Secure services and resources with AWS Identity and Access Management (Part 3)

In this multi-part article, we’re discussing how to use AWS Identity and Access Management (IAM) to create and manage users and groups and assign permissions to them so as to granularly control how they can access your AWS resources. In Part 1, we talked about IAM basics: how it works, users and groups, authentication and credentials. We then introduced the concept of IAM policies. In Part 2, we delved more deeply into the subject of IAM policies, permissions, and roles, as well as how to integrate IAM into a federated environment.

Using the AWS Management Console to work with managed policies

You’ll remember from our discussion in Part 2 that there are two types of policies, managed and inline, and that managed policies can be either AWS managed or customer managed. The AWS Management Console lets you attach managed policies to, and detach them from, users, groups and roles (the IAM identities a policy can be attached to).

Attaching and Detaching Managed Policies

There is a limit on how many managed policies you can attach to one of these identities. When managed policies were introduced the limit was two per user, group or role; today the default is ten, and it can be raised through a service quota increase, so check the current IAM quotas before you plan around it. Here’s how you attach a managed policy to an identity:

  1. The first step is to log onto the AWS Management Console with your AWS account credentials.
  2. Next, open the IAM console from the AWS Management Console’s list of services. If you haven’t logged onto the AWS Management Console first, at this point you’ll be prompted to log on or create an AWS account.
  3. Now in the IAM console’s navigation pane on the left-hand side, select Policies as shown in Figure 1.

Figure 1

  4. The console will display a list of your policies. You can use Filter and Search to make it easier to find the policy that you’re looking for.
  5. When you find the correct policy, click the check box beside its name.
  6. Now click Policy Actions.
  7. Click Attach.
  8. Next, specify the user, group or role to which you want to attach this policy. Again, you can use Filter and Search to help you find the right one. Select the appropriate entities.
  9. Click Attach Policy.

That’s the basic procedure; it’s that easy. To detach a policy, you follow essentially the same steps, substituting Detach for Attach.

Creating Customer-managed policies

Remember that you have more control to customize your policies and define the sets of permissions you want to attach to entities if you use customer-managed policies. The first step is to create them. Here’s how you go about doing that:

  1. As above, log onto the AWS Management Console and then the IAM console and click Policies in the left navigation pane.
  2. This time, select the Create Policy option.
  3. Now you need to select how you want to create the policy. There are three different ways to do this, varying in difficulty from easiest to most difficult. You can select to Copy an AWS Managed Policy from the existing policies list. You can create a policy using the Policy Generator to choose the options you want from a list, or you can Create Your Own Policy by pasting or typing the policy document into the editor tool.
  4. After you select the way that you want to create the policy, then you can customize it in the editor.
  5. Once you have the policy the way you want it, you need to validate it. Just click Validate Policy. If there are any errors in the syntax, etc., they will be displayed in a red box at the top of the screen so you can easily spot and correct them. The policy will be reformatted automatically if you have the Use autoformatting option checked.
  6. After the policy has been validated, then all you have to do is click the Create Policy button and this saves your policy.

Working with your managed policies

You can edit your customer-managed policies (you can’t edit AWS-managed policies). If you want to change the permissions that you’ve assigned in a policy, follow the same steps as above to find the policy that you want to edit, and then click Edit in the right-hand content pane (Policy Document row). You’ll need to validate it again before saving it. Saving creates a new version of the policy, and you have a choice as to whether to apply that new version to the users, groups and roles the policy is attached to, or to save it without changing what those entities can currently do. If you want to apply it to them, check the Save as default version option. If you don’t, clear that checkbox; the new version is then stored but has no effect until you make it the default.

The default version is the one that applies to every user, group or role the policy is attached to. You can switch the default to an existing version without editing the policy by scrolling to the Policy Versions section and checking Set as Default beside it. IAM keeps the previous versions so that you can roll back to one, but a customer-managed policy can hold at most five versions, so once you reach that limit you must delete an old version before you can save another. You can’t delete the version that is currently the default.

To delete a version, follow the steps above to find the policy, scroll to the Policy Versions section, click the check box beside the version you want to delete, and click Delete. AWS-managed policies are versioned by AWS, not by you: you can’t edit them, add versions to them or delete them. A customer-managed policy can be deleted as a whole by finding it in the AWS Management Console as described above, selecting Policy Actions and then clicking Delete. A policy can’t be deleted while it is still attached to any user, group or role, so detach it first; from the CLI (delete-policy) you also have to delete its non-default versions first.

Using the command-line interface (CLI)

At one time, Windows admins considered the graphical interface to be king. Those who spent most of their time in UNIX generally preferred to work in the “dark place” – at the command line. Today, Windows server administration has become more and more the province of PowerShell pros, so even Windows IT people have found that in many cases it’s faster and more efficient to perform administrative tasks via the command line.

Of course, there are disadvantages too. It’s easy to make a typo when you enter a long string of commands, rendering the whole thing invalid and resulting in an error message. Nevertheless, if you prefer working with your AWS IAM managed policies from the command line, Amazon has you covered: the AWS CLI exposes each operation as a subcommand of aws iam (for example, aws iam list-policies). Here are some of the more commonly-used commands for performing policy management tasks:

  • list-policies to get a list of your managed policies.
  • get-policy to retrieve detailed information about a managed policy
  • list-policy-versions to see a list of the different versions of a managed policy
  • get-policy-version to retrieve the policy document and detailed information about a particular version of a managed policy
  • list-entities-for-policy to find out which of the users, groups and roles are attached to a particular managed policy
  • list-attached-user-policies to find out which managed policies are attached to a particular user
  • list-attached-group-policies to find out which managed policies are attached to a particular group
  • list-attached-role-policies to find out which managed policies are attached to a particular role
  • attach-user-policy to attach a policy to a user
  • attach-group-policy to attach a policy to a group
  • attach-role-policy to attach a policy to a role
  • detach-user-policy to detach a policy from a user
  • detach-group-policy to detach a policy from a group
  • detach-role-policy to detach a policy from a role
  • create-policy to create your own customer-managed policy
  • create-policy-version to save an edited document as a new version of a customer-managed policy (add --set-as-default to make it the active version at the same time)
  • set-default-policy-version to set the default version of a customer-managed policy
  • delete-policy-version to delete a version of a customer-managed policy
  • delete-policy to delete a customer-managed policy

IAM Policy Simulator

If you’ve ever worked with permissions and policies in other aspects of IT, you know that sometimes it can be difficult to predict what the effect of the different policies attached to a particular user, group or role will be. You might be familiar with the Windows Resultant Set of Policy tool (RSoP), a management console snap-in that you can run to help you understand what the cumulative effect of multiple Group Policy Objects (GPOs) on a user or computer will be.

AWS IAM has something similar, the IAM Policy Simulator. It allows you to test the effect of the IAM policies attached to your users, groups and roles, or of a policy you haven’t attached yet, without making any real API calls, so you can confirm that they allow or deny exactly what you intended for a particular entity. The simulator is also available from the CLI as simulate-principal-policy (for the policies attached to an existing user, group or role) and simulate-custom-policy (for a policy document you supply). You can find out more about how the IAM Policy Simulator works and how to use it on the AWS web site.
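As an added example (not from the article or AWS), here is how the simulator can be turned into a pre-deployment check from the shell, using its two CLI entry points, aws iam simulate-custom-policy and aws iam simulate-principal-policy. simulate_document tests a document that isn’t attached to anything yet, simulate_principal tests the combined effect of everything attached to a user, group or role, and check_expectations fails the run if any action doesn’t get the decision you expect (allowed, explicitDeny or implicitDeny). It assumes a configured AWS CLI; the role and bucket ARNs are hypothetical placeholders.

```shell
#!/bin/sh
# Added example (not from the article or AWS): a regression check built on the
# Policy Simulator's CLI commands. Run it before making a new policy version the
# default. Assumes a configured AWS CLI; ARNs below are placeholders.
set -eu

# simulate_document DOCUMENT_JSON RESOURCE_ARN ACTION...
# Evaluate an unattached policy document. Prints one "action<TAB>decision" line
# per action; the decision is allowed, explicitDeny or implicitDeny.
simulate_document() {
  doc=$1; resource=$2; shift 2
  aws iam simulate-custom-policy \
    --policy-input-list "$doc" \
    --action-names "$@" \
    --resource-arns "$resource" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text
}

# simulate_principal PRINCIPAL_ARN RESOURCE_ARN ACTION...
# Same output, but for the combined effect of every policy already attached to
# the user, group or role.
simulate_principal() {
  principal=$1; resource=$2; shift 2
  aws iam simulate-principal-policy \
    --policy-source-arn "$principal" \
    --action-names "$@" \
    --resource-arns "$resource" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' \
    --output text
}

# decision_for RESULTS ACTION: pick one action's decision out of simulator output
# (empty if the action was not simulated).
decision_for() {
  printf '%s\n' "$1" | awk -v a="$2" '$1 == a { print $2 }'
}

# check_expectations RESULTS action=decision...
# Returns 0 when every listed action got the expected decision; otherwise prints
# each mismatch and returns 1. An action missing from RESULTS is a mismatch.
check_expectations() {
  results=$1; shift
  rc=0
  for pair in "$@"; do
    action=${pair%%=*}
    expected=${pair#*=}
    actual=$(decision_for "$results" "$action")
    if [ "$actual" != "$expected" ]; then
      printf 'MISMATCH %s: expected %s, got %s\n' \
        "$action" "$expected" "${actual:-<no result>}" >&2
      rc=1
    fi
  done
  return $rc
}

# Typical run; set IAM_EXAMPLE_RUN=1 to execute it against a real account. A
# reader role must be able to read objects but not delete them, both for the
# candidate document and for the role as it is attached today.
if [ "${IAM_EXAMPLE_RUN:-0}" = 1 ]; then
  object="arn:aws:s3:::my-reports-bucket/2015/q1.csv"
  candidate='{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:GetObject","Resource":"arn:aws:s3:::my-reports-bucket/*"}]}'
  results=$(simulate_document "$candidate" "$object" s3:GetObject s3:DeleteObject)
  check_expectations "$results" s3:GetObject=allowed s3:DeleteObject=implicitDeny
  results=$(simulate_principal arn:aws:iam::123456789012:role/ReportsReader \
    "$object" s3:GetObject s3:DeleteObject)
  check_expectations "$results" s3:GetObject=allowed s3:DeleteObject=implicitDeny
fi
```

Expecting implicitDeny rather than explicitDeny for s3:DeleteObject is deliberate: an implicit deny tells you the candidate policy simply grants nothing for that action, whereas an explicit deny would mean some other attached policy is actively blocking it, which is worth knowing before you change anything.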


In this, Part 3 of our series on AWS Identity and Access Management (IAM), we looked at how to create and manage IAM policies both using the graphical interface of the IAM console and using the command-line interface. Next time, in Part 4, we’ll wrap up the discussion with some tips on logging IAM events with AWS CloudTrail and how to troubleshoot IAM problems.
