo apt install jenkins -y
sudo systemctl start jenkins
sudo apt update -y
sudo apt install docker.io -y
sudo systemctl start docker
Make file InstallJenkinsDocker.sh executable and run above shell script
chmod +x InstallJenkinsDocker.sh
bash InstallJenkinsDocker.sh
You can check the status of Jenkins as follow:
sudo systemctl status jenkins
Status of Docker:
sudo systemctl status docker
Done! 💃
Task2:
In this task you need to prepare a devops team of avengers. Create 3 IAM users of avengers and assign them in devops groups with IAM policy - S3 Full access
Create 3 Users on following the steps mentioned in Task1.
Create a Group- DevOps_Avengers
Click on User groups and Create Group
Give Group Name and select users which are part of this group
Scroll Down and select permission policy and Create group
Now your group got created, Click on your group to verify the details : See users and Permission
Group Created!
Conclusion:
As businesses increasingly migrate to the cloud, the importance of effective and secure access management can't be overemphasized. AWS IAM provides a robust and flexible framework for managing access to AWS resources. By understanding and implementing best practices, businesses can ensure both security and efficiency in their cloud operations.