Identity and Access Management

AWS Identity and Access Management or IAM is a web service that provides secured access control mechanisms for all AWS services. You can use IAM to create users and groups, assigning users specific permissions and policies, and a lot more. The best part of all this is that IAM is completely FREE. Yup! Not a penny is required to use it.

Let's quickly look at some interesting IAM features in order to understand it a bit better:

  • Shared access to a single account: With the sign in process completed, you currently are the sole owner and user of your AWS account. But what if you wanted to give access to a few other users from within your organization to this account? You cannot just provide them with your username and password, right? Neither will you go and create a separate account for each user, as it is too tedious and not good practice. However, with IAM, you can create and provide users with shared access to your single account with real ease. It is something we will be looking into shortly.
  • Multi-factor authentication: IAM allows you to provide two-factor authentication to users for added security. This means that now, along with your password, you will also have to provide a secret key/pin from a special hardware device, such as a hard token, or even from software apps such as Google Authenticator.
  • Integration with other AWS products: IAM integrates with almost all AWS products and services and can be used to provide granular access rights and permissions to each service as required.
  • Identity federation: Do you have an on-premises Active Directory already that has users and groups created? Not a problem, as IAM can be integrated with an on-premises AD to provide access to your AWS account using a few simple steps.
  • Global reach: Remember regions and availability zones from Chapter 1, Introducing Amazon Web Services? Well, IAM is one of the few AWS core services that spans globally. This means that users that are created using IAM can access and consume any AWS service from any geographic region! Neat, right?
  • Access mechanisms: IAM can be accessed using a variety of different tools, the most common and frequently used being the AWS Management Console. Apart from this, IAM can also be accessed via the AWS CLI, via SDKs that support different platforms and programming languages such as Java, .NET, Python, Ruby, and so on, and programmatically via a secured HTTPS API as well.

Business use case scenario

Awesome! We have seen what IAM is along with its impressive features list, so now, let's put it to some good use! In Chapter 1, Introducing Amazon Web Services, we briefly discussed our use case scenario about hosting a website for an organization called All-About-Dogs. In this section, let's go ahead and define some users for this organization along with their potential roles:

In this example, Jason is the manager of All-About-Dogs, and he is responsible for overseeing the entire operations of the organization. Jason goes ahead and hires Dave and Chen who will act as leads for the development and testing departments, respectively. Dave and Chen can then have multiple developers and testers within their teams as they see fit, a typical and simple hierarchy that most of us are familiar with and can relate to.

Getting started with the IAM Console

AWS IAM can be accessed using the AWS Management Console as well as a host of other CLIs, tools, and SDKs. In this section, you are going to learn how to use the AWS Management Console to create users and assign those users to individual groups and policies:

  1. To begin with, sign in to the AWS Management Console using https://console.aws.amazon.com/.
  2. Now, there are a lot of different ways to access the AWS IAM service; the easiest is to locate the service under the Administration & Security section as shown in the following screenshot. Selecting the Identity & Access Management option will launch the IAM console.

Welcome to your first AWS core service! Take some time to visually inspect each of the elements of the IAM dashboard. The dashboard can be basically split up into two sections, the navigation pane to the left, which contains all the individual links that will help you create your users and groups, and the main dashboard to the right where you can view your IAM Resources and various other security statuses:

The first thing that you will notice here under the Security Status field is an option to Delete your root access keys. Now why would you want to do something like that even before you start creating users? And what are root access keys?

Well, to begin with, in Chapter 1, Introducing Amazon Web Services, you signed in to AWS using your e-mail ID and password, right? Well, that is the root account that you just created. The root account, as the name suggests, has root-level access to all AWS services, including your billing account. So, as a good practice, AWS highly recommends that you do not use the root account unless you absolutely need to, and, more importantly, that you do not create root access keys at all. Root keys simply consist of an access key ID and a secret access key that can be used to programmatically access any AWS service with the root account's full privileges. Each user that you create gets its own set of keys, of which the secret key has to be protected and kept under lock and key at all costs.

Coming back to the IAM console, let's take a quick look at some of the tasks that you can perform using it. The first thing you will notice is a big, clunky-looking URL that consists of some long numbers. Well, this is the URL that your new IAM users will be using once they are created to log in to the AWS Management Console.

The URL basically links to a sign-in page that is created automatically when you sign in to the IAM service. But let's face it, it's not a simple URL and anyone would have a tough time remembering it as well. You can choose to customize the URL by providing an alias to it.

Note

The IAM URL contains the following format: https://<AWS_Account_ID>.signin.aws.amazon.com/console/.

Select the Customize option adjoining the IAM sign in link to get started. You should get a Create Account Alias dialog box. Provide a suitable alias name for your account and click on Yes, Create when done:

Voila! Your IAM user's sign-in link is now ready, but before you go ahead and use it, first you have to create some users and groups who will access it:

Creating users and groups

With the basics out of the way, let's get to the main part of this chapter, that is, creating and working with users and groups.

Users, as the name suggests, are your everyday typical end users who will be interacting with the AWS products and services. Each user is provided with a unique password and a username so they can log in to the AWS Management Console. Along with the basic set of credentials, the users can also enhance their security by leveraging MFA. As discussed earlier, MFA provides a uniquely generated pin or code from a special hardware device called a hard token (or from a virtual MFA app). You can use this MFA pin or code along with your credentials to log in to the AWS Management Console.

Users are also provided with a set of access keys. These keys consist of an access key ID and a secret access key, which are used together to access AWS programmatically. When users are first created in IAM, they do not have a password or any access keys generated for them. This is your task as an AWS administrator: you must make sure that each user has their own set of keys and password generated.

There are a lot of ways that you can start creating users. From the IAM dashboard, select the Manage Users option listed under the Create individual IAM users dialog box, as shown:

This will bring up the users console, using which we will create our very first IAM users. Select the Create New Users option to get started:

In the next page, type in the IAM usernames as required. You can enter up to five names at a time. You can optionally choose to create and generate access keys for each of the users that you create. Select the Generate an access key for each user option as shown and click on Create to proceed:

Select the Download Credentials option to save the users' access key IDs and secret access keys. This will download a CSV file to your desktop, which has to be saved in a very secure location. It is very important that you save the keys, as this is the last time you will have access to them. Select Close after you have downloaded your credential keys successfully:

Note

Access keys are unique to each user and should not be shared with anyone under any circumstances. Save them in a secure place.

But wait! You are not done yet! You still need to assign your users their passwords. To do this, from the users console page, select the individual user's checkbox, click on the User Actions drop-down menu and select the Manage Password option as shown. You can use this drop-down menu to manage the user's access keys, signing certificates, MFA devices, and so on:

In the Manage Password page, you can either choose to Assign an auto-generated password for your users or provide a custom, temporary password, which the user can change at the first sign in attempt. In our case, we provided our user with a strong password that does not need to be changed at the first login attempt. Once the password is entered, click on Apply to save the changes:

Follow the same process for the rest of your users as well. Make sure you provide them with strong passwords that contain at least one upper case letter, one special character, and some numerical values as well. You can additionally set password policies on your entire account by selecting the Account Settings option from the IAM console's navigation pane. Using the Password Policy page, select the security options that you wish to enable for your account's IAM user passwords. Remember to select Apply password policy to save and enforce the new password policy settings:

With your users created, the next logical entity to create is the group. A group is a collection of IAM users that has a particular set of permissions assigned to it. For example, a set of users who perform administrative tasks can be clubbed under a common group called administrators, and so on and so forth. In this section, we will create an administrative group for our use case and later assign a user to it. So, let's get started!

First up, from the IAM console, select the Groups option from the navigation pane. This will bring up the groups console using which you can create and administer groups for your AWS account.

Select the Create New Group option to get started. Provide a suitable name for your administrative group; in this case, we provided the name Admin-All-About-Dogs. The Group Name can be anything, but it's advised to keep it meaningful. Click on Next Step to continue:

Next up, we assign permissions to the group using one or two policies. A policy is a document that lists one or more permissions. You can attach policies to virtually anything in AWS, from users and groups to individual AWS resources as well.

To attach a policy to a group, from the Attach Policy page, use the Filter menu and the search box to find suitable policies. In this case, we want this group to have full administrative privileges, and hence we are searching for an Administrator Access policy. In the list of policies, select the appropriate policy and click on Next Step to continue:

Note

You can use and attach two policies per group.

In the Review page, review the Group Name and the policies that are attached to the group. You can optionally choose to Edit Group Name or Edit Policies as per your requirements here. Once done, click on Create Group to proceed with the group's creation. Similarly, you can create groups for various other departments within your own organization, such as a Developers group, a Testers group, and so on:

To add users to any particular group, simply select the group's checkbox and from the Group Actions drop-down menu select the Add Users to Group option. This will open up a separate page where you can select your previously created users. You can add one or more users to a group as you see fit. A particular user can also be a part of two or more groups at the same time; however, this is not a recommended practice and should be avoided unless absolutely required. Once the users are selected, click on the Add Users option to complete the process. With this stage completed, you have now successfully created and set up users and groups within your own organization. Now, wasn't that easy! Just remember to use the IAM users sign in link to sign in to the AWS Management Console from now on; the rest of the login process remains the same.

Understanding permissions and policies

To begin with, let's talk a bit about permissions first. We already used them during the creation of our users, but what actually are permissions and what are their uses?

Permissions provide you with access to and control of various AWS resources. They are also responsible for controlling actions that you can perform on the resources. By default, when you create an IAM user, the user starts as a blank slate, no keys, and no permissions at all. It is your responsibility to assign the users keys and the necessary permissions, which can range from simple novice tasks such as listing resources to creating, updating, and deleting resources, and so on.

Permissions can be classified into two main classes, each briefly explained here:

  • User-based permissions: As the name implies, these permissions are attached to IAM users and allow them to perform some action over an AWS resource. User-based permissions can be applied to groups as well. User-based permissions branch out into two further categories called inline policies and managed policies, both of which we will be discussing shortly. Basically, an inline policy is a policy that is created and managed completely by you, whereas a managed policy is created and managed more by AWS itself.
  • Resource-based permissions: These are a special class of permissions that allow you to specify which user has what specific level of access to a particular AWS resource along with what actions they can perform on it. There are a handful of AWS services and resources that support such permissions, including S3 buckets, SNS topics, Amazon Glacier vaults, and so on. Unlike user-based permissions, these categories of permissions are only inline-based. This means that they are completely managed and created by you.

Not clear, eh? Not a problem. Let's walk through this simple example to get a better feel for it. In our use case, we have users created called Jason, Dave, and Chen. Each of these users can be assigned a set of user permissions; for example, Dave can have the ability to list, read, and write on the Amazon EC2 service, whereas Chen can only have read permissions on the EC2 instances. Jason, on the other hand, being a manager, can have all admin rights and can perform all actions on any of the AWS services.

Resource-based permissions, on the other hand, are allocated directly to resources, so in this case assume that an S3 bucket (a bucket is like a storage folder where you dump objects) has been allocated permissions to allow both Dave and Chen read-write access, whereas Jason can read, write, and list objects stored in the bucket:

With permissions covered, let's look at policies in a bit more detail. We briefly used policies during the IAM group creation process, and there you learned that a policy is nothing but a collection of permissions put together in a JSON-formatted document. Policies can contain user-based or resource-based permissions. A single permission forms a statement in a policy, and a single policy can contain multiple statements.

Let's look at a simple policy for our reference:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeImages"
      ],
      "Resource": "arn:aws:iam::012345678910:user/Chen"
    }
  ]
}

As you can see, this policy will basically allow the user Chen to only list the EC2 images and instances, in short, simple read-only access. Let's take a closer look at each of this policy's elements:

  • Version: The version specifies the policy language version. As of this writing, the current version of the policy language is 2012-10-17. Although not required, it is good practice to include the Version field in your policies.
  • Statement: The statement is the main starting point for your policy. Unlike the version field, the statement field is mandatory. The statement element is always enclosed within square brackets [] and can contain other individual statements within itself. Each individual statement should be enclosed by a set of curly brackets {} as shown.
  • Effect: Another mandatory element, Effect specifies whether the following Action statement should result in Allow or Deny. By default, access to AWS resources is denied; only a statement with an explicit Allow grants it. This ensures that you set explicit permissions for your IAM users when declaring policies.
  • Action: The Action element describes what specific actions are required to be either allowed or denied. Each action statement consists of two main parts, a value that identifies the particular AWS service such as EC2, S3, IAM, and so on, followed by the action value, such as DescribeInstances and DescribeImages.
  • Resource: The final element required for our policy is the Resource element. The Resource element is used to specify the object or service that the particular set of statements will cover. Resource names are specified by something called an Amazon Resource Name (ARN). ARNs are a crucial part of IAM and are used to uniquely identify AWS resources. In our reference policy, the ARN uniquely identifies the user Chen from our demo AWS account ID (012345678910) as the resource, which will obtain the necessary permissions based on the Action element.

Tip

These are just the most commonly used set of elements that you can use to get started with your sets of policies. There are a lot more additional sets of elements that comprise a policy. Read more about them at http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html.
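To see how these elements combine when a request is evaluated, here is an added example (written for this page, not code from the chapter or from AWS) that parses the two policies shown in this chapter and decides requests against them in a simplified model: only Effect, Action and Resource with `*` and `?` wildcards, no Condition, Principal or NotAction elements. The `DENY_TERMINATE` guardrail policy, the instance ARN and the `validate()` helper are constructed for the example; the guardrail shows that an explicit Deny overrides the administrator policy's blanket Allow.

```python
import json
import re

# Policies taken from the chapter: Chen's read-only EC2 policy and the "*"/"*"
# administrator policy, parsed from JSON exactly as the chapter writes them.
CHEN_ARN = "arn:aws:iam::012345678910:user/Chen"
CHEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:DescribeImages"],
    "Resource": "arn:aws:iam::012345678910:user/Chen"
  }]
}""")
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")
# Constructed for this example (not from the chapter): a guardrail that
# explicitly denies terminating instances, whatever else a user is allowed.
DENY_TERMINATE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]
}""")


def _as_list(value):
    # Action and Resource may be written as a single string or as a list.
    return value if isinstance(value, list) else [value]


def _wild_match(pattern, text, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, text, re.IGNORECASE if ignore_case else 0) is not None


def validate(policy):
    """Check for the elements the chapter describes; returns a list of problems."""
    problems = []
    if "Version" not in policy:
        problems.append("missing Version (optional, but recommended)")
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        problems.append("missing or empty Statement")
    for i, stmt in enumerate(statements):
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"statement {i}: missing {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def evaluate(policies, action, resource):
    """Decide one request against named policies the way IAM does: a matching
    explicit Deny always wins, an Allow is needed to grant access, and a request
    matching no statement at all is denied (the implicit deny)."""
    allowed_by = None
    for name, policy in policies.items():
        for stmt in _as_list(policy["Statement"]):
            # Service and action names match case-insensitively; ARNs do not.
            if not any(_wild_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny", f"explicit Deny in policy {name}"
            allowed_by = allowed_by or name
    if allowed_by:
        return "Allow", f"Allow in policy {allowed_by}"
    return "Deny", "implicit deny: no statement matched"


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-west-2:012345678910:instance/i-0123456789abcdef0"
    print(evaluate({"ChenReadOnly": CHEN_POLICY}, "ec2:DescribeImages", CHEN_ARN))
    print(evaluate({"ChenReadOnly": CHEN_POLICY}, "ec2:RunInstances", CHEN_ARN))
    print(evaluate({"Admin": ADMIN_POLICY}, "ec2:TerminateInstances", instance))
    print(evaluate({"Admin": ADMIN_POLICY, "Guardrail": DENY_TERMINATE},
                   "ec2:TerminateInstances", instance))
```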

Now that we have a basic understanding of what a policy is and what it comprises, let's take a quick look at how you can create and assign them to your IAM users and groups using the AWS Management Console.

Creating and assigning policies

To create and assign policies, from the AWS Management Console, select the Identity and Access Management option as done before. Next up, select the Policies option from the IAM console's navigation pane. You should see the policy page as shown.

Using this page, you can filter and list existing policies (both inline and managed policies) using the Filter and Search options. You can even create, update, and delete existing policies, and attach and detach policies from users and groups using this page. For starters, let's go ahead and create a simple policy for our IAM users. Select the Create Policy option as shown:

This will pop up the Create Policy wizard. Here, you will be provided with three options, briefly explained as follows:

  • Copy an AWS Managed Policy: This option will list all the policies that are designed, created, and managed by AWS itself. This is by far the simplest way to get started with policies.
  • Policy Generator: This is a neat tool that will help you build your very own customized policy. The tool includes drop-down options using which you can select various AWS services and their associated actions and effects. The tool even has built-in policy validation that verifies whether your policy is syntactically correct or not before deploying it.
  • Create your Own Policy: Using this feature, you can actually write your own policy or copy and paste an existing policy here. This feature too comes with a policy validator that verifies the syntax and validity of your custom policy before deployment.

For this scenario, let's go ahead and select the Copy an AWS Managed Policy option. In the Set Permissions page, you can use the Filter and Search bars to search for and select a policy of your choice. In this case, we are selecting Administrator Access Policy created by AWS itself. This policy will ensure that the IAM user attached to it is granted all administrative rights on all the AWS resources. Do note that this is a very crude and high-level permission and is not recommended for use in a production scenario.

In a production scenario, you would have to create individual administrator roles for each of the AWS services that you plan to use and then assign individual users to them as per your requirements. For now, click on the Select option adjoining the AdministratorAccess policy as shown:

This will bring you to the Review Policy page where you can edit and fine tune the policy as per your needs. Note that a Policy Document has already been created for your convenience:

In the Review Policy page, you can provide a suitable Policy Name and an optional Description for your new policy. You can even edit the Policy Document if you feel the need to, but in our case, we will leave it as it is. In case you end up editing the Policy Document, then make sure you select the Validate Policy option before you go ahead and deploy the policy.

Note

The * specified in the Action and Resource element is a wildcard and indicates any and all objects.

Once you have completed the changes, select the Create Policy option. With this step, your new custom policy is now ready to be attached to any group or user as you see fit.

To attach a particular policy to a set of users or groups, simply use the Filter and Search bar to find your newly created policy. Once displayed, select the policy you wish to apply by highlighting the checkbox adjoining it, select the Policy Actions drop-down list, and select the Attach option as shown:

This will bring up an Attach Policy page. Here, you can select multiple users and groups at the same time and apply your selected policy to them all in a single go! In our case, we selected the user Jason and the Admin-All-About-Dogs group that we created in our earlier steps. Once you have selected the users and groups, complete the process by selecting the Attach Policy option.

Managing access and security using the AWS CLI

In the previous chapter, we briefly talked about the merits of working with a command line interface versus a GUI. We also got the AWS CLI installed and running on a simple CentOS box. In this section, we are going to go a bit further with that installation and actually configure the AWS CLI for use by an IAM user. Later on, we will see how to use the AWS CLI to perform some common IAM tasks as well. So without further ado, let's get started!

Configuring the AWS CLI is a very simple and straightforward process. All you need are the access key ID and the secret access key of any one of the IAM users that we created during the earlier parts of this chapter. Next up, open up a terminal on your Linux box, which has the AWS CLI installed on it, and type in the following command:

# aws configure

Once entered, you will be prompted to enter the user's Access Key ID and the Secret Access Key, along with the default region name and the default output format to use. The default region name is a mandatory field and can be any of the regions from which your users will be operating, for example, us-east-1, us-west-2, and so on:

AWS Access Key ID [None]:TH1$is$0MUC#fuN
AWS Secret Access Key [None]:iH@vEN01De@W#@T1@mD01ng#ERe
Default region name [None]: us-west-2
Default output format [None]: table

The output format accepts any of these three values as the preferred method to display the output of the commands: table, text, or json.

Note

Any of these values can be changed at any time by rerunning the aws configure command.

But what if I have multiple users and each of these users need to access the same Linux box to run the commands? Do I need to share the keys with all the users? A valid question with a simple answer, NO! You never share your keys with anyone! As an alternative, you can set up named profiles for each of your users using their own set of keys using this simple command:

# aws configure --profile jason

Here, we are creating a named profile for our user named Jason. Similarly, you can create multiple named profiles for individual IAM users using this same syntax:

Note

AWS will store these credentials and configuration details in two separate files named ~/.aws/credentials and ~/.aws/config, respectively.
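As an added example (written for this page, not code from the chapter or from AWS), the following Python script turns the credentials CSV downloaded from the console into one named profile per user in the two files the note mentions. The CSV column names, the placeholder key values and the `demo()` helper are assumptions; it writes into a scratch directory rather than your real ~/.aws, and restricts the credentials file to its owner so other users of the same Linux box cannot read the keys.

```python
import configparser
import csv
import io
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample of the credentials CSV the console lets you download
# (column names assumed; the key values are placeholders, not real keys).
CREDENTIALS_CSV = """User Name,Access Key Id,Secret Access Key
Jason,AKIAEXAMPLEJASON0001,EXAMPLEsecretkeyForJason0000000000000000
Dave,AKIAEXAMPLEDAVE00001,EXAMPLEsecretkeyForDave00000000000000000
"""


def profiles_from_csv(csv_text, region="us-west-2", output="table"):
    """Turn each CSV row into the settings one named profile needs."""
    profiles = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["User Name"].strip().lower()  # profile name, e.g. "jason"
        profiles[name] = {
            "aws_access_key_id": row["Access Key Id"].strip(),
            "aws_secret_access_key": row["Secret Access Key"].strip(),
            "region": region,
            "output": output,
        }
    return profiles


def write_aws_files(profiles, aws_dir):
    """Write files in the ~/.aws/credentials and ~/.aws/config layout under aws_dir.
    Secrets go only into 'credentials', which is restricted to the owner (0600);
    region and output go into 'config' under a '[profile NAME]' section."""
    aws_dir = Path(aws_dir)
    aws_dir.mkdir(parents=True, exist_ok=True)
    creds, conf = configparser.ConfigParser(), configparser.ConfigParser()
    for name, p in profiles.items():
        creds[name] = {
            "aws_access_key_id": p["aws_access_key_id"],
            "aws_secret_access_key": p["aws_secret_access_key"],
        }
        conf[f"profile {name}"] = {"region": p["region"], "output": p["output"]}
    cred_path, conf_path = aws_dir / "credentials", aws_dir / "config"
    with open(cred_path, "w") as f:
        creds.write(f)
    os.chmod(cred_path, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only
    with open(conf_path, "w") as f:
        conf.write(f)
    return cred_path, conf_path


def read_profile(aws_dir, name):
    """Read back the settings 'aws --profile NAME' would pick up from both files."""
    creds, conf = configparser.ConfigParser(), configparser.ConfigParser()
    creds.read(Path(aws_dir) / "credentials")
    conf.read(Path(aws_dir) / "config")
    return {**dict(creds[name]), **dict(conf[f"profile {name}"])}


def credentials_mode(aws_dir):
    """Permission bits of the credentials file, for checking the 0600 restriction."""
    return stat.S_IMODE(os.stat(Path(aws_dir) / "credentials").st_mode)


def demo():
    """Build the files in a scratch directory (never the real ~/.aws) and return it."""
    aws_dir = Path(tempfile.mkdtemp()) / ".aws"
    write_aws_files(profiles_from_csv(CREDENTIALS_CSV), aws_dir)
    return aws_dir


if __name__ == "__main__":
    scratch = demo()
    print(read_profile(scratch, "jason"))
    print(oct(credentials_mode(scratch)))
```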

Okay, now that we have the basic configurations done, let's try out the CLI by executing some commands. To start off, let's try listing the users present in our account. Type in the following command:

# aws iam list-users --profile jason

You should get a list of IAM users displayed on your terminal. Notice the output format. Here, you may be viewing the output in a tabular format as our default output format is currently set to table. Also, note that we ran the CLI command using the named profile that we created a short while back. Awesome, isn't it?

Let's try running a few more commands now! Create an IAM user, assign it to an existing group in our AWS account, and attach a policy to it! To begin with, create a new user using this simple command:

# aws iam create-user --user-name YoYo --profile jason

This command only creates the user. The user does not yet have a password or any access keys generated, so let's go ahead and create some! Type in the following command to create a password for your user:

# aws iam create-login-profile --user-name YoYo --password 'P@$$w0rD' --profile jason

Here, we passed two mandatory arguments with the command, --user-name and --password (the password is single-quoted so that the shell does not expand its $ characters before the CLI sees them):

Besides these, you can additionally pass an optional argument called --password-reset-required. This field will ensure that the IAM user has to reset his/her password upon first login from the AWS Management Console. Only then will this new user be authorized to work with the CLI. In our case, we have not provided this argument, thus resulting in a fixed password which the user does not need to change.

Once the password is created, we go ahead and create the user's all-important access key ID and secret access key. To do so, type in the following command:

# aws iam create-access-key --user-name YoYo --profile jason

The create-access-key command requires only one mandatory argument, which is the username itself. Once executed, it displays the user's access key ID and secret access key in the output. Make sure you save the secret access key, as this is the last time it will be shown to you, for obvious security reasons. With this step, your new IAM user is all ready to be added to groups! Previously in this chapter we created a few groups for our own reference using the AWS Management Console. You can either attach your new users to existing groups or can even go ahead and create new groups as per your requirements. In this case, we will be creating a new group and attaching our user to it. Type in the following command to create a new group:

# aws iam create-group --group-name SuperUsersGroup --profile jason

The output should display the new group's ARN as well as the Group ID as shown:

With the group created, it's now time to attach our new user to it. Simply type in the following command as shown:

# aws iam add-user-to-group --user-name YoYo --group-name SuperUsersGroup --profile jason

This command accepts two mandatory arguments: the username and the name of the group to which the user is to be added. You should get no output from this command if it ran successfully.

With this step, we completed adding our new user to a new group. But wait, our task is not yet done. We still have to enforce some access permissions on this group; so let's quickly add a simple policy to it.

First up, create a simple JSON-based file on your Linux box. This JSON file will contain your new group's or user's set of permissions. For simplicity, I created a very basic policy that will grant its users complete access to all of AWS's products and resources. Run the following command to first create your policy:

# vi /tmp/MyPolicy.json

Add the following contents to your policy file as shown:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}


Next, run the following command to attach this policy document to your newly created group or user:

# aws iam put-user-policy --user-name YoYo \
--policy-name Admin-Access-All-About-Dogs \
--policy-document file:///tmp/MyPolicy.json \
--profile jason

Note

To assign the policy to the group instead, use the put-group-policy command and replace the --user-name attribute with --group-name SuperUsersGroup.

With this step completed, you now should have a fully configured user and group created for your organization using the AWS CLI. Simple, wasn't it!
