Configuring AWS Identity and Access Management (IAM)

IAM

AWS IAM is a service that allows you to control who can access your AWS resources and what actions they can perform. It helps manage users, groups, and permissions, ensuring that only authorized individuals and services have access to your resources.

Components of IAM :

  1. Users: IAM users are entities with long-term credentials (username and password or access keys) used to interact with AWS. Each user has specific permissions assigned to them.

  2. Groups: IAM groups are collections of users. They simplify access management by allowing you to set permissions for multiple users simultaneously.

  3. Roles: IAM roles are similar to users, but they are meant for entities that don't represent individuals (e.g., applications, services). Roles have temporary credentials and are used to delegate access across AWS accounts or services securely.

  4. Policies: IAM policies are JSON documents that define permissions. They specify what actions are allowed or denied on which AWS resources. Policies can be attached to users, groups, or roles to control access effectively.

In this article I will explain three scenarios:

  • Scenario 1 - User to Service

  • Scenario 2 - Service to Service

  • Scenario 3 - User - Service to Service

Sign in to the AWS Management Console:

Navigate to IAM:

  • In the AWS Management Console, find and select "IAM" under "Security, Identity & Compliance."

Scenario 1 :

User to Service : Create IAM users and grant them specific permissions (e.g., AmazonEC2FullAccess)

Group Creation :

Create a New Group:

  • Click "User groups" in the left-side menu, then click the "Create group" button to start creating a new IAM group.

Set Group Details:

  • Enter a name for the group. Choose a descriptive name that reflects the purpose or role of the group (e.g., ec2Admin, s3admin).

Attach Policies :

Attach policies directly: Choose one or more policies to attach to the group. These policies define the permissions that the members of the group will inherit.

Create group :

  • Click "Create user group" to finalize and create the IAM group.

The group is now created.

User Creation :

Adding a new IAM user to the IAM group:

  • Click "Users", then click "Create user".

  • Enter the username for the new IAM user. This is the name the user will use to sign in to AWS services.

Select "Autogenerated password" or "Custom password", then click Next.

Set Permissions:

  • Add user to group(s): Assign the user to IAM groups.

Click "Create user".

The console password and a .csv file are now shown.

Download the .csv file and open it.

The user has now been added to the IAM group.

Use the console sign-in URL from the .csv file and enter the IAM user name and password.

The Dinesh user needs to change the password.

Now the Dinesh user can access the EC2 service only.

Now suppose the Dinesh user needs to view the S3 bucket list only; that user does not yet have permission to view the bucket list.

So a policy granting the S3 bucket list view must be added to the Dinesh user.

Note : AWS has many managed (default) policies; you can use one of them if it fits.

Here only the S3 bucket list view is needed, so a new custom policy is created.

Policy creation:

In the left-side menu, click "Policies", then click "Create policy".

Click "Choose a service".

Select the service "S3".

Under Access level, select "ListAllMyBuckets" and select the Read permission.

Enter the policy name "S3viewBucket".

Click "Create policy".

The "S3viewBucket" policy is now created.
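As an added example (not code from the original article), the following writes out the S3viewBucket policy from this section as the JSON document the visual editor produces, a constructed simplified stand-in for AmazonEC2FullAccess, and a small evaluator applying IAM's default-deny and explicit-deny-wins rules, so you can check offline why Dinesh could reach EC2 but not the bucket list until the custom policy was attached. The evaluator only models Action/Resource wildcards, not conditions or resource-based policies.

```python
import fnmatch

# Custom policy from the article: read-only listing of the account's buckets.
# Only s3:ListAllMyBuckets is granted; bucket contents and objects stay denied.
S3_VIEW_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}],
}

# Simplified stand-in for the AmazonEC2FullAccess managed policy (constructed here;
# the real managed policy also grants related ELB/CloudWatch/Auto Scaling actions).
EC2_FULL_ACCESS_SIMPLIFIED = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(value, patterns, case_sensitive):
    """IAM-style wildcard match: '*' and '?' in the policy pattern."""
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policies, action, resource="*"):
    """Evaluate identity-based policies for one request the way IAM does: implicit
    deny unless some statement allows, and an explicit Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are not.
            if not _matches(action, _as_list(stmt.get("Action", [])), False):
                continue
            if not _matches(resource, _as_list(stmt.get("Resource", [])), True):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    dinesh = [EC2_FULL_ACCESS_SIMPLIFIED]                # group policy from scenario 1
    print(is_allowed(dinesh, "ec2:DescribeInstances"))   # True
    print(is_allowed(dinesh, "s3:ListAllMyBuckets"))     # False: implicit deny
    dinesh.append(S3_VIEW_BUCKET_POLICY)                 # attach the custom policy
    print(is_allowed(dinesh, "s3:ListAllMyBuckets"))     # True
    print(is_allowed(dinesh, "s3:GetObject", "arn:aws:s3:::dinesh-credentials/key"))  # False
```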

This policy now needs to be attached to the Dinesh user.

Go to Users and select the "dinesh" user.

Click "Add permissions".

Click "Attach policy directly", then search for "S3viewBucket" and select it.

Then click Next.

Click "Add permissions".

The policy is now attached.

Now the Dinesh user can access the S3 bucket list.

Log in to the AWS console as the IAM user.

The Dinesh user can now see the bucket list.

Scenario 2 : Service to Service

AWS services need to interact with each other to perform tasks, such as an EC2 instance needing to access an S3 bucket or any other services.

Role Creation :

Click "Roles" in the left-side menu, then click "Create role".

Choose the service that will use this role. For example, if you are creating a role for an EC2 instance to view the S3 bucket list, select "EC2".

Add the "S3viewBucket" permission policy and click Next.

Enter the role name.

Click "Create role".

The "EC2-S3" role is now created.

Now I will create two EC2 instances, one with the IAM role and one without, to show how IAM roles work.

1st instance : EC2 with IAM role

2nd instance : EC2 without IAM role

Both EC2 instances are now launched.

Now I open the instance with the IAM role through PuTTY.

aws s3 ls

On the role-attached instance we can see the bucket "dinesh-credentials" in the list.

Now I open the instance without the IAM role through PuTTY.

aws s3 ls

The command fails with "Unable to locate credentials". In this case scenario 3 is needed.

Scenario 3 : User - Service to Service

The Dinesh user already has permission to view the S3 bucket list, so we configure the Dinesh user's credentials on this instance. After that, we can see the S3 bucket list.

Enter the "aws configure" command in the terminal:

aws configure

It then prompts for:

AWS Access Key ID

AWS Secret Access Key

Default region name

Default output format

Enter all four values.

Now we can see the S3 bucket list:

aws s3 ls
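As an added example (not code from the original article), this Python shows what the four aws configure prompts in scenario 3 produce on disk and how the CLI then picks credentials, in a simplified version of its provider chain: environment variables first, then the shared credentials file, then the instance role via the metadata service. The key values are constructed placeholders and the metadata lookup is stubbed as a dictionary.

```python
import configparser

def aws_configure(access_key_id, secret_access_key, region, output="json"):
    """Produce the two INI files `aws configure` writes for the [default]
    profile: ~/.aws/credentials (the keys) and ~/.aws/config (region, output)."""
    credentials = (
        "[default]\n"
        f"aws_access_key_id = {access_key_id}\n"
        f"aws_secret_access_key = {secret_access_key}\n"
    )
    config = f"[default]\nregion = {region}\noutput = {output}\n"
    return credentials, config

def resolve_credentials(env, credentials_file=None, instance_role=None):
    """Simplified CLI credential provider chain. Returns (source, access_key_id),
    or None, which is the case the CLI reports as 'Unable to locate credentials'."""
    if env.get("AWS_ACCESS_KEY_ID") and env.get("AWS_SECRET_ACCESS_KEY"):
        return ("environment", env["AWS_ACCESS_KEY_ID"])
    if credentials_file:
        ini = configparser.ConfigParser()
        ini.read_string(credentials_file)
        profile = env.get("AWS_PROFILE", "default")
        if ini.has_option(profile, "aws_access_key_id"):
            return ("shared-credentials-file", ini.get(profile, "aws_access_key_id"))
    if instance_role:  # role attached to the instance: short-lived keys from IMDS
        return ("instance-role:" + instance_role["RoleName"], instance_role["AccessKeyId"])
    return None

if __name__ == "__main__":
    # Scenario 2: the role-attached instance (IMDS response shape simplified).
    role = {"RoleName": "EC2-S3", "AccessKeyId": "ASIAEXAMPLEROLEKEY00"}
    print(resolve_credentials({}, instance_role=role))
    # The instance without a role: nothing in the chain, so the CLI errors out.
    print(resolve_credentials({}))  # None
    # Scenario 3: aws configure with Dinesh's long-term keys (placeholder values).
    creds, cfg = aws_configure("AKIAEXAMPLEDINESH000", "EXAMPLE_SECRET_NOT_REAL", "us-east-1")
    print(resolve_credentials({}, credentials_file=creds))
```

The role-backed instance receives rotating temporary credentials from the metadata service, while aws configure leaves Dinesh's long-term keys in plain text under ~/.aws, which is why scenario 2 is the preferred pattern whenever the caller is itself an AWS service.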

Conclusion :

AWS IAM is essential for securing your AWS resources by controlling who can access them and how they can interact. Following IAM best practices strengthens security and ensures compliance with industry standards. Embracing IAM is crucial for establishing a robust and dependable cloud infrastructure.