AWS Identity and Access Management

 IAM



Introduction to IAM - 

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources
  • You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources
  • IAM allows you to create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources
  • IAM is a fundamental part of AWS security, as it allows you to implement the principle of least privilege, ensuring that users and applications have only the permissions they need to perform their tasks
  • IAM also provides features such as multi-factor authentication (MFA), password policies, and access keys to enhance the security of your AWS environment

Features of IAM - 
  • IAM Users -
  • IAM allows you to create and manage users in your AWS account
  • Each IAM user has a unique name and security credentials, which are used to authenticate and authorize their access to AWS resources
  • IAM users have security credentials that are used for authentication and authorization. These credentials include:
  • Password: IAM users can have a password for logging in to the AWS Management Console
  • Access key ID and secret access key: IAM users can also have access keys, which are used for programmatic access to AWS services (CLI, SDKs, API)
  • No permissions by default: a new IAM user is allowed nothing until a policy grants it
  • IAM Groups -
  • Groups allow you to organize users and manage their permissions collectively. Instead of assigning permissions to individual users, you can assign permissions to groups and then add users to those groups
  • Using groups simplifies the process of managing permissions, especially in large organizations with many users. Instead of managing permissions for each user individually, you can manage permissions for groups of users who have similar roles or responsibilities
  • For example, you could create a group called "Developers" and assign permissions to that group that allow members to access development resources. You can then add users to the "Developers" group as needed, and they will inherit the permissions assigned to that group

  • IAM Policies -
  • Policies are JSON (JavaScript Object Notation) documents that state what a user or group can do on AWS resources
  • A policy defines the authorization model for AWS resources
  • Each policy statement contains at least 3 components (EAR):
  1. EFFECT : whether the actions are allowed or denied on the resources
  2. ACTIONS : which actions are allowed or denied
  3. RESOURCES : the AWS resources the statement applies to, e.g. EC2, S3, RDS
  • Policies can be attached to users or groups
  • There are 3 types of policies:
  1. AWS managed policies
  2. Customer managed policies
  3. Inline policies
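To make the Effect / Action / Resource structure concrete, here is an added example (not code from this post or from AWS) that models how IAM decides a request: everything is denied by default, an explicit Deny always wins, and otherwise any matching Allow grants the request. The group policy, the user's inline policy, the bucket name and the account id are all constructed placeholders; only the Bool condition operator and the real `aws:MultiFactorAuthPresent` context key are modelled, and real IAM has many more operators and policy types.

```python
"""Offline model of how IAM evaluates identity-based policies.

Added example, not AWS's own engine: it imitates the documented decision order
(default deny -> explicit Deny wins -> any matching Allow grants the request)
so a policy's Effect / Action / Resource can be exercised without an account.
Only the Bool condition operator is modelled.
"""
import re

# Constructed sample policies; bucket name and account id are placeholders.
DEVELOPERS_GROUP_POLICY = {  # a customer managed policy attached to the group
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::dev-bucket", "arn:aws:s3:::dev-bucket/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Guard rail: no group member may terminate instances, even if some
        # other policy attached to that member allows it.
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}

USER_INLINE_POLICY = {  # an inline policy on one member of the group
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*",
         # Honoured only when the caller signed in with MFA.
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    flags = 0 if case_sensitive else re.IGNORECASE
    for pattern in _as_list(patterns):
        regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                        for ch in pattern)
        if re.fullmatch(regex, value, flags):
            return True
    return False


def _condition_holds(condition, context):
    """Evaluate a Condition block; only the Bool operator is modelled."""
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} is not modelled")
        for key, expected in pairs.items():
            # An absent context key never satisfies the condition.
            if context.get(key, "").lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all attached policies."""
    context = context or {}
    decision = "Deny"                       # default deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue                    # action names are case-insensitive
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # explicit deny overrides every Allow
            decision = "Allow"
    return decision


def demo():
    """Decisions for a user who is a member of the Developers group."""
    attached = [DEVELOPERS_GROUP_POLICY, USER_INLINE_POLICY]
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "read object": evaluate(attached, "s3:GetObject", "arn:aws:s3:::dev-bucket/app.log"),
        "write object": evaluate(attached, "s3:PutObject", "arn:aws:s3:::dev-bucket/app.log"),
        "describe instances": evaluate(attached, "ec2:DescribeInstances", "*"),
        "stop, no MFA": evaluate(attached, "ec2:StopInstances", instance),
        "stop, with MFA": evaluate(attached, "ec2:StopInstances", instance, mfa),
        "terminate, with MFA": evaluate(attached, "ec2:TerminateInstances", instance, mfa),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{request:<22} {decision}")
```

The last two requests are the ones worth studying: stopping an instance is denied without MFA purely because nothing allows it, while terminating one is denied even with MFA because the group's explicit Deny beats the user's Allow.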

  • IAM Roles -
  • A role is similar to a user or group in that it has permissions/policies attached to it
  • Roles give temporary access to anyone who needs to perform the specific tasks that the role's policies allow
  • While a role is being used (assumed), the permissions attached to the user are set aside; only the role's permissions apply for that session

  • Multi-Factor Authentication (MFA) - 
  • IAM supports multi-factor authentication, adding an extra layer of security to your AWS account
  • You can require users to provide an additional authentication factor, such as a code from a hardware token or a mobile app, in addition to their password 
  • Users can choose between a virtual MFA device (e.g., Google Authenticator) or a hardware MFA device (e.g., YubiKey)

  • Password Policies - 




  • Identity Federation - 
  • Identity federation in AWS IAM allows you to grant temporary access to AWS resources to users who are authenticated by an external identity provider (IdP). This enables you to use your existing identity management system to manage access to AWS resources, without requiring users to have AWS-specific credentials
  • SAML identity federation (SAML = Security Assertion Markup Language)
  • Register AWS with your corporate IdP (for example an LDAP-backed directory)
  • The IdP will generate a metadata XML document
  • Create a SAML identity provider in IAM with that SAML metadata
  • Create roles
  • These roles should be mapped to the assertions your organization's IdP issues; the role's trust policy names the SAML provider as the principal:
                   "Principal" : { "Federated" : "<ARN of SAML provider>" },
                   "Action" : "sts:AssumeRoleWithSAML"
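The "create roles" step above hinges on the role's trust policy, and a hand-written one is easy to get subtly wrong. Below is an added example (not code from this post or from AWS) that builds the trust policy for a SAML-federated role and checks a policy for the three common mistakes: naming the SAML provider under the `AWS` principal key instead of `Federated`, granting something other than exactly `sts:AssumeRoleWithSAML`, and omitting the `SAML:aud` condition that pins the assertion to the AWS sign-in endpoint. The account id, provider name and the flawed sample policy are constructed placeholders.

```python
"""Builder and checker for the trust policy of a SAML-federated IAM role.

Added example, not AWS code. The account id and provider name used in demo()
are placeholders; the audience URL and action name are the values IAM expects.
"""
import json
import re

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in the assertion
ASSUME_ACTION = "sts:AssumeRoleWithSAML"
_PROVIDER_ARN = re.compile(r"^arn:aws:iam::\d{12}:saml-provider/[\w+=,.@-]+$")


def saml_provider_arn(account_id, provider_name):
    """ARN IAM assigns to a SAML identity provider called provider_name."""
    return f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"


def build_saml_trust_policy(provider_arn):
    """Trust policy letting only assertions from provider_arn, aimed at AWS, assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            # A SAML provider is a federated principal, not an AWS account principal.
            "Principal": {"Federated": provider_arn},
            "Action": ASSUME_ACTION,
            # Without this, an assertion the same IdP minted for a different
            # service provider would also be accepted.
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def check_trust_policy(policy):
    """Return the problems found in a SAML trust policy (empty list when sound)."""
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "Federated" not in principal:
            problems.append("Principal must use the 'Federated' key for a SAML provider")
        elif not _PROVIDER_ARN.match(principal["Federated"]):
            problems.append(f"'{principal['Federated']}' is not a SAML provider ARN")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if actions != [ASSUME_ACTION]:      # also catches a misspelled 'Actions' key
            problems.append(f"Action should be exactly '{ASSUME_ACTION}'")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            problems.append(f"missing Condition StringEquals SAML:aud = {SAML_AUDIENCE}")
    return problems


def demo():
    """Check a generated policy and a hand-written one with the usual mistakes."""
    arn = saml_provider_arn("123456789012", "CorpIdP")   # placeholder values
    good = build_saml_trust_policy(arn)
    flawed = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": arn},            # wrong principal key
        "Actions": ASSUME_ACTION,             # misspelled key, no audience condition
    }]}
    return check_trust_policy(good), check_trust_policy(flawed)


if __name__ == "__main__":
    good_problems, flawed_problems = demo()
    print(json.dumps(build_saml_trust_policy(
        saml_provider_arn("123456789012", "CorpIdP")), indent=2))
    print("generated policy problems:", good_problems)
    print("hand-written policy problems:", flawed_problems)
```

Once the JSON is saved to a file, the steps in the list map onto the AWS CLI as `aws iam create-saml-provider --name CorpIdP --saml-metadata-document file://metadata.xml`, then `aws iam create-role --role-name <role> --assume-role-policy-document file://trust.json`, and finally `aws iam attach-role-policy` to give the role its permissions; the trust policy only says who may assume the role, not what it may do.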





  • That's all for IAM, guys. Please email me if you have any corrections, additions or queries, or to discuss something about the above points. Email - mahajanrohit759@gmail.com
  • Please share it with your friends







Comments

  1. omg sir so goood sirrrrrrr
    sirr please reply sir please
    big fan sir big fan
