AWS: IAM and CLI

Mahedi Hasan Jisan
6 min readJun 27, 2021

IAM stands for Identity and Access Management, and it is a global service: users, groups, roles and policies are not tied to any region. When you create an AWS account you get a root user with unrestricted access to everything in the account; that root user should not be shared and should not be used for day-to-day work. Let’s go over the basic understanding of IAM.

IAM: Users and Groups

— Users are the people of an organization, and users can be grouped.

— A group contains only users, which is to say people; a group cannot contain another group. A user, however, can be in multiple groups.

— A user does not have to be in a group at all, although granting permissions through groups rather than to individual users is the recommended practice.

IAM Users and Groups

In the IAM console there is no region to select, because IAM is global. Let’s create a user and a group.

Creating User and Groups

In the above example we gave the user AWS Management Console access with a password and put him in the admin group, which has administrative access (typically the AdministratorAccess managed policy). Right after the user is created, a credentials CSV file can be downloaded once; keep it somewhere safe, because it cannot be retrieved again. Each user then signs in to the AWS Management Console using the account’s sign-in URL and their own credentials.

User Specified URL!

IAM: Policies & Permissions

Now we see that there can be multiple users in a group, so we need a way to grant them permission to do certain things and nothing more. That is where JSON policies come in: a policy is a document with one or more statements, each with an Effect (Allow or Deny), the Actions it covers and the Resources it applies to. Anything not explicitly allowed is denied, and an explicit Deny overrides any Allow.

Because a user can be in multiple groups, a user’s effective permissions are the union of the policies attached to every group the user belongs to, plus any policy attached directly to the user, with explicit denies still winning over allows.

User: policies and groups!

In the above example we created another group called developers and added the user jisan to it, so jisan has the permissions of both the admin and the developers groups. One more permission was attached directly to the user without going through a group. This is only a visual illustration of how a user can be in several groups and be covered by several policies at once.
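The following is an added example, not code from the original post, that evaluates the scenario above in code: a constructed user jisan in an admin group and a developers group, plus one policy attached directly. The group names, policies and the resource ARNs are all assumptions made for the illustration. The point it shows that the text does not: adding jisan to a second group does not only add permissions, because an explicit Deny in the developers policy also takes away from what the admin policy granted.

```python
"""Simplified IAM policy evaluation for a user who belongs to several groups
and also has a policy attached directly. Added example; the users, groups and
policies below are constructed to mirror the scenario in the text."""
import fnmatch

# Policies follow the IAM JSON shape (Effect / Action / Resource with '*'
# wildcards). Conditions, NotAction, resource-based policies and permission
# boundaries are not modelled here.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::dev-bucket*"},
        # developers must not touch IAM; this Deny also binds anyone who is
        # in the developers group *and* in admin
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}
USER_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeInstances",
                   "Resource": "*"}],
}

# constructed membership, as in the article's screenshots
GROUP_MEMBERSHIP = {"jisan": ["admin", "developers"], "bob": ["developers"]}
GROUP_POLICIES = {"admin": [ADMIN_POLICY], "developers": [DEVELOPERS_POLICY]}
USER_POLICIES = {"jisan": [USER_INLINE_POLICY]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # action names are matched case-insensitively; '*' and '?' are wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # resource ARNs are matched case-sensitively
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policies, action, resource):
    """IAM decision logic: everything is denied unless some statement allows
    it, and an explicit Deny in any policy overrides every Allow."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(p, resource) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit deny wins, stop looking
            allowed = True
    return "Allow" if allowed else "Deny"


def policies_for(user):
    """Union of the policies of every group the user is in plus the user's own."""
    policies = []
    for group in GROUP_MEMBERSHIP.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    policies.extend(USER_POLICIES.get(user, []))
    return policies


def is_allowed(user, action, resource="*"):
    """True if the user's effective policies allow `action` on `resource`."""
    return evaluate(policies_for(user), action, resource) == "Allow"


if __name__ == "__main__":
    for user, action, resource in [
        ("jisan", "s3:GetObject", "arn:aws:s3:::dev-bucket/report.csv"),
        ("jisan", "iam:ListUsers", "*"),
        ("bob", "ec2:DescribeInstances", "*"),
    ]:
        print(user, action, resource, "->", evaluate(policies_for(user), action, resource))
```

Run it and jisan, despite being in admin, is denied iam:ListUsers because the developers group carries an explicit Deny on iam:*, while bob is denied ec2:DescribeInstances simply because nothing allows it. This is why the order of the groups does not matter but the contents of every group a user is in do.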

IAM: Password Policy

Always use multi-factor authentication (MFA) to protect the root user and every IAM user. MFA = the password you know plus a security device you own. Even if someone learns your password, they still cannot sign in without the device, for example the authenticator app on your phone.

To change the password policy, go to “Account settings” and “Change password policy”, where you can set the minimum length, the required character types, expiry and password re-use rules as you wish.

General Password Policy

To enable MFA, click your username in the upper-right corner, select “My Security Credentials”, choose the MFA option and follow the guided steps. The supported MFA device types (virtual authenticator apps, hardware tokens and security keys) are listed in the AWS documentation. I am using Google Authenticator on an Android device.

AWS: CLI

The AWS CLI is a way to use AWS services from your command-line shell. It calls the same public APIs as the console and the SDKs, so you can write scripts that manage your resources. The CLI is open source and its code lives on GitHub; the installation guide is linked at the end of this section.

To install the AWS CLI on Windows, go to that installation link and download the MSI installer.

Download and verify!

Security Credentials:

Don’t use your root account for this. Always create access keys for an IAM user: go to Users, select the user, open the security credentials tab and click “Create access key”.

Access Keys

Read the description shown next to the access keys to see what they can do: the access key ID and the secret access key together authenticate you to the AWS APIs with all of that user’s permissions, exactly like a username and password. The secret is shown only once, at creation time. DON’T SHARE YOUR ACCESS KEY, and never paste it into source code, scripts or logs.

Now open your terminal and configure the CLI with the keys you just created. Running “aws configure” prompts for the access key ID, the secret access key, a default region and an output format, and stores them in ~/.aws/credentials and ~/.aws/config. A quick check that the keys work is “aws sts get-caller-identity”, which prints the account and user the CLI is acting as.

Using CLI to access AWS services!
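Since the warning above is about keys ending up where they should not, here is an added example (not code from the original post) of the check a practitioner would run over a repository, a shell history or a log before sharing it: find AWS access keys by their shape and redact them. The sample text is constructed; the key values in it are the publicly documented example credentials from the AWS documentation, not real keys.

```python
"""Find AWS access keys that have leaked into files, scripts or logs, and
redact them before anything is shared. Added example; the sample text below is
constructed and uses the example key values from the AWS documentation."""
import re

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA; both
# are 20 uppercase alphanumerics. The lookarounds stop us matching inside a
# longer token.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# The secret has no fixed prefix, so anchor it to the variable name it is
# usually assigned to (env var, credentials file or config key, any case).
SECRET_KEY_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

SAMPLE = """\
# constructed sample: a shell profile and a credentials file pasted into one log
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# not a key: the AKIA prefix is followed by too few characters
token=AKIASHORT
# temporary credentials from STS use the ASIA prefix
aws_access_key_id = ASIAY34EXAMPLE5KEYID
"""


def find_aws_credentials(text):
    """Return a list of (line_no, kind, value) for every key found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            hits.append((line_no, "access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            hits.append((line_no, "secret_access_key", m.group(1)))
    return hits


def redact(text):
    """Replace each found key with its first four characters plus asterisks,
    so a log can be shared without exposing the credential."""
    for _, _, value in find_aws_credentials(text):
        text = text.replace(value, value[:4] + "*" * (len(value) - 4))
    return text


if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE):
        print("line %d: %s %s" % hit)
    print(redact(SAMPLE))
```

Keeping the first four characters is deliberate: AKIA versus ASIA tells you whether a long-term user key or a short-lived STS key leaked, which decides whether the key must be deactivated in IAM or will simply expire. Anything this finds in a real repository should be treated as compromised and rotated, not just deleted from the file.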

There’s an alternative as well: AWS CloudShell, a browser-based shell inside the console that comes with the CLI pre-installed and runs with the credentials of the user you are signed in as, so no access keys have to be created or copied anywhere. It is only available in certain regions; if you don’t see it, change the region and give it a try just to get familiar with it.

How can users access AWS?
— AWS Management Console (password + MFA)
— AWS command-line interface (CLI), protected by access keys
— AWS software development kit (SDK), for code, protected by access keys

AWS CLI installation: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

IAM Roles for AWS Services

IAM roles let an AWS service perform a specific set of tasks with a given set of permissions, without any long-term credentials. Let’s say we create a virtual server, an EC2 instance, and that instance needs to call other AWS services. Instead of putting a user’s access keys on the instance, we attach an IAM role to it; the instance then obtains short-lived credentials for that role automatically. I will talk more about EC2 instances in future writing.

IAM roles for services: an AWS service that needs to act in your account assumes a role. Common examples:
Roles:
1. EC2 instance roles
2. Lambda function roles
3. Roles for CloudFormation

To create a role, go to the Roles section and click Create role. Choose AWS service as the trusted entity and EC2 as the use case (this becomes the role’s trust policy: only the EC2 service may assume it), then under Permissions attach IAMReadOnlyAccess, review, give the role a name and create it.

Voila! Your role is created and it has only IAMReadOnlyAccess, so an instance that uses it can list IAM users, groups and policies but cannot change any of them.

IAM Security Tools:

  • IAM credential report (account level): lists every user in the account and the status of their credentials: password, MFA, access keys, and when each was last used or rotated.
  • IAM Access Advisor (user level): shows which service permissions a user has been granted and when each of those services was last accessed, which makes it easy to spot permissions that are never used and can be removed.

To see the credential report, go to the credential report section and download it; it comes as a CSV file with one row per user (the root user included).

Credentials Report!
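The report is only useful if someone reads it, so here is an added example (not code from the original post) of the audit a practitioner would script over it: root with access keys, console users without MFA, and access keys that are stale or were never used. The CSV below is constructed; its column names are the ones the real report uses, but only a subset of the report’s columns is included, and the account ID, user names and dates are made up.

```python
"""Audit an IAM credential report CSV for the problems the report exists to
surface. Added example; the CSV below is constructed with a subset of the
report's real column names."""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T08:00:00+00:00,true,2021-06-20T09:00:00+00:00,false,true,2020-01-10T08:05:00+00:00,2021-05-01T00:00:00+00:00
jisan,arn:aws:iam::123456789012:user/jisan,2021-06-27T10:00:00+00:00,true,no_information,true,true,2021-06-27T10:30:00+00:00,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2020-11-01T00:00:00+00:00,false,N/A,false,true,2020-11-01T00:00:00+00:00,2021-06-26T12:00:00+00:00
"""

# fixed "now" so the result is reproducible; use datetime.now(timezone.utc) in practice
NOW = datetime(2021, 6, 27, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90      # rotate long-term keys at least this often
UNUSED_GRACE_DAYS = 30     # a brand-new key has had no chance to be used yet


def _date(value):
    """Report cells are ISO-8601 timestamps or one of N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _age_days(value, now):
    d = _date(value)
    return None if d is None else (now - d).days


def audit(report_csv, now=NOW):
    """Return a list of (user, finding) tuples, in report order."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # console sign-in without MFA; users with no password are API-only
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "NO_MFA"))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY"))
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, f"KEY_{n}_NOT_ROTATED"))
            last_used = _date(row[f"access_key_{n}_last_used_date"])
            if last_used is None and age is not None and age > UNUSED_GRACE_DAYS:
                findings.append((user, f"KEY_{n}_NEVER_USED"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

To feed it a real report from the CLI, run “aws iam generate-credential-report”, then “aws iam get-credential-report --query Content --output text” and base64-decode the output. In the constructed data the root user is flagged three times, the service user ci-bot only for a key that has not been rotated in over 90 days, and jisan not at all: the key created minutes ago has never been used, but the grace period keeps that from being reported as a finding.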

To see Access Advisor, go to Users, select a user to open its details, and look for the Access Advisor tab.

Access Advisor!!

In this article, we talked about IAM and CLI. Let’s point out some important information once again:

  • Don’t use the root account except for the initial AWS account setup.
  • Assign users to groups and attach permissions to groups, not to individual users.
  • Create a strong password policy.
  • Use MFA (multi-factor authentication) for the root user and every IAM user.
  • Create and use roles to give permissions to AWS services instead of embedding access keys.
  • Access AWS from the CLI or an SDK with the access keys of an IAM user, never the root user’s.
  • Use the IAM credential report and IAM Access Advisor to audit users and their permissions.

IAM Guidelines and Best Practices:
1. Don’t use the root user
2. One physical user = one AWS user
3. Assign users to groups
4. Set a proper password policy
5. MFA for extra security (root and IAM user accounts)
6. Create and use ROLES
7. CLI/SDK with an IAM user’s access keys
8. IAM credential reports and Access Advisor

That’s a re-cap. Hope you enjoy it. See you soon with the next article! Cheers! 😃
