Getting Started with AWS (Part 4)

If you would like to read the other parts in this article series please go to:

Introduction

So far in this series we have described the free usage tier of Amazon Web Services (AWS) and how you can sign up for it so you can test drive AWS for 12 months. We then examined the various management and development tools provided by Amazon for creating and managing cloud resources on AWS. Then we described some steps you can take to secure your AWS account and limit the damage should it become compromised. This article introduces AWS Identity and Access Management (IAM), a web service that enables you to create and manage users and assign user permissions for your AWS cloud environment.

Why IAM?

System administrators of Windows Server-based environments know that using the default Administrator account for performing day-to-day tasks is not a very good idea. It’s better instead to create individual accounts for each admin-level user and then make these accounts members of the admin-level or operator-level groups for the domain, or on specific servers as needed, so that they can perform the tasks their role requires on those servers.

In the same way, allowing ordinary users to log on to their Windows client computers using the default Administrator account on their machine is also a bad idea. The reason it’s bad of course is that if the user should be browsing the web or checking email while logged on as Administrator and they download a virus or open a malicious attachment, their system can be compromised. And if an attacker gains admin-level privileges on a computer, the only way to be sure the problem is resolved is to wipe the machine and reinstall everything from scratch.

Windows administrators also know that it’s better to assign permission to groups instead of to users when you want to control how much access individual users have to particular resources in your environment. In other words, best practice for managing identity and granting resource access in Microsoft Active Directory environments is as follows:

  1. Create different groups for different purposes, for example Full Admins, Database Admins, Server Operators, Support Staff, Standard Users, Guest Users, and so on. Sometimes you can repurpose an existing built-in group for such purposes, but often it’s better to create your own groups instead.
  2. Assign the appropriate permissions to each group to grant members of the group access to different network resources such as shared folders, SharePoint sites, printers, scanners, web applications, web portals, and so on.
  3. Make users members of the appropriate groups in order to grant them the level of access to resources they need to do their assigned job in the organization. You can also make computer accounts members of the appropriate groups to control which resources machines can reach within your network.

As the diagram in Figure 1 illustrates below, AWS Identity and Access Management (IAM) functions in a similar way to what has been described above for Active Directory except now we’re talking about managing identities and accessing resources that are in the cloud instead of in a traditional on-premises Active Directory environment. But IAM uses Amazon AWS technologies, so while it’s similar to Active Directory in some respects it functions differently and is a different technology under the hood. It’s possible however to federate your AWS environment with Active Directory Federation Services (AD FS) by linking Security Assertion Markup Language (SAML) providers with IAM roles. This can be useful for enterprises that want to integrate their on-premises Active Directory environment with applications and services running in AWS, but it’s an advanced topic that we’ll have to leave for a future article here on InsideAWS.com. In the meantime let’s learn the basics about IAM and learn how to use it to get started off on the right foot with our AWS free usage tier environment.

Figure 1: Managing identity and access to AWS resources with IAM.

Understanding IAM

First off, here are some of the kinds of tasks you can perform using IAM:

  • You can create IAM users and groups and make users members of groups. A user in IAM parlance is an entity that represents either a person or an application or service running in the AWS cloud. In other words, a user is an identity with credentials; permissions are assigned to that identity so that whatever it represents can act on AWS. You can compare this with Active Directory, which has user accounts, service accounts, computer accounts and so on.
  • You can assign long-term security credentials to users and to groups. These security credentials are unique and include passwords, access keys and key pairs as follows:
    • A password allows the user to securely sign in to AWS and access the AWS Management Console and other resources for performing the tasks they have permission to perform.
    • An access key allows the user to use AWS application programming interfaces (APIs) to issue service requests.
    • A key pair and X.509 certificate enables the user to utilize Amazon CloudFront APIs for managing content distribution.
  • Long-term security credentials can be assigned to users in a couple of different ways:
    • Through the AWS Management Console
    • With the AWS Command-Line Interface (CLI)
    • By using AWS APIs
  • Long-term security credentials can also be revoked when they are no longer needed.
  • For enhanced security IAM also lets you implement Multi-Factor Authentication (MFA). This means for example that you can require that a user who signs into an AWS resource must provide two types of credentials:
    • Their IAM user name and password
    • A token such as a smartcard, keyfob or virtual smartcard
  • You can also assign temporary credentials to users by creating and assigning roles. Such credentials expire after a predefined period of time and are useful for example when you need to grant an application temporary access to cloud resources.

Some other things you need to know about IAM include:

  • IAM is secure by default. What this means is that when you create your new AWS account, there are initially no IAM users present in your AWS environment. And when you create new users, they initially have no access to any resources in your AWS environment until you explicitly grant them permissions, which is usually done by assigning permissions to groups and then adding the users to the appropriate groups.
  • You must create IAM users if you want to do any of the following in your AWS environment:
    • Use the AWS CLI
    • Use roles
    • Use federation with Active Directory, Google, Facebook, or another third-party identity service.
    • Use web identity federation
  • IAM permissions are assigned through policies. To grant a user the permission they need to access an AWS resource and perform some task with the resource, you attach a policy to the user or, preferably, attach the policy to a group and then make the user a member of that group. IAM policies can specify any or all of the following:
    • An action that the user or group can perform.
    • The resources that the action can be performed upon.
    • Whether to allow or deny the action to be performed.
    • Any additional conditions that must be in place before the policy can take effect.
  • IAM permissions are usually assigned to groups in order to provide users that are members of those groups (regardless of whether the users are actual people or applications, services or systems running in the cloud) with some specific level of access to AWS resources. Some typical examples of IAM users include:
    • Privileged administrators who manage portions (or all) your AWS environment and its resources.
    • End-users who need access to your applications and services running in AWS.
    • Systems that need to use AWS APIs to programmatically access applications and services running in AWS.
  • IAM permissions can be very granular in what they specify. This means, for example, that you could use IAM to allow a particular user a particular level of access to a particular instance running in the Amazon EC2 cloud. But granularity can also be a pain, because you don’t want to have to assign dozens of permissions to a user just so they can have some general level of access to a range of different applications running on various AWS services. So to offset the cost of that granularity, IAM also provides templates for assigning permissions, as you’ll see in the next article of this series.
  • Finally, IAM is free, which means you can use it with all of the AWS free usage tier service offerings without the fear of incurring any costs.
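To make the policy elements listed above concrete, and to show what "secure by default" and an MFA requirement look like in practice, here is an added example that is not from the article or from AWS. It embeds a constructed policy document (the account id 111122223333 and instance id i-EXAMPLE0001 are placeholders) and a deliberately small Python evaluator that models three real IAM decision rules: a request matched by no statement is denied by default, an explicit Deny always overrides an Allow, and a condition written with an `...IfExists` operator is treated as satisfied when its key is absent from the request (which is why AWS documentation uses `BoolIfExists` with the real `aws:MultiFactorAuthPresent` key). Only the `StringEquals` and `Bool` operators are implemented; the real engine also considers resource policies, permission boundaries and organization controls that this model leaves out.

```python
"""Simplified model of IAM policy evaluation (teaching example, not AWS code)."""
import fnmatch
import json

# Constructed policy document. It allows read-only EC2 calls anywhere, allows
# start/stop on one specific instance, and denies the instance-changing calls
# unless the caller authenticated with MFA.
POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyEc2",
      "Effect": "Allow",
      "Action": ["ec2:Describe*"],
      "Resource": "*"
    },
    {
      "Sid": "ManageOneInstance",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE0001"
    },
    {
      "Sid": "DenyInstanceChangesWithoutMfa",
      "Effect": "Deny",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
"""
POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    # IAM accepts either a single string or a list in Action/Resource/values.
    return value if isinstance(value, list) else [value]


def _match_any(patterns, value):
    # Action and Resource elements support * and ? wildcards; fnmatch covers those.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Return True when every operator/key pair in the Condition block matches."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        if base not in ("Bool", "StringEquals"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                # Missing key: IfExists variants evaluate to true, plain ones to false.
                if if_exists:
                    continue
                return False
            norm = (lambda v: str(v).lower()) if base == "Bool" else str
            if norm(context[key]) not in [norm(e) for e in _as_list(expected)]:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Decide one request. Returns (effect, sid); sid is None for the default deny."""
    context = context or {}
    allow_sid = None
    for stmt in _as_list(policy["Statement"]):
        if not _match_any(stmt["Action"], action):
            continue
        if not _match_any(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")  # explicit deny wins over any allow
        allow_sid = allow_sid or stmt.get("Sid")
    if allow_sid is not None:
        return "Allow", allow_sid
    return "Deny", None  # nothing matched: denied by default


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:111122223333:instance/i-EXAMPLE0001"
    for act, res, ctx in [
        ("ec2:DescribeInstances", inst, {}),
        ("ec2:StopInstances", inst, {}),
        ("ec2:StopInstances", inst, {"aws:MultiFactorAuthPresent": True}),
        ("ec2:TerminateInstances", inst, {"aws:MultiFactorAuthPresent": True}),
    ]:
        print(f"{act:24} mfa={ctx.get('aws:MultiFactorAuthPresent')!s:5} -> {evaluate(POLICY, act, res, ctx)}")
```

Running the script shows the four outcomes a practitioner should expect: the describe call is allowed by `ReadOnlyEc2`; stopping the instance without MFA in the request context hits the explicit deny; the same call with MFA present is allowed by `ManageOneInstance`; and terminating the instance is denied with no statement id at all, because no Allow ever mentions that action. Attaching this document to a group rather than to each user, as the article recommends, does not change how the decision is made, only how many places you have to edit later.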

Conclusion

Now that we understand a bit about the basics of IAM, the next article in this series will walk you through the steps of creating users and groups and assigning permissions using policies.
