IAM
AWS IAM is a service that allows you to control who can access your AWS resources and what actions they can perform. It helps manage users, groups, and permissions, ensuring that only authorized individuals and services have access to your resources.
Components of IAM :
Users: IAM users are entities with long-term credentials (username and password or access keys) used to interact with AWS. Each user has specific permissions assigned to them.
Groups: IAM groups are collections of users. They simplify access management by allowing you to set permissions for multiple users simultaneously.
Roles: IAM roles are similar to users, but they are meant for entities that don't represent individuals (e.g., applications, services). Roles have temporary credentials and are used to delegate access across AWS accounts or services securely.
Policies: IAM policies are JSON documents that define permissions. They specify what actions are allowed or denied on which AWS resources. Policies can be attached to users, groups, or roles to control access effectively.
In this article I will explain three scenarios:
Scenario 1 - User to Service
Scenario 2 - Service to Service
Scenario 3 - User - Service to Service
Sign in to the AWS Management Console:
- Go to the AWS Management Console at https://aws.amazon.com/console/.
Navigate to IAM:
- In the AWS Management Console, find and select "IAM" under "Security, Identity & Compliance."
Scenario 1 :
User to Service : Create IAM users and grant specific permissions (e.g., AmazonEC2FullAccess)
Group Creation :
Create a New Group:
- Click "User groups" in the left-side menu, then click the "Create group" button to start creating a new IAM group.
Set Group Details:
- Enter a name for the group. Choose a descriptive name that reflects the purpose or role of the group (e.g., ec2Admin, s3admin).
Attach Policies :
Attach policies directly: Choose one or more policies to attach to the group. These policies define the permissions that the members of the group will inherit.
Create group :
- Click "Create user group" to finalize and create the IAM group.
The group is now created.
User Creation :
Adding a new IAM user to the IAM group:
- Click "Users", then click "Create user".
- Enter the username for the new IAM user. This is the name the user will use to sign in to AWS.
- Select "Autogenerated password" or "Custom password", then click Next.
Set Permissions:
- Add user to group(s): Assign the user to IAM groups.
- Click "Create user".
Now we can see the console password and a .csv file.
Download the .csv file and open it.
The user has now been added to the IAM group.
Use the console sign-in URL from the .csv file, then enter the IAM user name and password.
The Dinesh user needs to change the password.
Now, the Dinesh user can access the EC2 service only.
Next, the Dinesh user needs to view the S3 bucket list only, but that user does not have permission to view the bucket list.
At this point, we need to add a policy for S3 bucket list view to the Dinesh user.
Note: AWS has a lot of default (AWS managed) policies; if one fits, you can use a default policy.
Here we need access to the S3 bucket list view only, so we need to create a new (customized) policy.
Policy creation:
In the left-side menu, click "Policies", then click "Create policy".
Click "Choose a service".
Select the service "S3".
Under "Access level", select "ListAllMyBuckets" (a read-only permission).
Enter the policy name "S3viewBucket".
Click "Create policy".
The "S3viewBucket" policy is now created.
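As an added example (not from the article), here is what the "S3viewBucket" policy looks like as the JSON document the console generates from the selections above, together with a small, simplified evaluator that mirrors how IAM decides a request: an explicit Deny wins, then an Allow, otherwise the request is implicitly denied. The EC2 policy and the deny statement are constructed stand-ins for this demonstration, not the real AmazonEC2FullAccess managed policy.

```python
import fnmatch
import json

# Constructed example of the document the console generates for the article's
# "S3viewBucket" policy (service S3, action ListAllMyBuckets, read only).
S3_VIEW_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3viewBucket",
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "*",
        }
    ],
}

# Constructed stand-in for an EC2 administration policy (the real
# AmazonEC2FullAccess managed policy is longer); enough to model "EC2 only".
EC2_ADMIN_LIKE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

# Constructed explicit deny, to show that a Deny overrides any Allow.
DENY_ALL_S3 = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match ('*', '?') as used in policy Action and Resource fields;
    the comparison is case-insensitive, as IAM action names are."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Simplified identity-policy evaluation across all attached policies.

    Precedence: explicit Deny > Allow > implicit Deny.
    Ignores Condition, NotAction/NotResource, permission boundaries and
    resource-based policies, which real IAM also consults.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt or "Resource" not in stmt:
                continue  # NotAction / NotResource statements are out of scope here
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"  # a single matching Deny ends evaluation
                decision = "Allow"
    return decision


def policy_document(policy):
    """Serialise a policy dict to the JSON text pasted into the console's
    JSON editor or passed to `aws iam create-policy --policy-document`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    # Before S3viewBucket is attached, the user (EC2 access only) cannot list buckets.
    print(evaluate([EC2_ADMIN_LIKE], "s3:ListAllMyBuckets"))                  # ImplicitDeny
    # After attaching S3viewBucket, `aws s3 ls` is allowed ...
    print(evaluate([EC2_ADMIN_LIKE, S3_VIEW_BUCKET], "s3:ListAllMyBuckets"))  # Allow
    # ... but reading an object inside a bucket is still not.
    print(evaluate([EC2_ADMIN_LIKE, S3_VIEW_BUCKET], "s3:GetObject",
                   "arn:aws:s3:::dinesh-credentials/secret.txt"))             # ImplicitDeny
    print(policy_document(S3_VIEW_BUCKET))
```

The point to take from the evaluator is the one the article relies on: attaching "S3viewBucket" grants exactly the bucket-listing action and nothing else, so `aws s3 ls` works while any other S3 call stays implicitly denied until a further policy allows it.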
Now we need to assign this policy to the Dinesh user.
Go to "Users" and select the "dinesh" user.
Click "Add permissions".
Click "Attach policies directly", then search for "S3viewBucket" and select it.
Click Next.
Click "Add permissions".
The policy is now attached.
The Dinesh user can now access the S3 bucket list.
Log in to the AWS console as the IAM user.
Now the Dinesh user can see the bucket list.
Scenario 2 : Service to Service
AWS services need to interact with each other to perform tasks, such as an EC2 instance needing to access an S3 bucket or any other services.
Role Creation :
Click "Roles" in the left-side menu, then click "Create role".
Choose the service that will use this role. For example, if you are creating a role for an EC2 instance to view the S3 bucket list, select "EC2".
Add the "S3viewBucket" permission and click Next.
Enter the role name.
Click "Create role".
The "EC2-S3" role is now created.
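As an added example (not from the article), this is the trust policy the console attaches to the role when "EC2" is chosen as the trusted service. It is what lets the EC2 service obtain temporary credentials for the instance, while the "S3viewBucket" permissions policy attached in the previous step decides what those credentials may do:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Two documents therefore govern the role: the trust policy says who may assume it (here, only the EC2 service), and the permissions policy says what the assumed role may do (here, only list buckets).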
Now I will create two EC2 instances, one with the IAM role and one without, to show how IAM roles work.
1st instance: EC2 with the IAM role
2nd instance: EC2 without the IAM role
Now I have successfully launched both EC2 instances.
First, I open the instance with the IAM role through PuTTY and run:
aws s3 ls
Now we can see the bucket "dinesh-credentials" in the list (instance with the role attached).
Next, I open the instance without the IAM role through PuTTY and run:
aws s3 ls
This fails with "Unable to locate credentials", so for this instance we need scenario three.
Scenario 3 :
User - Service to Service
The Dinesh user already has permission to view the S3 bucket list, so we need to configure the Dinesh user's credentials on this instance. After that, we can see the S3 bucket list.
Enter the "aws configure" command in the terminal:
aws configure
It will then ask for:
AWS Access Key ID
AWS Secret Access Key
Default region name
Default output format
Enter all the details.
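As an added note (not part of the original article), `aws configure` stores the four values it asks for in two plain-text files in the user's home directory; the key values and region below are placeholders, not values from the article. Because these are the user's long-term access keys sitting on the instance, the role-based setup of scenario 2 is the preferred option wherever it is available, and keys placed this way should be removed or rotated when the instance no longer needs them.

```ini
# ~/.aws/credentials  (written by `aws configure`; placeholder values)
[default]
aws_access_key_id = <ACCESS_KEY_ID_PLACEHOLDER>
aws_secret_access_key = <SECRET_ACCESS_KEY_PLACEHOLDER>

# ~/.aws/config  (region and output format; example values)
[default]
region = us-east-1
output = json
```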
Now, we can see the S3 bucket list.
aws s3 ls
Conclusion :
AWS IAM is essential for securing your AWS resources by controlling who can access them and how they can interact. Following IAM best practices strengthens security and ensures compliance with industry standards. Embracing IAM is crucial for establishing a robust and dependable cloud infrastructure.