AWS - IAM

Posted GoldenaArcher

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了AWS - IAM相关的知识,希望对你有一定的参考价值。

AWS IAM

自用笔记。

Terms

IAM - Identity and Access Management, a global service

  • it gives:

    • Centralized control of AWS account
    • Shared access to AWS account
    • Granular permissions
    • Identity Federation, i.e., Facebook, LinkedIn etc.
  • it allows:

    • Multi-Factor Authentications
    • Temporary access for users/devices and services
    • Set up own password rotationpolicy.
    • Integrates with many different AWS services
    • Suppor PCI DSS compliance

Root Account - created by default, shouldn’t be used or shared

Users - people within the organizations, and can be grouped. Users don’t have to belong to a group, and also can be belong to multiple groups

Groups - a collection of users under one set of permissions. Only contain users, not other groups

Roles - can be assigned to users, applications, and services to give access to AWS resources

AKA IAM roles, that will assign permissions to AWS services. Common roles: EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation

Policy - a (JSON) documnet that defines one or more permissions. It can be attached to a user, group or a role. The policy defines the permissions of the users. In AWS, the least privilege principle should be applied.

Practice Creating and Managing Users/Groups

  1. access user section

  2. create user

    1. provide user details

    2. grant user permissions

    3. review and create

  3. create user groups

    1. select group & click on create group

    2. Name the group, add useer and attach policy

      Scroll to the end of page and create group.

Alias

alias, after setting account with alias, IAM user can sign in using the alias address, can only be set under root account.

It can be viewed and changed on dashboard:

IAM Policy

Policy can be inherited from different group, i.e., if an user is in both group A and group B, then this user will have policy A from group A and policy B from group B attached to this user.

The format of policy looks like:


  "Version": "2012-10-17",
  "Statement": [
    
      "Effect": "Allow",
      "Action": "service-prefix:action-name",
      "Resource": "*",
      "Condition": 
        "DateGreaterThan":  "aws:CurrentTime": "2020-04-01T00:00:00Z" ,
        "DateLessThan":  "aws:CurrentTime": "2020-06-30T23:59:59Z" 
      
    
  ]

A policy is consists of:

  • version number - policy language version, always include “2012-10-17” (required)

    2008-10-17 exists on older policy, but do not use this value as its outdated

  • id: an identifier for the policy(optional)

  • Statements: one or more individual statements (required)

statements consists of:

  • sid: an identifier for the statement (optional)

  • Effect: whether allow/deny access

  • Principal: account/user/role to which this polic applied to

    required in resource-based policies

  • Action: list of actions this policy allows or denies

  • NotAction: all the actions except listed actions this policy allows or denies

    A statement must include Action or NoAction

  • Resource: list of resources to which the actions applied to

  • NoResource: similar to NoAction

    A statement must include Resource or NoResource

  • Condition: conditions for when this policy is in effect (optional)

IAM Password and MFA

Right now the password has default value, and can be changed under account settings:

MFA can be generated under users > security credentials:

Access key can be found below MFA.

Access Key

There a 3 way to access AWS:

  • AWS Management Console(website), protected by password + MFA
  • AWS Command Line Interface(CLI), protected by access keys
  • AWS Software Developer Kit(SDK), protected by access keys

Access keys are generated through the AWS console, the secret access key is only shown during the process of creation, if user loses it, the user will need to create it again.

Users manage their own access keys, DO NOT SHARE

Connect process:

  1. download and install CLI

    Download: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

    on Mac:

    $ curl "https://awscli.amazonaws.com/AWSCLIV2.pkg" -o "AWSCLIV2.pkg"
    $ sudo installer -pkg AWSCLIV2.pkg -target /
    
  2. Create access key using IAM User, DO NOT use root account for it.

  3. configure aws cli:

    ➜  ~ aws configure
    AWS Access Key ID [None]: ......
    AWS Secret Access Key [None]: ......
    Default region name [None]: us-east-1
    Default output format [None]:
    ➜  ~ aws iam list-users
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
        "Users": [
            
                "Path": "/",
                "UserName": "GA",
                "UserId": "........",
                "Arn": "arn:aws:iam::.......",
                "CreateDate": "2023-01-21T08:20:10+00:00",
                "PasswordLastUsed": "2023-01-21T11:30:22+00:00"
            
        ]
    
    

Alternative: AWS Cloud Shell (not global): https://docs.aws.amazon.com/general/latest/gr/cloudshell.html

IAM Security Tools

  • IAM Credentials Report (account-level)
  • IAM Access Advisor (user-level)

IAM Guidelines & Best Practices

  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permissions to group
  • Create a strong password policy
  • Use and enforce the use of Multi Factor Authentication(MFA)
  • Create and use Roles for giving permissions to AWS services
  • Use Access Keys for Programmatic Access (CLI/SDK)
  • Audit permissions of account with the IAM Credentials Report
  • Never share IAM users & Access Keys

Questions:

  1. In AWS, what is IAM used for (choose 3)

    • Assigning permissions, to allow and deny access to AWS resources
    • Managing access to AWS Services
    • Creating and managing users and groups
  2. Which of the following is NOT a feature of IAM

    • Allows you to set up biometric authentication, so that no passwords are required
  3. Which IAM entity can you use to delegate access to trusted entities such as IAM users, applications, or AWS services such as EC2?

    • IAM Role

    You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, to a web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2), or to an external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker. IAM Roles.

  4. True or False? AWS recommends that EC2 instances have credentials stored on them so that the instances can access other resources (such as S3 buckets).

    • False
  5. Which is the best way to enable S3 read-access for an EC2 instance?

    • Create an IAM role with read-access to S3 and assign the role to the EC2 instance
  6. Which of the following can you use to test that an IAM policy attached to a user, group or role works as expected?

    • IAM Policy Simulator
  7. What is an IAM Policy?

    • A JSON document which defines one or more permissions
  8. What is a proper definition of an IAM Role?

    • An IAM entity that defines a set of permissions for making requests to AWS services, and will be used by an AWS service
  9. Which of the following is an IAM Security Tool?

    • IAM Credentials Report
  10. Which answer is INCORRECT regarding IAM Users?

    • IAM Users access AWS services using root account credentials
  11. Which of the following is an IAM best practice?

    • Don’t use the root user account
  12. What are IAM Policies?

    • JSON documents that define a set of permissions for making requests to AWS services, and can be used by IAM Users, User Groups, and IAM Roles
  13. Which principle should you apply regarding IAM Permissions?

    • Grant least privilege
  14. What should you do to increase your root account security?

    • Enable Multi-Factor Authentication (MFA)
  15. IAM User Groups can contain IAM Users and other User Groups.

    • False

    IAM User Groups can not be part of other User Groups.

  16. An IAM policy consists of one or more statements. A statement in an IAM Policy consists of the following, EXCEPT:

    • Version

    Version is part of the IAM Policy itself, not the statement.

  17. According to the AWS Shared Responsibility Model, which of the following is AWS responsibility?

    • AWS Infrastructure

以上是关于AWS - IAM的主要内容,如果未能解决你的问题,请参考以下文章

AWS IAM 政策问题

添加IAM用户安装AWS CLI

使用授权方后 AWS Amplify API Gateway cors 错误:aws_iam

使用 AWS CloudTrail 记录 IAM 和 AWS STS API 调用

AWS IAM 用户限制(如果超过)

AWS: IAM - Identity Access Management