AWS – IAM

AWS IAM enables you to implement security best practices, such as least privilege, by granting unique credentials to every user within your AWS account and only granting permission to access the AWS services and resources required for the users to perform their jobs.

AWS IAM is secure by default; new users have no access to AWS until permissions are explicitly granted.

IAM Role

An IAM role uses temporary security credentials to let you delegate access to users or services that normally don't have access to your AWS resources.

  • You cannot change the IAM role on a running EC2 instance
  • You can only associate an IAM role while launching the EC2 instance

Permissions

  • Managed policies can only be attached to IAM users, groups, or roles. You cannot use them as resource-based policies

Temporary security credentials

  • Temporary security credentials are sometimes simply referred to as tokens

Identity Federation

  • AWS supports the Security Assertion Markup Language (SAML) 2.0.
  • Federated users (non-AWS, external identities) are users you manage outside of AWS in your corporate directory, but to whom you grant access to your AWS account using temporary security credentials. They differ from IAM users, which are created and maintained in your AWS account.

– web identity federation

Multi-Factor Authentication (MFA)

Multi-Factor Authentication is used as a second authentication factor to help secure the root account and IAM user accounts.

AWS MFA supports the use of both hardware tokens and virtual MFA devices.

Time-Based One-Time Password (TOTP)

Notes:

– The credential report lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices

– By default, when you create a new user via the IAM console:

  • the user is not notified of the creation via email
  • the user is provisioned with an access key
  • the user has no access to any resources until access is specifically granted

Determining Whether a Request is Allowed or Denied

When a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:

  • By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
  • An explicit allow overrides this default.
  • An explicit deny overrides any allows.
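The three evaluation rules above, implemented as a small Python evaluator added to these notes (example code, not AWS's own implementation). The two policy statements it reads are constructed samples; Condition, NotAction/NotResource and resource-based policies are deliberately left out.

```python
import fnmatch
import json

# Constructed sample identity policy (not a real account's policy): reads on one
# bucket are allowed, but anything under the "sensitive/" prefix is explicitly denied.
POLICIES = [
    json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/sensitive/*"}
      ]}"""),
]

def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_sensitive):
    """Wildcard match using IAM's '*' and '?' semantics."""
    pats = _as_list(patterns)
    if not case_sensitive:  # action names are case-insensitive, ARNs are not
        pats, value = [p.lower() for p in pats], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in pats)

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for an identity-based request.

    Rule 1: default deny.  Rule 2: an explicit Allow overrides the default.
    Rule 3: any explicit Deny overrides every Allow, so it wins immediately.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, False)
                    and _matches(stmt["Resource"], resource, True)):
                continue                      # statement does not apply
            if stmt["Effect"] == "Deny":
                return "Deny"                 # explicit deny wins
            allowed = True                    # remember the explicit allow
    return "Allow" if allowed else "Deny"     # implicit deny if nothing allowed

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/public/a.txt"),
                     ("s3:GetObject", "arn:aws:s3:::example-bucket/sensitive/k.txt"),
                     ("s3:PutObject", "arn:aws:s3:::example-bucket/public/a.txt")]:
        print(f"{act:13} {res:48} -> {evaluate(POLICIES, act, res)}")
```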

Reference

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html
