Blog 8-SP21

AWS Identity and Access Management and Other Stuff Regarding It

We all know that Amazon Web Services offer a wide array of tools and services that ease most general IT tasks. It’s important to understand that Amazon has something called a Shared Respnsibility Model. Basically, you the user are responsible for maintaing the integrity of your data, and Amazon is responsible for the protection of said data while it’s in their services. One of the first ways to ensure proper data security, User groups and policies need to be applied within AWS. This is most often done in the AWS Identity and Access Management module.

The AWS Identity and Access Management service allows you to control who can access certain resources, which resources can be accessed, and how resources can be accessed. And geuss what… it’s free! One of the handful of services that Amazon provides to its users for absolutely 0 dollars. Ya kknow what they say, “if it’s free, it’s for meee”.

AWS IAM: Major Components

• IAM User, a person or application that can authenticate with an AWS account
• IAM Group, a collection of IAM users that granted identical authorization
• IAM policy, a defines which resources and services can be access and the level of access to each resource
• IAM role, a tool that allows you to grant a set of temporary permissions for making AWS service request, kinda like sudo in Linux

IAM Policies

Let me give you a little breakdown on the policy situation. An IAM policy is a document that defines persmissions for a user and/or user group. You can get super nitty and gritty with it. How? Because of of the two types of policies that can be implemented, identity-based and resources-based.

The identity-esque policy can be attached to any IAM “entity”. Meaning that identity based policy you just typed up can apply to an IAM User, Group, or Role. From here, you can speicfy what actions can and cannot be performed. You can also apply this policy to multiple entities, vice-versa.

The other kind of policy is a Resource-based policy. With such a cryptic title I can only imagine that this type of policy can be applied to a specific AWS function. Wow.

AWS IAM Multi Factor Authentication

This tool will require your AWS users to have an additional form of making sure they are who they say they are, essentially. MFA will definitely increase the security of your system, by just making it more difficult to break into an AWS account. The additional authentication method could be a specific MFA item given to the user. You can use Google Authenticator, or a U2F security key device. It’s quite a versatile tool.

Best Practices

When it comes to IAM, and any other user & policy management system, the best practice is to follow the Principle of Least Priviledge. You see, the idea is that when creating a policy to a user or group of users it is best to provide with the least amount of permissions. This will narrow down that user’s or groups’ workflow while simultaneously narrowing the chance of a security breach causing major damage to your system. This is one of the fundamentals of computer information security, so it’s pretty important.