IAM Fundamentals: Users, Groups, Roles, Policies

Lesson Objectives

By the end of this lesson, you will:

1. Understand the core components of AWS Identity and Access Management (IAM).
2. Learn the roles of Users, Groups, Roles, and Policies in managing permissions.
3. Explore best practices for securing AWS accounts with IAM.
4. Create users, groups, and roles in a hands-on lab.

Introduction: Controlling Access in AWS

Imagine you’re managing a shared workspace. You need to assign access to different people based on their responsibilities: developers need access to the code repository, while accountants need access to billing information. AWS Identity and Access Management (IAM) helps you control who can access your AWS resources and what actions they can perform.

IAM is the backbone of AWS security, allowing you to manage identities and permissions effectively. In this chapter, we’ll break down IAM’s core components and set up a basic access control system.

What is IAM?

Identity and Access Management (IAM) is a service that enables you to manage access to AWS resources securely. It provides tools to define who can access your resources, how they can access them, and under what conditions.

Key Features:

1. Granular Permissions: Define precise permissions for each user or group.
2. Secure Access: Use Multi-Factor Authentication (MFA) and temporary credentials.
3. Centralized Management: Manage identities and permissions in one place.

IAM Core Components

1. Users

• Definition: Represents an individual who interacts with AWS resources.
• Key Points:
  • Each user has a unique set of credentials (username, password, and access keys).
  • Users can be assigned permissions directly or through groups.

2. Groups

• Definition: A collection of IAM users.
• Key Points:
  • Permissions assigned to a group apply to all its members.
  • Example: Create a Developers group with access to EC2 and S3.

3. Roles

• Definition: Assign permissions to AWS services or applications without using a specific user’s credentials.
• Key Points:
  • Roles are assumed temporarily.
  • Example: An EC2 instance assumes a role to access an S3 bucket.

4. Policies

• Definition: JSON documents that define permissions.
• Key Points:
  • Policies specify actions, resources, and conditions.
  • Example: A policy allowing s3:GetObject on a specific bucket.

Best Practices for IAM

1. Follow the Principle of Least Privilege:
   • Grant only the permissions users need to perform their tasks.
2. Enable Multi-Factor Authentication (MFA):
   • Add an extra layer of security for critical accounts, especially the root user.
3. Use Roles for Applications and Services:
   • Avoid embedding access keys in application code. Use roles instead.
4. Rotate Access Keys Regularly:
   • Ensure that access keys are rotated and unused keys are deactivated.
5. Monitor and Audit IAM Activity:
   • Use AWS CloudTrail to track changes to IAM configurations and user activity.

Step-by-Step Lab: Setting Up IAM Users, Groups, and Roles

Scenario: Set up IAM for a small team with two users: a developer and a manager. The developer needs access to EC2 and S3, while the manager needs access to billing information.

Step 1: Create IAM Users

1. Log in to AWS:
   • Open the AWS Management Console and search for IAM.
2. Add Users:
   • Click Users > Add Users.
   • Add the following users:
     • Name: DeveloperUser (Programmatic Access).
     • Name: ManagerUser (AWS Management Console Access).
3. Assign Passwords:
   • For ManagerUser, set a password for console login.

Step 2: Create IAM Groups

1. Navigate to Groups:
   • In the IAM dashboard, click Groups > Create Group.
2. Create Developer Group:
   • Name: Developers.
   • Attach the following policies:
     • AmazonEC2FullAccess.
     • AmazonS3FullAccess.
3. Create Manager Group:
   • Name: Managers.
   • Attach the following policy:
     • Billing.
4. Add Users to Groups:
   • Add DeveloperUser to the Developers group.
   • Add ManagerUser to the Managers group.

Step 3: Create an IAM Role

1. Navigate to Roles:
   • Click Roles > Create Role.
2. Create a Role for EC2:
   • Select AWS Service as the trusted entity.
   • Choose EC2.
   • Attach the following policy:
     • AmazonS3FullAccess (to allow EC2 instances to access S3).
   • Name the role EC2S3AccessRole.
3. Assign Role to an EC2 Instance:
   • Launch an EC2 instance and attach the EC2S3AccessRole role.

Step 4: Test the Setup

1. Verify User Access:
   • Log in as DeveloperUser and ensure access to EC2 and S3.
   • Log in as ManagerUser and check access to billing information.
2. Test Role Access:
   • SSH into the EC2 instance with the role assigned.
   • Run the following command to test S3 access:
     

     
     aws s3 ls
     

Reflection: The Power of IAM

IAM enables secure, scalable management of access to AWS resources. In this lesson, you:

1. Created users and groups to manage permissions efficiently.
2. Used roles to allow services to interact securely with each other.
3. Applied policies to enforce the principle of least privilege.

This foundational knowledge ensures your AWS environment remains secure and well-organized.

What’s Next?

In the next chapter, we’ll explore Monitoring and Cost Optimization, starting with AWS CloudWatch to monitor resource usage and set up alarms for proactive management.

Your IAM skills are solid—let’s move into monitoring and optimization!