IAM: Users & Groups
- Identity and Access Management (IAM) is a global service that handles user authentication and permissions.
- The root account is automatically generated but should not be utilized or shared.
- Users refer to individuals within your organization and can be organized into groups.
- Groups exclusively consist of users and do not include other groups.
- Users are not required to be a part of any group, and they can belong to multiple groups simultaneously.
IAM: Permissions
- Users and groups can be assigned JSON documents called policies.
- These policies define the permissions granted to those users and groups.
- When working with AWS, it is advisable to adhere to the principle of least privilege, meaning that users should only be granted the permissions they specifically require.
- Example policy (the Allow statement covers every object in the bucket; the Deny statement blocks all S3 actions on one sensitive object):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-bucket/sensitive-file.txt"
    }
  ]
}
IAM Policies Structure
- Version: Specifies the version of the policy language being used. In this case, it is “2012-10-17”.
- Statement: Contains an array of statements that define the permissions. Each statement consists of the following elements:
- Effect: Specifies whether the statement allows or denies access. Its value is either “Allow” or “Deny”.
- Action: Specifies the actions or operations that are allowed or denied. It can be a single action or an array of actions.
- Resource: Specifies the AWS resource or resource ARN (Amazon Resource Name) to which the permissions apply. It can be a single resource or a wildcard pattern.
- NotResource: Specifies the resources to which the statement does not apply, i.e. the statement covers every resource except those listed. Combined with the Deny effect, it denies the action on everything except the listed resources; to deny access to one specific resource, use Resource instead.
In the provided example, the policy allows the GetObject and PutObject actions for objects in an S3 bucket named “example-bucket” (arn:aws:s3:::example-bucket/*). However, it denies all S3 actions (s3:*) for a specific file named “sensitive-file.txt” (arn:aws:s3:::example-bucket/sensitive-file.txt). Because an explicit Deny always wins, that file stays inaccessible even though the Allow statement’s wildcard covers it.
IAM Policies inheritance
In IAM (Identity and Access Management) in AWS, IAM policies can be inherited and applied to users, groups, and roles. The inheritance of IAM policies follows a hierarchical structure. Here’s a brief overview:
- User-level policies: IAM policies can be directly attached to individual IAM users. These policies define the permissions and access controls specific to that user.
- Group-level policies: IAM policies can also be attached to IAM groups. When a user is added to a group, they inherit the permissions defined in the group-level policies. This allows for easier management of permissions for multiple users who share similar roles or responsibilities.
- Role-level policies: IAM policies can be associated with IAM roles. Roles are meant to be assumed by users or AWS services. When a user or service assumes a role, they inherit the permissions defined in the role-level policies. This enables temporary access and delegation of permissions to different entities.
When a user is part of multiple groups or assumes multiple roles, the permissions from all the attached policies are combined, resulting in the cumulative set of permissions for that user or role.
It’s important to note that when policies conflict, the most restrictive permission takes precedence: an explicit Deny in any applicable policy overrides an Allow in another, and anything not explicitly allowed is implicitly denied. This principle aligns with the “least privilege” concept, where users are only granted the minimum permissions necessary to perform their tasks, enhancing security and reducing the risk of accidental or intentional misuse of privileges.
By utilizing IAM policy inheritance, organizations can effectively manage and assign granular permissions across their AWS resources while maintaining control and security.
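The evaluation rules described in the two sections above (policy structure, group inheritance, explicit Deny beating Allow, NotResource) can be checked offline with a small simulator. This is an added example, not AWS code: it implements only Action, Resource and NotResource with wildcard matching (no Condition, NotAction, permission boundaries or resource-based policies), and the user/group policies are constructed sample data.

```python
import fnmatch
from typing import Dict, List, Union


def _as_list(value: Union[str, List[str]]) -> List[str]:
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    # Simplified IAM wildcard semantics: '*' matches any run, '?' a single character
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True when the statement's Action and Resource/NotResource cover this request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(_match(a, action.lower()) for a in actions):  # actions are case-insensitive
        return False
    if "Resource" in stmt:
        return any(_match(r, resource) for r in _as_list(stmt["Resource"]))
    if "NotResource" in stmt:  # applies to everything EXCEPT the listed resources
        return not any(_match(r, resource) for r in _as_list(stmt["NotResource"]))
    return False


def is_allowed(policies: List[dict], action: str, resource: str) -> bool:
    """Implicit deny by default; any matching explicit Deny wins; otherwise one Allow suffices."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def effective_policies(user_policies: List[dict], groups: Dict[str, List[dict]],
                       memberships: List[str]) -> List[dict]:
    """A user's effective set: their own policies plus those of every group they belong to."""
    return list(user_policies) + [p for g in memberships for p in groups[g]]


# Constructed sample data: the page's bucket policy on the user, a broader policy on a group
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/sensitive-file.txt"}]}
GROUPS = {"developers": [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}]}


def check(action: str, resource: str, memberships=("developers",)) -> bool:
    """Decide a request for the sample user given the groups they belong to."""
    return is_allowed(effective_policies([USER_POLICY], GROUPS, list(memberships)), action, resource)
```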
IAM – Password Policy
IAM (Identity and Access Management) in AWS provides a feature called “IAM password policy” that allows organizations to define and enforce password requirements for their AWS users. The IAM password policy helps enhance the security of user accounts by promoting the use of strong and regularly updated passwords. Here’s an explanation of the key aspects of IAM password policy:
- Password length: Organizations can specify the minimum password length required for user accounts. This ensures that passwords are not easily guessable and provides a basic level of security.
- Password complexity: The password policy can enforce rules for password complexity, such as requiring a combination of uppercase and lowercase letters, numbers, and special characters. This helps to create stronger passwords that are more resistant to brute-force attacks.
- Password expiration: Administrators can set a maximum password age, after which users will be prompted to change their passwords. This enforces regular password updates, reducing the risk of compromised accounts due to long-term use of the same password.
- Password reuse prevention: Organizations can configure the policy to prevent users from reusing their previous passwords. This ensures that users regularly choose new and unique passwords.
- Password requirements: The policy can enforce additional requirements, such as preventing the use of common or easily guessable passwords, and disallowing the inclusion of the user’s name or account ID in the password.
- Account lockout: IAM password policy can specify the number of failed login attempts allowed before an account gets locked. This protects against brute-force attacks and unauthorized access attempts.
By implementing an IAM password policy, organizations can establish consistent password requirements across their AWS accounts, promoting strong password practices and reducing the risk of unauthorized access. It is important to regularly review and update the password policy to align with evolving security best practices and industry standards.
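The settings listed above map directly onto the IAM account password policy API. As an added example (not code from the page or from AWS), the following audits a fetched policy against a baseline and produces the hardened settings to apply; the field names are the real boto3 parameter names of get_account_password_policy / update_account_password_policy, while the numeric thresholds in BASELINE are an assumed baseline and the weak policy is constructed sample data.

```python
from typing import Dict, List

# Field names are the IAM API names; the thresholds are an assumed organisational baseline.
BASELINE = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "MaxPasswordAge": 90,           # days; absent in the API response means "never expires"
    "PasswordReusePrevention": 24,  # number of previous passwords remembered
    "AllowUsersToChangePassword": True,
}


def audit_password_policy(policy: Dict) -> List[str]:
    """Return one finding per baseline setting the account's policy falls short of."""
    findings = []
    for key, wanted in BASELINE.items():
        actual = policy.get(key)
        if isinstance(wanted, bool):
            if actual is not True:
                findings.append(f"{key} should be enabled (currently {actual})")
        elif key == "MaxPasswordAge":  # an upper bound: shorter is stricter
            if actual is None or actual > wanted:
                findings.append(f"{key} should be at most {wanted} days (currently {actual})")
        elif actual is None or actual < wanted:  # lower bounds: length, reuse history
            findings.append(f"{key} should be at least {wanted} (currently {actual})")
    return findings


def hardened_policy() -> Dict:
    """Keyword arguments for iam.update_account_password_policy(**hardened_policy())."""
    return dict(BASELINE, HardExpiry=False)


# Constructed sample of what get_account_password_policy() returns on a weakly configured account
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

if __name__ == "__main__":
    import boto3  # only needed to audit a real account
    iam = boto3.client("iam")
    try:
        current = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:  # no custom policy set at all
        current = {}
    print("\n".join(audit_password_policy(current)) or "password policy meets the baseline")
```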
Multi Factor Authentication – MFA
IAM MFA (Multi-Factor Authentication) is a security feature provided by AWS (Amazon Web Services) that adds an additional layer of protection to user accounts within the IAM (Identity and Access Management) service. MFA requires users to provide two or more pieces of evidence to verify their identity when signing in to AWS services or performing sensitive operations. Here’s an explanation of how IAM MFA works:
- MFA devices: IAM MFA requires users to associate an MFA device with their IAM user account. The MFA device can be a physical device (such as a hardware token) or a virtual device (such as a mobile application, e.g. Google Authenticator or AWS Virtual MFA).
- Enrollment: Users need to enroll their MFA device with AWS and link it to their IAM user account. During the enrollment process, a unique serial number is generated for the MFA device.
- Authentication process: When a user attempts to sign in to an AWS service or perform a sensitive operation, IAM requires them to provide two factors of authentication:
- Factor 1: The user’s regular IAM username and password.
- Factor 2: A one-time password (OTP) generated by their MFA device.
- Generating OTP: The MFA device generates a new OTP at fixed time intervals. The user enters this OTP along with their username and password during the authentication process.
- Verification: AWS verifies the entered OTP against the OTP generated by the user’s registered MFA device. If the OTPs match, the user is granted access to the requested AWS service or operation.
The purpose of IAM MFA is to add an extra layer of security by requiring users to possess both something they know (username/password) and something they have (MFA device) in order to gain access to their IAM accounts. This mitigates the risk of unauthorized access, even if the user’s password is compromised.
Enabling IAM MFA is highly recommended for privileged accounts, such as administrators or users with elevated permissions, to provide an additional safeguard against unauthorized access and protect critical resources in AWS.
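The "generating OTP" and "verification" steps above are the TOTP algorithm (RFC 6238, built on HOTP from RFC 4226), which is what virtual MFA apps implement. As an added example that is not AWS code, the following shows both sides: the device deriving a six-digit code from a shared seed and the current 30-second time step, and the verifier accepting it within a small drift window using a constant-time comparison. The seed is the RFC 6238 reference test seed, a constructed input rather than a real MFA secret.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per time step: the device's "fixed time interval"
DIGITS = 6   # AWS virtual MFA codes are six digits


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: Optional[float] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP (device side): HOTP with the counter derived from the current time step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // step))


def verify_totp(secret: bytes, candidate: str, at_time: Optional[float] = None,
                window: int = 1, step: int = STEP) -> bool:
    """Verifier side: accept the code for the current step or +/- `window` neighbouring steps
    (clock-drift tolerance). Every candidate is compared in constant time and the loop never
    exits early, so timing does not reveal which step matched."""
    t = time.time() if at_time is None else at_time
    current = int(t // step)
    ok = False
    for counter in range(current - window, current + window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter), candidate)
    return ok


def secret_from_base32(encoded: str) -> bytes:
    """Virtual MFA apps receive the seed as Base32 (the text form of the enrollment QR code)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding that apps usually omit
    return base64.b32decode(cleaned)


# RFC 6238 reference seed (constructed test input, not a real MFA secret)
RFC_SEED = b"12345678901234567890"
```

A real verifier must also remember the last accepted time step per device and refuse to accept the same code twice, otherwise an observed code stays valid for the whole window.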
MFA devices options in AWS
AWS IAM (Identity and Access Management) supports several MFA (Multi-Factor Authentication) device options that users can choose from to enhance the security of their AWS accounts. The MFA device options offered by AWS include:
- Virtual MFA devices: AWS Virtual MFA is a software-based MFA solution that can be installed on a mobile device. It generates time-based one-time passwords (TOTPs) that users can use as the second factor for authentication. The most commonly used virtual MFA apps are Google Authenticator, Authy, and Microsoft Authenticator.
- U2F security keys: U2F (Universal 2nd Factor) security keys are physical devices that provide strong authentication. They connect to a computer or mobile device via USB or NFC and hold a cryptographic key pair that signs the authentication challenge. Because that signature is bound to the site that issued the challenge, U2F keys give strong protection against phishing attacks.
- Hardware MFA devices: AWS supports various hardware MFA devices, such as key fobs or smart cards, which generate one-time passwords. These devices are provided by third-party vendors and are often used in organizations that require physical tokens for authentication.
- SMS text messages: While not a dedicated MFA device, AWS also allows users to receive one-time passwords via SMS text messages. This option utilizes the user’s mobile phone to receive the OTP for authentication. However, it’s worth noting that SMS-based authentication is generally considered less secure than other MFA methods, as it is susceptible to SIM swapping attacks or interception of SMS messages.
When configuring MFA for an IAM user, users can choose the MFA device option that best suits their needs and preferences. It’s recommended to opt for hardware-based or virtual MFA devices, as they provide stronger security compared to SMS-based authentication.