Wednesday 11 May 2022

AWS Identity and Access Management (IAM)

AWS users:
  • Root user - account owner that performs tasks requiring unrestricted access
    • created when you sign up for AWS for the first time
    • uses e-mail address and password
    • has complete admin privileges
    • can be used to manage any service within AWS but this is not recommended; this user is like root user on Unix systems or admin on Windows and should be used only for special tasks
    • used to log in to AWS Management console where it can create other users (IAM users); this is actually recommended use of root user
  • IAM user - user within an account that performs daily tasks 
    • 2 types of access can be configured for it:
      • Access to the AWS Management Console
        • requires username and password
      • Programmatic access used to interact programmatically in Terminal on Unix and PowerShell in Windows
        • requires Access Key ID and Secret Access Key
        • can't be used to log in to AWS Management Console

When user is created, AWS assigns to it the least privilege permissions. Permissions are assigned to users and user groups. Permissions define what user can and can't do. 

Permissions are defined within IAM policies. Permissions are not attached to users directly but via policies. Policies get attached to users and user groups. 

A policy defines the AWS permissions that can be assigned to a user, group or role.

IAM policies can be:
  • AWS-managed
  • custom (customer-managed)
Policy Example: AdministratorAccess policy allows admin access to all resources and services. It is managed by AWS.

IAM policies are defined in JSON format: IAM JSON policy elements reference - AWS Identity and Access Management. IAM policies can be created and managed in visual editor and using JSON.

AdministratorAccess policy:

    "Version": "2022-05-11",
    "Statement": [
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"

Asterisk (*) means "all". Allow all actions on all resources.

There are many AWS-managed policies. Each of them is meant to be attached to a user with specific job role. Examples:
  • AdministratorAccess - administrator
  • Billing - view billing information, setup and manage payments
  • DatabaseAdministrator - DB admin
  • NetworkAdministrator - network admin
  • ViewOnlyAccess - view-only user

If multiple users need to have same permissions, they need to have attached multiple policies e.g. AmazonEC2FullAccess and AmazonS3FullAccess. Instead of attaching policies to each user, we can create IAM User Group, make these users its members and then attach these policies to this group. User groups allow managing policies of multiple users at once. Using groups is a best-practice way to manage users' permissions by job functions, AWS service access or your custom permissions. We can still attach policies to individual users.

How to manage permissions of services? E.g. what if EC2 instance needs to access S3 bucket. By default, just like users, resources don't have permissions to access other resources. Unlike users, we can't attach IAM policies to resources. We need to create IAM roles. IAM roles define access permissions for a resource. We need to create e.g. S3Access role and attach to it IAM policy AmazonS3FullAccess that we used for the user group. Then we attach this role to EC2 instance of interest.

IAM roles are a secure way to grant permissions to entities that we trust:
  • IAM users in another account
  • Application code running on an EC2 instance that needs to perform actions on AWS resources
  • An AWS service that needs to act on resources in your account to provide its features
  • Users from a corporate directory who use identity federation with SAML

IAM roles are used to provide access:
  • from one AWS service to another
  • to IAM user belonging to another AWS account
  • to applications to interact with services in AWS
  • to users managed outside AWS e.g. by Active Directory
Example of custom-made policy: the one which allows user to create and delete tags on EC2 instance:


    "Version": "2022-05-11",
    "Statement": [
            "Effect": "Allow",
            "Action": [
            "Resource": "*"

Creating a User and User Group in AWS Management Console

Log in to AWS Management Console with your root account.

Security, Identity and Compliance >> IAM
IAM service does not depend on the region so region is set to Global. Users, groups and roles are available in all regions.

Account Management >> Users >> Add User
We need to provide: 
  • User name
  • Desired Access type (both can be selected):
    • Programmatic access - enables access key ID and secret access key for the AWS API, CLI, SDK and other development tools
    • AWS Management Console access - enables a password that allows users to sign-in to the AWS Management Console
      • Require password reset - enable so user must create a new password at next sign-in. Users automatically get the IAMUserChangePassword policy to allow them to change their own password.
Next >> Permissions

Set permissions has 3 tabs:
  • Add user to group
  • Copy permissions from existing user
  • Attach existing policies directly
Next >> Tags

IAM Tags are key-value pairs you can add to your user. Tags can include user information such as an e-mail address, or can be descriptive, such as a job title. 

Next >> Review >> Create User

Add user - Success page: this is the only place and time when we can see/access/download the secret access key. We can download it within .csv file. 

Account Management >> Users: select user => Summary page
Summary page tabs:
  • Permissions
    • Add permissions (button); this can be done in 3 ways:
      • Add user to group
        • Create Group (button); shows list of all policies; we need to check those that we want to be attached to this group and then press button "Create group"
      • Copy permissions from existing user
      • Attach existing policies directly
        • check the desired policy 
    • Policies list:
      • for each policy we can see policy summary and JSON
  • Groups
  • Tags
  • Security Credentials
  • Access Advisor

Access Management >> Groups, select group => Summary page

Summary page has 3 tabs:
  • Users
  • Permissions
    • Attach Policy (button)
  • Access Advisor

Creating a Policy in AWS Management Console

Access Management >> Policies
Page shows:
  • Create Policy button - for creating a custom policy
    • Create Policy page has 2 tabs:
      • Visual Editor
        • We need to choose the service that the policy will be applicable for e.g. EC2
        • We then need to choose actions allowed in chosen service
          • Access level:
            • List
            • Read
            • Tagging
            • Write
            • Permissions management
        • We then need to choose resources this policy can be applied on
      • JSON
    • Review: 
      • set the name of the policy
      • set the description of the policy
  • list of all existing policies

Creating a Role in AWS Management Console

Access Management >> Roles; main page contains:
  • Create role (button)
    • Select type of trusted entity:
      • AWS Service (EC2, Lambda, ...) - allows AWS service to perform actions on our behalf e.g. EC2 or Lambda to call AWS services on our behalf
      • Another AWS account
      • Web identity (Cognito or OpenID provider)
      • SAML federation (corporate directory)
    • Add tags
    • Review
  • list of all roles

Programmatic Access

AWS CLI is an open source tool that allows interacting with AWS services using command line tools like Unix shell or Terminal and PowerShell in Windows. 

Installing AWS CLI on Mac

To verify installation:

% which aws

% aws --version
aws-cli/2.6.3 Python/3.9.11 Darwin/20.5.0 exe/x86_64 prompt/off

Configuring AWS CLI

% aws configure
AWS Access Key ID [None]: 
AWS Secret Access Key [None]: 
Default region name [None]: 
Default output format [None]: 

AWS Access Key ID and Secret Key are those that are downloaded when user was created. ID can be visible after that but secret key can be found only in downloaded file, it can be unveiled in AWS Management Console. 

For default region name we might want to put geographically closest region to our location. 

Default output format can be yaml, JSON, text or table.
$ ls  /home/bojan/.aws
config  credentials
$ cat  /home/bojan/.aws/config
region = eu-west-1
output = json

$ cat  /home/bojan/.aws/credentials
aws_access_key_id = ABC...DEF
aws_secret_access_key = DFCdfsg...sdceD

To check what region has been set:
$ aws configure get region 
To check what Access Key ID and Secret Key have been set:
$ aws configure get aws_access_key_id

$ aws configure get aws_secret_access_key
How to maintain multiple AWS accounts on the same machine?
We need to use profiles. As we can see in the config files above, default is the default profile. To add a profile named e.g. profile2:

$ cat  /home/bojan/.aws/credentials
aws_access_key_id = ABC...DEF
aws_secret_access_key = DFCdfsg...sdceD

aws_access_key_id =

In order to use profile2 we need to use --profile switch to specify it
$ aws [command] [sub-command] --profile profile2

To avoid repeating this, we can set AWS_PROFILE environment variable to desired profile:
$ export AWS_PROFILE=profile2


AWS CLI command syntax:

$ aws
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

<command> is usually a service we want to interact with e.g. iam
<subcommand> specifies which operations to perform e.g. create-user

Example: creating a user

$ aws iam create-user --user-name test-user-1
    "User": {
        "Path": "/",
        "UserName": "test-user-1",
        "UserId": "AIDBBQ3OFFXCBT3AQWDK7",
        "Arn": "arn:aws:iam::136201378220:user/test-user-1",
        "CreateDate": "2022-05-12T11:55:25Z"

Arn = Amazon Resource Name, a unique name assign to every resource in AWS

To see help for each command or subcommand:

$ aws iam help
$ aws iam create-user help

Example: list users

$ aws iam list-users
    "Users": [
             "Path": "/",
             "UserName": "test-user-1",
             "UserId": "AIDBBQ3OFFXCBT3AQWDK7",
             "Arn": "arn:aws:iam::136201378220:user/test-user-1",
             "CreateDate": "2022-05-12T11:55:25Z"

If using LocalStack:
$ aws --endpoint http://aws:4566 iam list-users

Example: deleting a user:

$ aws iam delete-user --user-name test-user-1


Example: attaching a policy to a user:

$ aws --endpoint http://aws:4566 iam attach-user-policy --user-name amelia --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Example: creating a group:

$ aws --endpoint http://aws:4566 iam create-group --group-name project-calabria-developers               {
    "Group": {
        "Path": "/",
        "GroupName": "project-calabria-developers",
        "GroupId": "c2tuoijto26m2cvuensk",
        "Arn": "arn:aws:iam::000000000000:group/project-calabria-developers",
        "CreateDate": "2022-05-12T13:53:47.627000+00:00"

Example: adding a user to a group:

$ aws --endpoint http://aws:4566 iam add-user-to-group --group-name project-calabria-developers --user-name meridith

Example: check policies attached to the group: 

$ aws --endpoint http://aws:4566 iam list-attached-group-policies --group-name project-calabria-developers 

Example: check policies attached to user:

$ aws --endpoint http://aws:4566 iam list-attached-user-policies --user-name meridith

Example: attach a policy to a group

$ aws --endpoint http://aws:4566 iam attach-group-policy --group-name project-calabria-developers --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess 

How to check which AWS account is used by aws cli?

$ aws sts get-caller-identity
    "Account": "046202377221",
    "Arn": "arn:aws:iam::046202377221:user/bojan.komazec"


No comments: