IAM Deep Dive: AWS Security SCS-C02 Exam Prep 1

Yashvi Kothari - Sep 29 - - Dev Community

1. What is Identity and Access Management?
IAM is the AWS service that protects your AWS resources by controlling who can reach them and what they may do.

Definition of IAM: it determines

  • who can access your AWS account
  • what they can do once they are in.

IAM breaks down into three parts:

Identity Management:

  • who can access your AWS account.
  • IAM identifies each person or application by a unique name within the account, so two users cannot share the same identity.

Authentication:

  • proves that the identified user is who they claim to be.
  • the basic form is a username and password; Multi-Factor Authentication (MFA) adds a second factor for extra security.

Access Management

  • decides what resources an authenticated user can access and which actions they may perform.
  • permissions are granular, such as "Full Access" to EC2 or "Read Only" to RDS.

Access Control

Methods used to grant access:

  1. Username/password
  • The traditional method and the most basic level of security.
  • Effective for simple setups, but vulnerable to password breaches (leaked, reused or phished passwords).

  2. MFA
  • MFA significantly reduces the risk of unauthorized access, even if the password is compromised, because the attacker also needs the second factor.

Time-based One-Time Password (TOTP): Generates a unique code that expires after a short time.
Push notifications: Sends a notification to a registered device, requiring user confirmation.
Hardware tokens: Physical devices that generate unique codes.

Note that IAM itself supports virtual authenticator apps (TOTP), FIDO security keys/passkeys and hardware TOTP tokens; push-notification MFA comes from an external identity provider, not from IAM.

  3. Federated access
  • Simplifies user management and provides a seamless login experience.
  • Relies on the security measures of the external identity provider (its password policy, MFA and session controls).
  • External identity provider: Allows users outside your AWS account to access resources using credentials from a trusted external identity provider (SAML 2.0 or OpenID Connect); they receive temporary AWS credentials instead of IAM users.

Single sign-on (SSO): Enables users to log in to multiple applications with a single set of credentials.
Social login: Allows users to sign in using their existing accounts from social media platforms (e.g., Google, Facebook).
Enterprise identity providers: Integrates with your organization's existing identity management system (e.g., Active Directory).

Why IAM?

  • Minimize risks: Restrict access to resources, preventing unauthorized individuals from causing damage.
  • Enhance compliance: Meet industry standards and regulations by adhering to secure access protocols.
  • Improve manageability: Simplify user access and resource management within your AWS account.

2. AWS IAM Features

Access Management:

  • Users:
    individual identities (people or applications) needing access to AWS resources.
    Each user has a unique ARN (Amazon Resource Name).
    Users hold long-term credentials (a console password and/or access keys), so MFA should be enabled on every user that can sign in to the console.

  • IAM User Groups:

Collections of IAM users. Policies attached to the group grant or deny access for every user in it, which is simpler than managing permissions user by user. Groups cannot be nested and cannot themselves sign in.

  • Roles:

Identities that are assumed rather than signed in to. When a user, AWS service, or application assumes a role, STS hands out temporary credentials for it.
Roles have no long-term credentials (no password or access keys); a trust policy on the role defines which principals are allowed to assume it.

  • Policies (JSON documents): Define which actions are allowed or denied on which resources, optionally under which conditions. Identity-based policies are attached to users, groups, or roles; resource-based policies are attached to a resource and name the principals that may use it.

  • Account Settings: Enforce password policies with minimum security requirements.

  • Security Token Service (STS):

Provides temporary, limited-privilege credentials (access key ID, secret access key, session token and expiry) for IAM users, roles and federated users.
Regional endpoints are available for lower latency; which regions accept STS calls is controlled from the IAM account settings.

Access Reports:

Access Analyzer:
Identifies resources (S3 buckets, IAM roles, KMS keys, SQS queues, Lambda functions, Secrets Manager secrets, and others) whose policies grant access to principals outside your zone of trust (your account or organization), e.g. cross-account access.
Helps identify potential security risks; it can also validate policy documents and generate least-privilege policies from CloudTrail activity.

Credential Report:

Generates a CSV file listing every IAM user in the account (plus the root user) with details such as whether a password is enabled, when it was last used and last changed, MFA status, and the age and last use of each access key. It is the quickest way to find users without MFA, stale access keys, and recent root sign-ins.
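The report is just CSV, so the hygiene checks the text describes can be scripted. The block below is an added example, not code from the original post: it audits a constructed sample report (a subset of the real report's columns, with the real `N/A` / `not_supported` / `no_information` placeholders and the `<root_account>` row) against three rules: console users and root without MFA, active access keys older than 90 days, and identities with no activity in 90 days. The sample rows, the fixed "now" and the 90-day thresholds are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's CSV layout (a subset of the real
# columns). A real report comes from `aws iam get-credential-report` (base64-encoded
# CSV); the root user appears as "<root_account>".
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2020-01-10T09:00:00+00:00,not_supported,2024-09-01T08:12:00+00:00,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-02T10:00:00+00:00,true,2024-09-20T07:30:00+00:00,2024-07-01T10:00:00+00:00,true,true,2024-08-15T10:00:00+00:00,2024-09-25T11:00:00+00:00
bob,arn:aws:iam::111122223333:user/bob,2022-05-05T10:00:00+00:00,true,2024-01-05T07:30:00+00:00,2022-05-05T10:00:00+00:00,false,true,2022-05-05T10:00:00+00:00,2023-11-30T11:00:00+00:00
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-01T10:00:00+00:00,false,no_information,N/A,false,true,2023-09-01T10:00:00+00:00,2024-09-26T02:00:00+00:00
"""

# Fixed "now" so the example is reproducible; thresholds are assumptions.
NOW = datetime(2024, 9, 29, tzinfo=timezone.utc)
KEY_MAX_AGE = timedelta(days=90)
INACTIVE_AFTER = timedelta(days=90)


def _parse_ts(value):
    """Report timestamps are ISO 8601; the placeholder values mean 'no timestamp'."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW):
    """Return {user: [findings]} for every row that breaks a hygiene rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        issues = []

        # Rule 1: anyone who can sign in to the console (or root) must have MFA.
        if row["mfa_active"] == "false" and (row["password_enabled"] == "true" or is_root):
            issues.append("no MFA on console login")

        # Rule 2: root should not be used for day-to-day work.
        root_login = _parse_ts(row["password_last_used"]) if is_root else None
        if root_login and now - root_login < INACTIVE_AFTER:
            issues.append("root user signed in within last %d days" % INACTIVE_AFTER.days)

        # Rule 3: active access keys past the rotation window.
        if row["access_key_1_active"] == "true":
            rotated = _parse_ts(row["access_key_1_last_rotated"])
            if rotated and now - rotated > KEY_MAX_AGE:
                issues.append("access key 1 older than %d days" % KEY_MAX_AGE.days)

        # Rule 4: identities that have used neither password nor key recently.
        last_used = [t for t in (_parse_ts(row["password_last_used"]),
                                 _parse_ts(row["access_key_1_last_used_date"])) if t]
        if last_used and now - max(last_used) > INACTIVE_AFTER:
            issues.append("no activity in the last %d days" % INACTIVE_AFTER.days)

        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user, "->", "; ".join(issues))
```

Note that `ci-deploy` is only flagged for key age: it has no console password, so the MFA rule does not apply. That is exactly the kind of machine identity that should be replaced by a role with temporary STS credentials rather than a user with a long-lived key.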

Organization Activity (for AWS Organizations users):

Shows which AWS services were accessed over the past year by an account or organizational unit (OU), and when they were last used.
Identifies active users and services accessed, which is the input for tightening SCPs and removing unused permissions.

Service Control Policies (SCPs):
Set the maximum permissions available to IAM identities in the member accounts of an AWS Organization. An SCP never grants access on its own; it only caps what identity-based policies can grant, so a permission must be allowed by both the SCP and the identity policy to take effect. SCPs do not apply to the organization's management account.

Eg:
If a user has full access to S3, RDS, and EC2 through an IAM policy, but the Service Control Policy (SCP) denies access to S3, the user will only be able to access RDS and EC2. The SCP takes precedence and limits the maximum permissions allowed.
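To make the evaluation order concrete for both the policy section above and this SCP example, here is an added example (not code from the original post) that simulates how AWS combines an SCP with an identity-based policy in a member account: any explicit Deny wins, the SCP must Allow, and only then does the identity policy's Allow count. The two policy documents are constructed to match the S3/RDS/EC2 scenario; the evaluator is deliberately simplified (no Condition, NotAction, NotResource, resource-based policies or permissions boundaries) and is not the AWS policy engine.

```python
import json
from fnmatch import fnmatchcase

# Constructed identity-based policy: full access to S3, RDS and EC2.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "rds:*", "ec2:*"], "Resource": "*"}
  ]
}
""")

# Constructed SCP: the default FullAWSAccess allow plus an explicit deny on S3.
SCP = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # IAM wildcards ('*' and '?') are a subset of fnmatch; matching is case-sensitive here.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(fnmatchcase(action, a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def evaluate(policy, action, resource):
    """Decide one policy document: 'Deny', 'Allow' or 'Implicit' (no matching statement).

    An explicit Deny in the document always beats an Allow in the same document.
    """
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def effective_decision(identity_policy, scp, action, resource):
    """Combine SCP and identity policy for a member-account principal.

    1. Explicit Deny anywhere -> Deny.
    2. SCP must Allow (it is a ceiling, it never grants by itself) -> else implicit Deny.
    3. Identity policy must Allow -> else implicit Deny.
    """
    scp_result = evaluate(scp, action, resource)
    identity_result = evaluate(identity_policy, action, resource)
    if "Deny" in (scp_result, identity_result):
        return "Deny"
    if scp_result != "Allow":
        return "Deny"  # implicit deny: the SCP does not allow this action
    if identity_result != "Allow":
        return "Deny"  # implicit deny: nothing grants this action to the identity
    return "Allow"


if __name__ == "__main__":
    for action in ("s3:GetObject", "rds:DescribeDBInstances", "ec2:RunInstances", "iam:CreateUser"):
        print(action, "->", effective_decision(IDENTITY_POLICY, SCP, action, "*"))
```

Running it reproduces the text's outcome: S3 is denied by the SCP even though the identity policy allows it, RDS and EC2 are allowed, and `iam:CreateUser` is denied implicitly because the SCP alone (which allows everything) grants nothing without a matching identity policy.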
