AWS IAM:
Definition of IAM
Components of AWS IAM
Anything you create from an AWS service is a resource, and it is owned by you.
Every resource you create has an identity in that account, which is called an ARN: Amazon
Resource Name.
AWS Account: a container used by AWS customers to access AWS services, from which they
create and manage their resources.
⇒ Email address
⇒ Password
⇒ Billing details
====> Root user for that account: the owner of the AWS account; it can do everything in
that account.
NB: As a security practice, do not use the root user to manage the account. Do not share the
root user credentials with anyone.
When an AWS account is created it is assigned an account ID.
AWS IAM → Identity and Access Management: IAM is the service that governs
authentication and authorisation into an AWS account.
Authentication: the process of verifying and validating that you are who you say you are,
i.e. the ability to validate someone's identity.
====> AWS IAM has 4 components:
- IAM user
- IAM group
- IAM policy
- IAM role
====> Authentication into an AWS account CAN ONLY be performed by AWS identities.
Identity: an identity is an entity created in IAM that has the ability to authenticate into an AWS
account.
There are 3 identities in AWS IAM: user, group and role.
⇒ IAM user: an identity that is created and provided to someone or an application so
that it can authenticate into an AWS account, either:
- through the management console (username and password), or
- through programmatic access (access keys and secret keys).
⇒ IAM group: a group is used to manage IAM users.
A user can be attached to a group and detached from a group. A user can belong to
multiple groups.
When a user is in a group, any permission assigned to the group is inherited by
the user. When the user is removed from the group, all the permissions inherited
from the group are lost.
Example: in a scenario where several users perform the same task, it is better to put
all of them into a group. Instead of assigning the same permission to each user individually,
the permissions are assigned to the group and the users inherit them.
How do we give identities permissions on AWS? How do we authorise identities to
perform actions on services in the account?
Authorisation: the process of giving identities permissions to perform their job
functions. In the case of AWS, authorisation is the process of assigning policies to identities so
that they can perform actions on services and resources in the account.
⇒ Policy: a policy is a document written in JSON that defines the level of permissions
an identity has on an AWS resource in that account. A policy can be used to allow or deny
actions from being performed on a service or resource.
-> Identity based policy:
This is a policy that is attached to AWS identities.
There are 3 types of identity based policies:
- AWS managed policy: a policy that is created and managed by AWS. It is
available in all AWS accounts, and we can attach these policies to our identities. We cannot
change its content; only AWS can, because it is owned by AWS.
- Customer managed policy: a policy that you, the customer, create, own and
manage. This policy can be attached to multiple identities.
- Inline policy: a policy created by the customer and embedded in a single
identity. The lifetime of the policy depends on the lifetime of the identity the policy is
attached to: if the identity is deleted, the policy is automatically deleted.
====>> Components of an Identity Policy Document:
{
  "Version": "the version of the policy document language the policy is written in",
  "Statement": [
    {
      "Sid": "id of the statement",
      "Effect": "Allow or Deny",
      "Action": "the actions that are allowed or denied",
      "Resource": "id (ARN) of the resource or service that the above actions are allowed or denied to be performed on",
      "Condition": "optional; determines whether the statement takes effect or not. The statement only applies once the condition is met"
    }
  ]
}
→ Resource based policy:
A resource based policy is a policy that is attached to AWS
resources other than IAM identities. It is another way to
control access to the resource the policy is attached to.
Only a few services have resources that permit the use of
resource based policies, like S3 buckets, SQS queues, SNS
topics, Lambda functions, etc.
====>> Components of a Resource Policy Document:
{
  "Version": "the version of the policy document language the policy is written in",
  "Statement": [
    {
      "Sid": "id of the statement",
      "Effect": "Allow or Deny",
      "Principal": "the identities that are allowed or denied from performing the actions on the resource the policy is attached to",
      "Action": "the actions that are allowed or denied",
      "Resource": "id (ARN) of the resource or service that the above actions are allowed or denied to be performed on",
      "Condition": "optional; determines whether the statement takes effect or not. The statement only applies once the condition is met"
    }
  ]
}
The principal can be AWS identities or AWS accounts.
<<<====>> ROLES <<=======>>
A role is an identity on AWS.
A role is an identity that contains permissions and can be used in the following ways:
1) Roles are attached to resources other than identities in order for them to
communicate with other AWS services.
2) A role can be assumed by other AWS identities to perform actions in the same account or in
another account. An identity can only assume a role through STS (Security Token
Service).
STS is a service that grants temporary access.
3) A role can be assumed by external identities, i.e. identities from sources other than AWS,
in order to perform actions on resources in AWS. For example, identities from
Okta, Active Directory, Google Workspace, GitHub, etc.
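The policy documents and evaluation rules from the policy components, resource based policy and roles sections above, modelled as a small Python program. This is an added example, not AWS code and not part of these notes; it calls no AWS API. The policy documents, the bucket and role ARNs, the account ids 111111111111 and 222222222222, the user names and the request contexts are all constructed for illustration, and the evaluator only supports the StringEquals and Bool condition operators and the "*" wildcard matching these examples need.

```python
"""Toy model of how AWS evaluates identity-based policies, resource-based policies
and a role trust policy. Added example, not AWS code; it calls no AWS API. All
policies, ARNs, account ids and request contexts below are constructed."""
import fnmatch

# Constructed identity-based policy attached to user 'analyst' in account 111111111111.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "DenyDeleteWithoutMfa", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Constructed resource-based (bucket) policy owned by account 111111111111.
# Unlike an identity policy it names the Principal it applies to.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:user/partner"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}

# Constructed identity policy that account 222222222222 attached to its own users.
PARTNER_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed trust policy of a role in account 111111111111: a resource-based policy
# saying who may assume the role via STS (trust policies carry no Resource element).
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::222222222222:user/partner"}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_any(patterns, value, fold=False):
    # Policy elements accept '*' wildcards; actions match case-insensitively, ARNs do not.
    patterns = _as_list(patterns)
    if fold:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _principal_matches(principal, request):
    if principal is None or principal == "*":   # identity policies carry no Principal
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or request["principal"] in allowed

def _condition_holds(condition, context):
    # Supports StringEquals and Bool; a key missing from the request context fails the test.
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in pairs.items():
            if key not in context or str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, request):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    outcome = None
    for st in policy["Statement"]:
        if (_principal_matches(st.get("Principal"), request)
                and _match_any(st["Action"], request["action"], fold=True)
                and _match_any(st.get("Resource", "*"), request["resource"])
                and _condition_holds(st.get("Condition"), request.get("context", {}))):
            if st["Effect"] == "Deny":
                return "Deny"            # an explicit Deny always wins
            outcome = "Allow"
    return outcome

def is_allowed(request, identity_policy, resource_policy=None):
    """Default deny. An explicit Deny in either policy wins. Otherwise a same-account
    request needs an Allow from either policy; a cross-account request needs an Allow
    from the caller's identity policy AND from the resource's own policy."""
    results = [evaluate(identity_policy, request)]
    if resource_policy is not None:
        results.append(evaluate(resource_policy, request))
    if "Deny" in results:
        return False
    caller_account = request["principal"].split(":")[4]   # arn:aws:iam::ACCOUNT:user/name
    if caller_account == request["resource_account"]:
        return "Allow" in results
    return resource_policy is not None and all(r == "Allow" for r in results)

if __name__ == "__main__":
    req = {"principal": "arn:aws:iam::111111111111:user/analyst", "action": "s3:DeleteObject",
           "resource": "arn:aws:s3:::example-reports/q1.csv", "resource_account": "111111111111",
           "context": {"aws:MultiFactorAuthPresent": "false"}}
    print(is_allowed(req, IDENTITY_POLICY))                                 # False: explicit Deny (no MFA)
    print(is_allowed({**req, "action": "s3:GetObject"}, IDENTITY_POLICY))  # True
```

The three outcomes worth noticing: the delete with MFA absent is refused by the explicit Deny even though nothing else forbids it; the delete with MFA present is still refused because no statement allows it (default deny); and the partner in account 222222222222 can read the object only while both its own identity policy and the bucket policy allow it, which is why removing the partner from the bucket's Principal is enough to cut off cross-account access.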
<<<================>> AWS IAM BEST PRACTICES <<=====>>
1) Manage IAM users in IAM groups.
2) Enable MFA for all IAM users who have console based access to the AWS account.
MFA: Multi Factor Authentication: a practice that requires users to provide multiple
forms of identity (2 or more) before they are allowed to authenticate to a system or to an
account.
3) Manage our accounts in Organizational Units.
4) AWS recommends the use of AWS SSO (Identity Center) rather than IAM users.
5) Practice the principle of least privilege: "Identities should only be given the minimum
permissions needed to carry out their job function."
6) Make use of customer managed policies rather than AWS managed policies.
Hands On Exercises: