AWS Made Easy

Tip #10: How can I use IAM policies to secure my AWS cloud?

An overview of what IAM policies are, and how you can use them

The primary security control mechanism in AWS is the Identity and Access Management (IAM) service. It decides who is authenticated (which principal is making the request, and has proven that identity) and who is authorized (which principals have permission) to use a resource.

You can create individual IAM users within your AWS account instead of sharing the root user credentials with others. Each such user has his/her own password and individual access keys, and the root user itself is then reserved for the few tasks that require it.

You can also group IAM users into an IAM group and attach IAM policies to the group.

An IAM service role is a role that an AWS service, such as EC2, assumes on your behalf. An EC2 instance profile is a container for an IAM role that gives the application running on an EC2 instance temporary credentials to access other resources, so no long-lived access keys need to be stored on the instance.

The main value of IAM is its ability to grant access to a resource without sharing passwords or access keys, which is the basis of stronger cloud security.

The service is based upon IAM Policies:

  • An IAM policy is a JSON document that authorizes a principal to perform an action on a resource
  • A resource is an entity you can create in AWS, e.g. a DynamoDB table or an EC2 instance – resources are uniquely identified by an Amazon Resource Name (ARN), e.g. arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1 for an RDS MySQL instance
  • An action is an operation performed on a resource, such as s3:GetObject to read an object from an S3 bucket
  • The principal is the user, group, role, or application making the request
  • The environment data is the additional context of the request, e.g. source IP address, user agent, time of day etc., which policies can test in a Condition element

An IAM policy is attached either to an identity (a user, group or role: an identity-based policy) or to a resource (e.g. an S3 bucket policy: a resource-based policy, which must also name the principal it applies to).

The evaluation logic for IAM policies is as follows:

  1. By default, all requests are denied (implicit deny)
  2. An explicit allow in an applicable policy overrides the default
  3. A permission boundary limits that allow
    1. A permission boundary defines the maximum permissions a principal can have
    2. If a permission boundary applies, the boundary must also allow the request – otherwise it is implicitly denied, even if an identity policy allows it
  4. An explicit deny in any applicable policy overrides every allow

Service control policies (SCPs) and session policies cap permissions in the same way as a boundary, and an explicit deny in any of them wins as well.
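To make the policy elements above and the evaluation order concrete, here is an added example (not code from the original post, and not AWS's own evaluator) that loads a constructed identity policy and a constructed permissions boundary and evaluates sample requests against them in the order described: explicit deny, then boundary, then explicit allow, then default deny. The account ID 123456789012, the bucket example-reports, the table Orders and the corporate CIDR 203.0.113.0/24 are placeholders; only the Action, Resource, IpAddress/NotIpAddress and StringEquals/StringNotEquals elements are implemented, and resource-based policies, NotAction/NotResource and SCPs are left out.

```python
import fnmatch
import ipaddress
import json

# Constructed sample identity-based policy (placeholder ARNs and CIDR, not from the page).
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
    {"Sid": "ManageOrdersTable", "Effect": "Allow",
     "Action": "dynamodb:*",
     "Resource": "arn:aws:dynamodb:us-east-2:123456789012:table/Orders"},
    {"Sid": "DenyOutsideCorpNetwork", "Effect": "Deny",
     "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}
  ]
}
""")

# Constructed permissions boundary: caps the principal at S3 only, whatever the identity policy says.
PERMISSIONS_BOUNDARY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
""")


def _as_list(value):
    """IAM allows a string or a list of strings in Action/Resource/condition values."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' and '?'. Action names are case-insensitive, ARNs are not."""
    if ignore_case:
        return fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate a subset of condition operators against the request context (environment data).
    Keys under one operator are ANDed, values for one key are ORed.
    A missing context key fails positive operators and satisfies negated (Not*) ones."""
    for operator, pairs in condition.items():
        negated = "Not" in operator
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = _as_list(expected)
            if actual is None:
                matched = False
            elif operator in ("IpAddress", "NotIpAddress"):
                ip = ipaddress.ip_address(actual)
                matched = any(ip in ipaddress.ip_network(c, strict=False) for c in expected_values)
            elif operator in ("StringEquals", "StringNotEquals"):
                matched = actual in expected_values
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if matched == negated:
                return False
    return True


def _statement_applies(stmt, action, resource, context):
    if not any(_match(p, action, ignore_case=True) for p in _as_list(stmt.get("Action", []))):
        return False
    if not any(_match(p, resource) for p in _as_list(stmt.get("Resource", []))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def _effects(policy, action, resource, context):
    """Set of Effects ('Allow'/'Deny') of the statements that apply to this request."""
    return {s["Effect"] for s in policy["Statement"] if _statement_applies(s, action, resource, context)}


def evaluate(action, resource, context, identity_policies, boundary=None):
    """Return (decision, reason) following the evaluation order: explicit deny, boundary, allow, default deny."""
    all_policies = list(identity_policies) + ([boundary] if boundary else [])
    if any("Deny" in _effects(p, action, resource, context) for p in all_policies):
        return "Deny", "explicit deny"
    if boundary is not None and "Allow" not in _effects(boundary, action, resource, context):
        return "Deny", "not allowed by permissions boundary"
    if any("Allow" in _effects(p, action, resource, context) for p in identity_policies):
        return "Allow", "explicit allow"
    return "Deny", "implicit deny (no matching Allow)"


def demo():
    """Constructed requests covering each branch of the evaluation logic."""
    corp, outside = {"aws:SourceIp": "203.0.113.5"}, {"aws:SourceIp": "198.51.100.7"}
    report = "arn:aws:s3:::example-reports/q1.csv"
    orders = "arn:aws:dynamodb:us-east-2:123456789012:table/Orders"
    return {
        "read_report_from_corp": evaluate("s3:GetObject", report, corp, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY)[0],
        "read_report_from_outside": evaluate("s3:GetObject", report, outside, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY)[0],
        "write_report": evaluate("s3:PutObject", report, corp, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY)[0],
        "dynamodb_with_boundary": evaluate("dynamodb:PutItem", orders, corp, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY)[0],
        "dynamodb_without_boundary": evaluate("dynamodb:PutItem", orders, corp, [IDENTITY_POLICY])[0],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows the four outcomes side by side: the S3 read from the corporate range is allowed, the same read from outside hits the explicit deny even though an allow matches, the S3 write has no allow at all and falls to the default deny, and the DynamoDB write is allowed by the identity policy but implicitly denied once the S3-only boundary is attached. The real service evaluates far more than this (resource-based policies, SCPs, session policies, policy variables, many more condition operators), so treat it as a model of the ordering, not as a substitute for the IAM policy simulator.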

For more information about IAM policies and AWS security, we recommend watching AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) – YouTube.

The key reference is Policies and permissions in IAM – AWS Identity and Access Management (amazon.com).
