AWS 101: How AWS Identity and Access Management (IAM) Works
Cloud security is one of the biggest concerns organizations have when considering a move to the cloud. Public cloud platforms like Amazon Web Service (AWS) make this easier with free web services to protect you.
According to a recent Forrester report, 80% of security breaches involve privileged credentials.
Like most cloud providers, when it comes to cloud security, AWS relies on a shared responsibility model to keep data safe in the cloud. This means that while they ensure security “of” the cloud, the customer must maintain the security “in” the cloud. This AWS cloud security model reduces the data breach threat and helps create a secure perimeter that reduces the amount of data that is leaked, stolen or deleted.
What is AWS Identity and Access Management?
In this installment of AWS 101, we'll examine how Amazon Web Services takes another step to secure your data. Identity and Access Management (IAM) is a free web service that helps you securely control user access to AWS resources. IAM controls which users are authenticated (signed in) and authorized (have permissions) to access resources. This solves the issue of storing names and passwords directly in applications or saving credentials as plain text, not ideal practices. Authentication is the equivalent of being signed in to AWS; authorization is the permission to perform an action in AWS. IAM allows you to create and manage users and groups — and assign permissions to allow or deny their access.
As a foundational service that is PCI DSS compliant, IAM allows the Principle of Least Privilege to be implemented. This principle states that a user should have the exact amount of permissions needed to perform a task, and nothing more. With IAM, you can give other users access to your AWS account without sharing root use credentials or access keys, and you can restrict their access in a granular way. Since IAM also integrates with CloudTrail, the AWS API logging service, you can also monitor and record user actions.
Implementing IAM in AWS
Getting started with IAM is simple. IAM is located in the AWS Management Console. You can access it through a command-line client, an SDK or an HTTPS API. Within IAM, you can create users, roles, policies and groups. A recommended best practice is that your root user — the user that was created when you registered for an AWS account — not be used for day-to-day actions within your account, but rather only in an emergency situation. This is because the root user has access to every part of the account, compromising your security posture if the credentials are lost or stolen. As part of the Principle of Least Privilege, the best practice is that you create one or more IAM users with the minimum set of permissions needed to perform their job.
For example, you might create an admin user with full access to the console, but not the authorization to perform command-line operations. This account should not be used for your everyday or administrative tasks. Instead, it should be used only to create your first IAM user. After that, secure the root user credentials, and use them only when performing necessary tasks like account and service management.
Once assigned, a principal user that has been authenticated through IAM can perform actions and access resources. These functions are governed by IAM policies that include versions and statements.
Consider the following scenario in which IAM Amazon S3. This is also known as the Amazon Simple Storage Service, an object storage system. Suppose the admin user has permission to create IAM users and groups. When employees need to create their own data and also read and write data stored in this S3 bucket, the admin user creates a group with the appropriate permissions attached to it and adds users to that group. Next, the root user sets up policies and assigns permissions to those employees.
In your IAM policies, you are required to give these employees permission for using Amazon S3, as this does not automatically happen. When the admin creates a bucket for employees, they are not given permission to perform other actions on that bucket, which is where IAM policies fill this gap.
IAM is a powerful tool to increase security “in” the cloud. AWS provides this free service with your account, so it’s beneficial to understand its purpose and set it up properly to keep your data safe. With increased threats, securing your public cloud is your responsibility, not just that of the provider.
If you haven't checked out the other blogs in our AWS 101 series, don't miss taking a look!