The primary AWS security control mechanism is the AWS Identity and Access Management (IAM) service. It controls who is authenticated (who has a known identity) and authorized (who has permissions to access) to use a resource.
You can create individual IAM user accounts within your account instead of sharing the AWS root user credentials with others. Each such user would have his/her own password and individual access keys.
You can also group IAM users into an IAM group and attach IAM policies to the group.
An IAM service role is a role that an AWS service, such as EC2, assumes. An EC2 instance profile is a container for an IAM role that provides your application running on an EC2 permissions to access other resources.
The principal value of the IAM is its ability to grant access to a resource without sharing passwords or access keys, thus providing stronger cloud security.
The service is based upon IAM Policies:
- An IAM policy is a JSON document providing authorization to perform an action on a resource for a principal
- A resource is an entity you can create in AWS, e.g. a DynamoDB table or an EC2 instance – all resources are uniquely identified by Amazon Resource Name (ARN), e.g. arn:aws:rds:us-east-2:123456789012:db:my-mysql-instance-1 for an RDS MySQL instance
An action is an operation to perform on a resource, such as to access an S3 bucket
The principal is the user, group, role, or application making the request
- The environment data is the additional context of the operation, e.g. IP address, user agent etc
An IAM policy can be either associated with an identity or a resource:
- Identity-based IAM Policies are associated with an IAM user, group, or role – see the examples of IAM identity-based policies
- Resource-based IAM Policies are attached to a resource, such as an S3 bucket – check the list of AWS services supporting the resource-based policies
The evaluation logic for IAM policies is as follows:
- By default, all requests are denied
- An explicit allow overrides the default
- A permission boundary overrides the allow
- Permission boundary can limit maximum permission a principal can have
- If a permission boundary applies, the boundary must allow the request – otherwise it’s implicitly denied
- An explicit deny overrides any allow
For more information about IAM policies and AWS security, we recommend watching AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) – YouTube.
The key reference is Policies and permissions in IAM – AWS Identity and Access Management (amazon.com).