# IAM in AWS | What are Roles, Policies, Users and Groups
AWS Identity and Access Management (IAM) is a key component for securely managing access to AWS services and resources. By learning IAM, you gain control over user permissions and roles, helping maintain a secure environment and ensuring users can only access what they’re authorized for.
Here's a structured guide to understanding AWS IAM, followed by practical assignments to reinforce learning.
## 1. What is IAM in AWS?
IAM (Identity and Access Management) is a service that enables you to control access to AWS resources securely. IAM helps you:
- Create and manage AWS users and groups.
- Control access permissions for each user or group.
- Define policies that grant or deny specific AWS service access.
## 2. How IAM Works
IAM grants permissions through policies attached to identities. The core building blocks are:
- Users: A person or application that accesses AWS resources.
- Groups: A collection of users that share the same permissions.
- Roles: A set of permissions that an identity assumes temporarily; typically used by applications or AWS services that need access to AWS resources.
- Policies: JSON documents that specify permissions and are attached to users, groups, or roles.
The following step-by-step tutorials pair each procedure with a flowchart, so that every step is visual and actionable.
### **Step 1: Creating an IAM User**
#### **Flowchart & Steps**
```
Start --> IAM Console --> Create User --> Configure Access Type
                                                  |
                             +--------------------+--------------------+
                             |                                         |
                      Console Access                         API Access (Access Keys)
                             |                                         |
                             +--------------------+--------------------+
                                                  |
                                         Assign Permissions
                                                  |
                                            Attach Policy --> Review and Create User
                                                                       |
                                                                 User Created!
```
1. **Open the IAM Console** in the AWS Management Console.
2. **Create New User:**
   - Enter a **Username** (e.g., "developer1").
   - Choose **Access Type**: select **AWS Management Console access** for console-based access or **Programmatic access** for API-based access (this generates an access key ID and a secret access key).
3. **Assign Permissions:** Choose **Attach existing policies directly** and attach policies such as **AmazonS3FullAccess**.
4. **Review and Create User:** Confirm your selections and click **Create user** to finish.
#### **Assignment 1:**
**Objective:** Create an IAM user with S3 access only.
**Steps:** Follow the above steps but attach only the **AmazonS3ReadOnlyAccess** policy instead of AdministratorAccess.
---
### **Step 2: Understanding and Creating IAM Policies**
#### **Flowchart & Steps**
```
Start --> IAM Console --> Policies --> Create Policy --> Choose Service
                                                              |
                                             +----------------+----------------+
                                             |                                 |
                                    Select Permissions             Set Policy Conditions
                                             |                                 |
                                             +----------------+----------------+
                                                              |
                                                  Write JSON Policy --> Attach to Users/Roles
```
1. **Open Policies in IAM Console** and select **Create policy**.
2. **Define Policy Using Visual Editor:**
   - **Choose Service:** Select the AWS service (e.g., S3, EC2).
   - **Select Actions:** Specify actions like `s3:ListBucket` or `s3:GetObject`.
3. **Add Conditions:** (Optional) Add conditions like IP restrictions or MFA requirements.
4. **Review and Save Policy:** Save and attach this policy to users, groups, or roles.
#### **Assignment 2:**
**Objective:** Create a custom policy that grants EC2 start/stop permissions.
**Steps:** Define a policy that allows `ec2:StartInstances` and `ec2:StopInstances`. Attach it to an IAM user.
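The policy model from section 2 ("How IAM Works") and the custom policy from Assignment 2, worked through in Python as an added example (not code from the original page or from AWS). The evaluator applies the evaluation order AWS documents for identity-based policies within one account: an explicit `Deny` always wins, otherwise at least one matching `Allow` is needed, otherwise the request is implicitly denied. The two policy documents and the request context are constructed for this example; `GUARDRAIL_POLICY` and the helper names are assumptions, not anything on the page.

```python
"""Minimal IAM policy evaluator (added example, not AWS code).

Models the documented evaluation order for identity-based policies in one
account: explicit Deny > Allow > implicit deny. Wildcards in Action and
Resource use IAM's '*' / '?' semantics; only the StringEquals /
StringNotEquals condition operators used by the samples are implemented.
"""
import fnmatch
import json

# Constructed sample: the custom policy Assignment 2 asks for.
EC2_START_STOP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "*"
    }
  ]
}
""")

# Constructed sample (assumption, not from the page): a guardrail policy that a
# team might attach alongside it, denying termination of any instance and any
# EC2 call outside one region.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}},
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match; action names are case-insensitive, ARNs are not."""
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate StringEquals / StringNotEquals blocks against the request context."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_list = _as_list(expected)
            if operator == "StringEquals" and actual not in expected_list:
                return False
            if operator == "StringNotEquals" and actual in expected_list:
                return False
    return True


def evaluate(policies, action, resource="*", context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    `policies` is every policy document reaching the principal, whether
    attached directly, inherited from a group, or attached to an assumed role.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(_as_list(stmt.get("Action")), action, ignore_case=True):
                continue
            if not _matches(_as_list(stmt.get("Resource", "*")), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    attached = [EC2_START_STOP_POLICY, GUARDRAIL_POLICY]
    in_region = {"aws:RequestedRegion": "us-east-1"}
    print(evaluate(attached, "ec2:StartInstances", context=in_region))      # Allow
    print(evaluate(attached, "ec2:TerminateInstances", context=in_region))  # ExplicitDeny
    print(evaluate(attached, "s3:GetObject", context=in_region))            # ImplicitDeny
    print(evaluate(attached, "ec2:StopInstances",
                   context={"aws:RequestedRegion": "eu-west-1"}))           # ExplicitDeny
```

The last call shows why the order matters: the start/stop policy allows `ec2:StopInstances`, but the guardrail's region-scoped `Deny` matches too, and a matching `Deny` overrides every `Allow`. The IAM policy simulator in the console performs the full version of this evaluation, including resource-based and permissions-boundary policies that this example leaves out.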
---
### **Step 3: Working with IAM Groups**
#### **Flowchart & Steps**
```
Start --> IAM Console --> Groups --> Create Group --> Name the Group
| |
|--> Attach Policies --> Add Users to Group
|
Group Created!
```
1. **Navigate to Groups in IAM Console** and click **Create New Group**.
2. **Name the Group:** Enter a group name (e.g., "Developers").
3. **Attach Policies:** Select policies that apply to this group (e.g., **AmazonS3ReadOnlyAccess**).
4. **Add Users to Group:** Add users to this group to apply permissions.
#### **Assignment 3:**
**Objective:** Create a "ReadOnly" group for all AWS services.
**Steps:** Use the **ReadOnlyAccess** policy and add users to the group.
---
### **Step 4: Creating and Using IAM Roles**
#### **Flowchart & Steps**
```
Start --> IAM Console --> Roles --> Create Role --> Choose Trusted Entity
                                                            |
                                          AWS Service (EC2, Lambda) --> Choose Policies
                                                                              |
                                                         Attach Policy --> Assign Role to Resource
                                                                                       |
                                                                                 Role Created!
```
1. **Open Roles in IAM Console** and click **Create Role**.
2. **Choose Trusted Entity:** For example, select **AWS Service**.
3. **Select Use Case:** Specify if the role is for EC2, Lambda, etc.
4. **Attach Policy:** Choose policies like **AmazonS3ReadOnlyAccess** or **AWSLambdaBasicExecutionRole**.
5. **Assign Role to Resource:** Attach this role to an EC2 instance or Lambda function as needed.
#### **Assignment 4:**
**Objective:** Create a Lambda execution role with permissions to read from DynamoDB.
**Steps:** Attach the **AWSLambdaBasicExecutionRole** and **AmazonDynamoDBReadOnlyAccess** policies to the role.
### **Step 5: Enabling Multi-Factor Authentication (MFA)**
#### **Flowchart & Steps**
```
Start --> IAM Console --> Users --> Select User --> Security Credentials
                                                            |
                                                        Enable MFA
                                                            |
                                                    Choose MFA Device
                                                            |
                                                       MFA Enabled!
```
1. **Open IAM Console** and navigate to **Users**.
2. **Select User** and go to **Security credentials**.
3. **Enable MFA:** Click **Manage** next to **Assigned MFA device** and select **Virtual MFA device**.
4. **Configure MFA Device:** Scan the QR code or enter a setup key to enable MFA.
#### **Assignment 5:**
**Objective:** Enable MFA for an IAM user and log in to test MFA.
**Steps:** Follow the above process to enable MFA and log in to verify the setup.
---
### **Step 6: Monitoring and Auditing IAM Activities with CloudTrail**
#### **Flowchart & Steps**
```
Start --> CloudTrail Console --> Create Trail --> Define Trail Name
| |
|--> Configure S3 Storage --> Enable Logging
| |
|--> Set IAM Permissions --> Monitor Events
|
Audit Logs Ready!
```
1. **Open CloudTrail Console** in the AWS Management Console.
2. **Create a Trail:** Click on **Create trail** and provide a trail name.
3. **Configure S3 Storage:** Choose an S3 bucket to store the CloudTrail logs.
4. **Enable IAM Permissions Monitoring:** Ensure that the trail includes management events (for IAM actions).
5. **Review Logs in CloudTrail:** Access the S3 bucket to review and analyze logs.
#### **Assignment 6:**
**Objective:** Set up CloudTrail to monitor IAM activities.
**Steps:** Create a trail that logs IAM events to an S3 bucket and review the logs.
---
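Step 6 ends with "review and analyze logs", and Assignment 6 asks you to review IAM events. As an added example (not code from the original page or from AWS), here is the kind of first-pass review a practitioner would run over a downloaded CloudTrail log object: it reads the `Records` list that CloudTrail writes to S3 and flags the events that change who can do what, plus console logins that did not use MFA. The log records below are constructed for this example in the shape real CloudTrail records use (`eventSource`, `eventName`, `userIdentity`, `additionalEventData`, `requestParameters`); the user names, times and role name are sample values, and the set of watched event names is this example's choice.

```python
"""Flag security-relevant IAM activity in a CloudTrail log object (added example).

CloudTrail delivers management events to S3 as JSON objects with a top-level
"Records" list. The records here are constructed for this example; field
names follow the real record format, the values are made up.
"""
import json

# Constructed sample log object (values are sample data, not real account activity).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "developer1"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "developer1"},
     "requestParameters": {"userName": "developer1",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-05-01T09:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "developer1"},
     "requestParameters": {"userName": "developer1"}},
    {"eventTime": "2024-05-01T09:10:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "developer1"}},
    {"eventTime": "2024-05-01T09:12:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "Root"},
     "requestParameters": {"roleName": "ManagerRole"}},
]})

# IAM API calls that grant permissions or create credentials; each one is a
# legitimate administrative action, and each one deserves a reviewer's eye.
PRIVILEGE_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreatePolicyVersion", "UpdateAssumeRolePolicy",
    "AddUserToGroup", "CreateAccessKey", "CreateLoginProfile",
    "DeactivateMFADevice",
}


def _actor(record):
    """Name the caller: the IAM user name, or the identity type (e.g. 'Root') when there is none."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")


def find_iam_findings(log_text):
    """Return (eventTime, actor, eventName, reason) tuples for records worth reviewing."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        name = rec.get("eventName")
        source = rec.get("eventSource")
        if source == "signin.amazonaws.com" and name == "ConsoleLogin":
            # Sign-in events carry whether MFA was used in additionalEventData.
            if rec.get("additionalEventData", {}).get("MFAUsed") == "No":
                findings.append((rec["eventTime"], _actor(rec), name,
                                 "console login without MFA"))
        elif source == "iam.amazonaws.com" and name in PRIVILEGE_CHANGE_EVENTS:
            params = rec.get("requestParameters", {})
            reason = "privilege change"
            if "AdministratorAccess" in params.get("policyArn", ""):
                reason = "AdministratorAccess attached"
            findings.append((rec["eventTime"], _actor(rec), name, reason))
    return findings


if __name__ == "__main__":
    for finding in find_iam_findings(SAMPLE_LOG):
        print(" | ".join(finding))
```

Run against the sample, the routine reports four of the five records and skips the routine `ListBuckets` call. In a real account the same logic can be pointed at the gzipped objects in the trail's bucket, or expressed as a CloudTrail Lake or Athena query over the same fields.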
### **How to create a role and assign it to a specific user (as the root user) to elevate permissions**
**Step 1:** Create an IAM user with a custom password and attach the **S3ReadOnlyAccess** policy.
**Step 2:** Create a role named **ManagerRole** and attach the **S3FullAccess** policy.
**Step 3:** Log in with the IAM user's credentials and try to switch to the role.
**Step 4:** The switch fails with an access error: the role does not yet trust this user.
**Step 5:** As the root user, open the role, go to the **Trust relationships** section, and add the user's ARN under `Principal` in the trust policy JSON:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::024848474675:user/navneet"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
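Before saving a trust policy it is worth checking who it actually lets in. As an added example (not code from the original page or from AWS), the following Python reviews the trust policy above and a tightened variant that this example proposes: the `s3.amazonaws.com` service principal, which the user-switching scenario never uses, is dropped, and the `aws:MultiFactorAuthPresent` condition key ties role assumption to the MFA set up in Step 5. The account ID and user name are the ones on the page; the check list, the function names and the hardened document are this example's assumptions.

```python
"""Review a role trust policy before saving it (added example, not AWS code).

ORIGINAL_TRUST_POLICY is the document from the walkthrough above.
HARDENED_TRUST_POLICY is this example's tightened version: only the user
principal remains, and sts:AssumeRole requires an MFA-authenticated session
via the aws:MultiFactorAuthPresent condition key.
"""
import json

# Trust policy as written on the page (account ID and user name are the page's).
ORIGINAL_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::024848474675:user/navneet"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Tightened version proposed by this example (an assumption, not from the page).
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::024848474675:user/navneet"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    """Principal entries may be a single string or a list."""
    return value if isinstance(value, list) else [value]


def review_trust_policy(policy, own_account):
    """Return human-readable findings for each Allow statement; [] means no concerns found."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" (or "AWS": "*") trusts every AWS account.
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: wildcard principal lets any AWS account assume the role")
            continue
        # Cross-account principals: the account ID is the fifth ARN field.
        for arn in _as_list(principal.get("AWS", [])):
            parts = arn.split(":")
            if len(parts) == 6 and parts[4] and parts[4] != own_account:
                findings.append(f"statement {i}: principal {arn} belongs to another account")
        # A role that people switch into rarely needs a service principal as well.
        if "Service" in principal and "AWS" in principal:
            findings.append(f"statement {i}: service principal {principal['Service']} is trusted "
                            "alongside a user principal; remove it if the service never assumes this role")
        # Without the MFA condition, long-lived access keys alone can assume the role.
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if "AWS" in principal and str(mfa).lower() != "true":
            findings.append(f"statement {i}: no aws:MultiFactorAuthPresent condition, "
                            "so the role can be assumed without MFA")
    return findings


if __name__ == "__main__":
    for label, doc in (("original", ORIGINAL_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(label, review_trust_policy(doc, own_account="024848474675") or ["no findings"])
```

The original document produces two findings (the extra service principal and the missing MFA condition); the hardened one produces none. The `Bool` condition on `aws:MultiFactorAuthPresent` evaluates false when the key is absent, so a session authenticated with access keys only is denied at `sts:AssumeRole`, while the console Switch Role flow after an MFA login succeeds.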