IAM: Users & Groups
- IAM = Identity and Access Management, Global service
- Root account created by default, shouldn't be used or shared
- Users are people within your organization, and can be grouped
IAM: Permissions
- Users or Groups can be assigned JSON documents called policies
- These policies define the permissions of the users
- In AWS you apply the least privilege principle: don't give more permissions than a user needs
IAM Policies inheritance
IAM Policies Structure
- Consists of:
  - Version: policy language version, always include "2012-10-17"
  - Id: an identifier for the policy (optional)
  - Statement: one or more individual statements (required)
- Statements consist of:
  - Sid: an identifier for the statement (optional)
  - Effect: whether the statement allows or denies access (Allow, Deny)
  - Principal: account/user/role to which this policy applies
  - Action: list of actions this policy allows or denies
  - Resource: list of resources to which the actions apply
  - Condition: conditions for when this policy is in effect (optional)
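As an added example (not part of these notes), a small Python linter that checks a policy document against the structure listed above and flags the kind of broad Allow that the least privilege principle warns against; both policies, the bucket name and the policy Id are constructed placeholders, and the MFA condition key shown is AWS's real aws:MultiFactorAuthPresent.

```python
import json

POLICY_VERSION = "2012-10-17"      # the only value the notes say to use
REQUIRED_KEYS = {"Effect", "Action", "Resource"}
OPTIONAL_KEYS = {"Sid", "Principal", "Condition"}

# Constructed least-privilege policy: read-only access to one bucket (placeholder
# name), with object reads additionally requiring that the caller used MFA.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": POLICY_VERSION,
    "Id": "example-s3-read-only",
    "Statement": [
        {"Sid": "ListOneBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "ReadObjectsWithMfa", "Effect": "Allow",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
})

# Constructed counter-example: structurally valid, but grants everything.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": POLICY_VERSION,
    "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
})

# Action, Resource and Statement may be a single value or a list; normalise.
def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(document):
    """Return the problems found in a policy JSON string; [] means it is sound."""
    problems = []
    policy = json.loads(document)
    if policy.get("Version") != POLICY_VERSION:
        problems.append(f"Version must be {POLICY_VERSION!r}")
    statements = policy.get("Statement")
    if not statements:
        return problems + ["Statement is required and must not be empty"]
    for i, st in enumerate(_as_list(statements)):
        label = st.get("Sid", f"statement #{i}")
        if st.get("Effect") not in {"Allow", "Deny"}:
            problems.append(f"{label}: Effect must be Allow or Deny")
        for key in sorted(REQUIRED_KEYS - set(st)):
            problems.append(f"{label}: missing required element {key}")
        # Least privilege: Allow on every action for every resource is exactly
        # "more permissions than a user needs".
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action"))
                and "*" in _as_list(st.get("Resource"))):
            problems.append(f"{label}: Allow on Action '*' and Resource '*' violates least privilege")
    return problems
```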
IAM - Password Policy
- Strong passwords = higher security for your account
- In AWS, you can set up a password policy:
  - Set a minimum password length
  - Require specific character types:
    - including uppercase letters
    - lowercase letters
    - numbers
    - non-alphanumeric characters
  - Allow all IAM users to change their own passwords (password expiration)
  - Prevent password re-use
Multi Factor Authentication - MFA
- Users have access to your account and can possibly change configurations or delete resources in your AWS account
- You want to protect your Root Accounts and IAM users
- MFA = password you know + security device you own
- Main benefit of MFA: if a password is stolen or hacked, the account is not compromised
MFA device options in AWS
- Virtual MFA device
  - Google Authenticator (phone only)
  - Authy (multi-device)
  - Support for multiple tokens on a single device
- Universal 2nd Factor (U2F) Security Key
  - YubiKey by Yubico (3rd party)
  - Support for multiple root and IAM users using a single security key
- Hardware Key Fob MFA Device
- Hardware Key Fob MFA Device for AWS GovCloud (US)