Amazon Web Services (AWS) cloud provides a secure virtual platform where users can deploy their applications. Compared to an on-premises environment, AWS security provides a high level of data protection at a lower cost to its users. There are many types of security services, but Identity and Access Management (IAM) is one the most widely used. AWS IAM enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions
to allow and deny their access to AWS resources. Let us begin this AWS IAM tutorial by understanding AWS security. Cloud security is the highest priority in AWS. When you host your environment in the cloud, you can be assured that it’s hosted in a data center or
in a network architecture that’s built to meet the requirements of the most security-sensitive organization. Additionally, this high level of security is available on a pay-as-you-go basis, meaning there is really no upfront cost, and the cost for using the service is a lot cheaper compared to an on-premises environment. There are many types of security services available but some of them are widely used by
AWS, such as: We shall deal with IAM in this tutorial. IAM enables you to manage access to AWS services and resources in a very secure manner. With IAM you can create groups and allow those users or groups to access some servers, or you can deny them
access to the service. Why IAM?Before AWS or IAM, passwords were often shared in corporate environments in a very insecure manner: over the phone or through email. Often only one admin password existed, which was commonly stored in a set location, or there was only one person who could reset it, and you needed to call the person to ask for the admin password over the phone. That was not secure at all, because anybody could walk by and eavesdrop and then walk away with the password and access to your system and information. Today we have a more secure communication tool: a third-party application called Slack, which is hosted on AWS. It helps people to share a document through the application so that eavesdropping is eliminated. In the next section of the AWS IAM tutorial, let us understand what IAM is. What is IAM?AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It enables you to create and control services for user authentication or limit access to a certain set of people who use your AWS resources. How Does IAM Work?The IAM workflow includes the following six elements:
Let us explore the components of IAM in the next section of the AWS IAM tutorial. Components of IAMThere are other basic components of IAM. First, we have the user; many users together form a group. Policies are the engines that allow or deny a connection based on policy. Roles are temporary credentials that can be assumed to an instance as needed.
An IAM user is an identity with an associated credential and permissions attached to it. This could be an actual person who is a user, or it could be an application that is a user. With IAM, you can securely manage access to AWS services by creating an IAM user name for each employee in your organization. Each IAM user is associated with only one AWS account. By default, a newly created user is not authorized to perform any action in AWS. The advantage of having one-to-one user specification is that you can individually assign permissions to each user.
A collection of IAM users is an IAM group. You can use IAM groups to specify permissions for multiple users so that any permissions applied to the group are applied to the individual users in that group as well. Managing groups is quite easy. You set permissions for the group, and those permissions are automatically applied to all the users in the group. If you add another user to the group, the new user will automatically inherit all the policies and the permissions already assigned to that group. This lessens the administrative burden.
An IAM policy sets permission and controls access to AWS resources. Policies are stored in AWS as JSON documents. Permissions specify who has access to the resources and what actions they can perform. For example, a policy could allow an IAM user to access one of the buckets in Amazon S3. The policy would contain the following information:
In JSON format that would look like this: There are two types of policies: managed policies and inline policies.
An IAM role is a set of permissions that define what actions are allowed and denied by an entity in the AWS console. It is similar to a user in that it can be accessed by any type of entity (an individual or AWS service). Role permissions are temporary credentials. For example, you might want to allow a mobile app to use AWS resources, but you do not want it to save the key, credential or password. Or you might want to give access to resources to a user who already has an identity defined outside of AWS, such as a user who already has Google or Facebook authentication. If you want to provide someone with a service or let someone access resources in your account, you can use roles for that purpose too. You also might want to grant temporary access to your account to a third party, such as a consultant or an auditor. They’re not permanent users, just users with temporary access to your environment. Let us explore the features of IAM in the following section of the AWS IAM tutorial. Gain proficiency in AWS IAM and the security attributes with the AWS Certification Training. Check out the course preview now. Features of IAMTo review, here are some of the main features of IAM:
In the last section of the AWS IAM tutorial, let us go through a demo on how to create an S3 bucket using the multifactor authentication (MFA) feature. Demo: Create an S3 Bucket Using the MFA FeatureThe final segment of this article puts together all of the information presented and uses it to solve a basic problem. Problem statement: To create an S3 bucket for a company in which each user can read and write data with multifactor authentication. Task: To create policies and assign permissions for a user and a group.
This is a very good use case if you have sensitive data in an S3 bucket and you want only privileged or MFA-authenticated users to make changes to those buckets. For those privileged users, you would enable multifactor authentication. ConclusionThe information provided in this AWS IAM tutorial gave you a clear idea of AWS security and IAM. Amazon Web Services offers many remote computing services apart from security services. As companies across the world are adopting AWS Cloud, there will be a huge demand for professionals who have in-depth knowledge of AWS principles and services. Simplilearn makes it easy for you to upgrade yourself and gain expertise in AWS through the AWS Solutions Architect Certification Training Course. Get started today and excel in the field of Amazon Web Services. How do I secure my network access to my AWS resources?Short description. Safeguard your passwords and access keys.. Activate multi-factor authentication (MFA) on the AWS account root user and any users with interactive access to AWS Identity and Access Management (IAM). Limit AWS account root user access to your resources.. Audit IAM users and their policies frequently.. Which of the following service enables you to manage access to AWS services and resources securely?With AWS Identity and Access Management (IAM), you can specify who or what can access services and resources in AWS, centrally manage fine-grained permissions, and analyze access to refine permissions across AWS.
Which IAM role that grants permissions to an AWS service so it can access AWS resources?You should use IAM roles to grant access to your AWS accounts by relying on short-term credentials, a security best practice. Authorized identities, which can be AWS services or users from your identity provider, can assume roles to make AWS requests. To grant permissions to a role, attach an IAM policy to it.
What are the ways user can access resources in their AWS account?You can set up a trust relationship with an IAM role in another AWS account to access their resources. For example, from the source account you want to access the destination account. You can assume the IAM role from the source to destination account by providing your IAM user permission for the AssumeRole API.
How do you protect access to and the use of the AWS account root user credentials choose two?Here are some ways to do that:. Access keys. ... . Never share your AWS account root user password or access keys with anyone.. Use a strong password to help protect access to the AWS Management Console. ... . Enable AWS multi-factor authentication (MFA) on your AWS account root user account.. What do you use to protect a set of AWS resources?MFA is the best way to protect accounts from inappropriate access. Always set up MFA on your Root user and AWS Identity and Access Management (IAM) users. If you use AWS IAM Identity Center to control access to AWS or to federate your corporate identity store, you can enforce MFA there.
|