AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.


Key features of IAM:

- Granular permissions: define fine-grained access control to AWS resources.
- Multi-factor authentication (MFA): add an extra layer of security to sign-in.
- Identity federation: integrate with existing corporate directories.
- Access Analyzer: identify resources shared with external entities.
- Temporary security credentials: grant time-limited access to resources.


AWS IAM Policy

- AWS managed policies
- Customer managed policies
- Multi-factor authentication (MFA)
- Granular control using policies
- Identity federation


Types of IAM Policies

1. Managed policies
   a. AWS managed policies
   b. Customer managed policies
2. Inline policies
3. Resource-based policies
4. Permissions boundaries
5. Organizations service control policies (SCPs)
6. Organizations resource control policies (RCPs)
7. Access control lists (ACLs)


Grant least privilege

When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users and roles need to do and then craft policies that allow them to perform only those tasks.

Understand access level groupings

Service | Access level | This policy provides the following
--- | --- | ---
IAM | Full access | Access to all actions within the IAM service.
CloudWatch | Full: List | Access to all CloudWatch actions in the List access level, but no access to actions with the Read, Write, or Permissions management access level classification.
Data Pipeline | Limited: List, Read | Access to at least one but not all AWS Data Pipeline actions in the List and Read access levels, but not the Write or Permissions management actions.
EC2 | Full: List, Read; Limited: Write | Access to all Amazon EC2 List and Read actions and to at least one but not all Amazon EC2 Write actions, but no access to actions with the Permissions management access level classification.
S3 | Limited: Read, Write, Permissions management | Access to at least one but not all Amazon S3 Read, Write, and Permissions management actions.
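The following added example (not code from the original page) applies the least-privilege advice and the Full/Limited groupings from the table above to a policy document: it expands the Action wildcards of a constructed least-privilege policy against a small, constructed catalog of actions and their access levels, and reports which levels each service gets in full and which only partially, the way the console summary does. The catalog contents, the policy and the bucket name are assumptions made for the example.

```python
import fnmatch

# Constructed, abbreviated action catalog for illustration only; the authoritative
# access-level classification of each action is in the AWS Service Authorization Reference.
CATALOG = {
    "s3": {"List": ["s3:ListBucket", "s3:ListAllMyBuckets"], "Read": ["s3:GetObject", "s3:GetBucketLocation"],
           "Write": ["s3:PutObject", "s3:DeleteObject"], "Permissions management": ["s3:PutBucketPolicy"]},
    "ec2": {"List": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Read": ["ec2:GetConsoleOutput"],
            "Write": ["ec2:StartInstances", "ec2:StopInstances"], "Permissions management": ["ec2:ModifySnapshotAttribute"]},
}

# Constructed least-privilege policy: objects in one bucket plus EC2 describe calls.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}

def allowed_actions(policy):
    """Expand the Action patterns of every Allow statement against the catalog.
    Action names are case-insensitive and accept * and ? wildcards; Resource and
    Condition are ignored because the access-level summary is about actions only."""
    statements = policy["Statement"]
    granted = set()
    for stmt in [statements] if isinstance(statements, dict) else statements:
        actions = stmt.get("Action", []) if stmt.get("Effect") == "Allow" else []
        for pattern in [actions] if isinstance(actions, str) else actions:
            for levels in CATALOG.values():
                for names in levels.values():
                    granted.update(a for a in names
                                   if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return granted

def summarize(policy):
    """Per service, list access levels granted in full and those granted only in part,
    mirroring the Full/Limited wording of the console's policy summary."""
    granted = allowed_actions(policy)
    summary = {}
    for service, levels in CATALOG.items():
        full = [lvl for lvl, names in levels.items() if all(a in granted for a in names)]
        limited = [lvl for lvl, names in levels.items()
                   if lvl not in full and any(a in granted for a in names)]
        if full or limited:
            summary[service] = {"Full": full, "Limited": limited}
    return summary
```

Calling summarize(LEAST_PRIVILEGE_POLICY) reports S3 as Limited: List, Read, Write and EC2 as Full: List, while a policy allowing s3:* reports every S3 level as Full, which is the signal to tighten it.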


Types of IAM roles

- Service roles
- Cross-account access roles
- Web identity roles
- SAML 2.0 federation roles
- Custom roles


IAM User Permissions

Permission level | Description
--- | ---
Administrator access | Full access to all AWS services and resources.
Read-only access | Can view resources but cannot create, modify, or delete them.
Power user access | Full access to most AWS services but cannot manage IAM users or groups.
Billing access | Access to view and manage AWS billing and cost management.
Custom permissions | Granular access to specific services, actions, or resources based on policies.


IAM Group Permissions

Permission level | Description
--- | ---
Administrator group | Users in this group have full access to all AWS services and resources.
Read-only group | Users can only view resources and cannot make changes.
Power user group | Users have full access to most services but cannot manage IAM users or groups.
Billing group | Users can manage billing and cost-related tasks.
Custom group | Users have the permissions defined by the custom policies attached to the group.


Access Levels

Access level | Description
--- | ---
Full access | Unrestricted access to all actions and resources within a service.
Read-only access | Ability to view resources but not modify or delete them.
Write access | Ability to create, modify, or delete resources.
List access | Ability to list resources but not view their details or modify them.
No access | No permissions to access the service or resource.


Key Differences

Feature | AWS IAM Power User | Azure Contributor Role
--- | --- | ---
Scope | AWS services and resources. | Azure resources within a subscription or resource group.
Resource management | Full access to most AWS services. | Full access to Azure resources.
IAM/role management | Cannot manage IAM users, groups, or policies. | Cannot manage role assignments or permissions.
Billing/account access | No access to billing or account settings. | No access to subscription-level settings.
Use case | Developers and power users in AWS. | Resource managers in Azure.


Conclusion

AWS IAM is an effective way to control access to AWS resources. By understanding and using its features, such as granular permissions, MFA, and identity federation, you can keep your AWS environment both secure and efficient. Always follow the principle of least privilege to minimize security risk, and tailor permissions to the specific needs of your users and roles.