Identity & Access Management

Introduction to IAM

Identity and Access Management (IAM) is used to manage who has access to your AWS account and the resources within your account.

Users and Credentials

Console password - A password that the user can type to sign in to interactive sessions such as the AWS Management Console. Disabling the password (console access) for a user prevents them from signing in to the AWS Management Console with their user name and password. It does not change their permissions, and it does not prevent them from accessing the console through an assumed role.

Access keys - A combination of an access key ID and a secret access key. A user can have at most two access keys at a time. These are used to make programmatic calls to AWS. If the user has active access keys, they continue to function and allow access through the AWS CLI, Tools for Windows PowerShell, the AWS API, or the AWS Console Mobile Application, even when console access has been disabled.

SSH keys for use with CodeCommit - An SSH public key in the OpenSSH format that can be used to authenticate with CodeCommit.

Server certificates - SSL/TLS certificates that you can use to authenticate with some AWS services. We recommend that you use AWS Certificate Manager (ACM) to provision, manage, and deploy your server certificates. Use IAM only when you must support HTTPS connections in a region that is not supported by ACM. To learn which regions support ACM, see AWS Certificate Manager endpoints and quotas in the AWS General Reference.

Security & Best Practices

Security Best Practices in IAM

  • Lock away your AWS account root user access keys

  • Create individual IAM users

  • Use user groups to assign permissions to IAM users

  • Grant least privilege

  • Use customer managed policies instead of inline policies

  • Use access levels to review IAM permissions

  • Configure a strong password policy for your users

  • Enable MFA

  • Use roles for applications that run on Amazon EC2 instances

  • Use roles to delegate permissions

  • Do not share access keys

  • Rotate credentials regularly

  • Remove unnecessary credentials

  • Use policy conditions for extra security

  • Monitor activity in your AWS account

Root User Security

From the AWS documentation: "AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead, adhere to the best practice of using the root user only to create your first IAM user. Then securely lock away the root user credentials and use them to perform only a few account and service management tasks. To view the tasks that require you to sign in as the root user, see AWS Tasks That Require Root User."

How to Secure the Root Account

  • Enable multi-factor authentication on the root account

  • Create an admin group for your administrators, and assign the appropriate permissions to this group

  • Create user accounts for your administrators

  • Add your users to the admin group
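As an added example (not from the original notes), the following Python script checks an IAM credential report against several of the best practices listed above and the root-account steps in this section: no active root access keys, MFA on the root user, MFA for every user with a console password, credentials that are no longer used, and access-key age. The column names are those of the CSV returned by `aws iam get-credential-report`; the sample rows and the 90-day thresholds are constructed/assumed here, not taken from a real account.

```python
"""Audit an IAM credential report against the IAM best-practice list.

Added example, not part of the original notes. The columns used are a
subset of those in the CSV that `aws iam get-credential-report` returns;
the rows below are constructed and the thresholds are assumed values.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report (not a real account). The root user appears as
# <root_account>; "N/A" / "not_supported" / "no_information" mean "no date".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789123:root,2019-01-01T00:00:00+00:00,not_supported,2023-05-01T09:00:00+00:00,false,true,2019-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789123:user/alice,2020-03-01T00:00:00+00:00,true,2023-06-01T08:00:00+00:00,true,true,2023-05-20T00:00:00+00:00,2023-06-01T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789123:user/bob,2020-03-01T00:00:00+00:00,true,2022-01-15T08:00:00+00:00,false,true,2021-01-01T00:00:00+00:00,2022-01-15T08:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789123:user/svc-deploy,2021-07-01T00:00:00+00:00,false,not_supported,false,true,2023-05-25T00:00:00+00:00,2023-06-01T07:00:00+00:00,true,2021-07-01T00:00:00+00:00,N/A
"""

MAX_KEY_AGE = timedelta(days=90)  # rotation threshold (assumed policy value)
MAX_IDLE = timedelta(days=90)     # "unnecessary credential" threshold (assumed)
NOW = datetime(2023, 6, 2, tzinfo=timezone.utc)  # fixed "today" for a reproducible run


def parse_ts(value):
    """Report timestamps are ISO 8601 with offset; the sentinel strings mean no date."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return a list of (user, finding) tuples for rows that violate a best practice."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Root user: lock away its access keys and require MFA.
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root user has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            continue

        has_password = row["password_enabled"] == "true"

        # Enable MFA for every user who can sign in to the console.
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))

        # Remove unnecessary credentials: a console password nobody uses.
        last_pw = parse_ts(row["password_last_used"])
        if has_password and last_pw is not None and now - last_pw > MAX_IDLE:
            findings.append((user, f"console password unused for >{MAX_IDLE.days} days"))

        # Rotate credentials regularly and remove keys that are never used.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or now - last_used > MAX_IDLE:
                findings.append((user, f"access key {n} never used or idle for >{MAX_IDLE.days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

Against the constructed report the script flags the root user (active key, no MFA), bob (no MFA, stale password, old and idle key) and svc-deploy (an old second key that has never been used); alice passes every check.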

Create Access Keys in the AWS Console

  1. Navigate to IAM and click on your user.

  2. Go to the Security Credentials tab

  3. Click Create Access Key

  4. Download the .csv file and store it somewhere safe; the secret access key is shown only once.

Get Temporary STS Credentials

Type the following command in your terminal.

Replace user-name with your IAM user name.

Replace serial-number with the ARN of your MFA device, shown in the Security Credentials tab of your user in the AWS Console.

Replace token-code with the current code from your MFA device.


aws sts get-session-token --serial-number arn:aws:iam::123456789123:mfa/user-name --token-code 123456


This returns JSON containing the temporary credentials; it should look like this:


{
    "Credentials": {
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
        "Expiration": "2018-10-11T10:09:50Z",
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE"
    }
}


Open the ~/.aws/credentials file and add the following `[temp]` profile, using the AccessKeyId, SecretAccessKey and SessionToken returned above. Note that a temporary key ID starts with ASIA, unlike a long-term key (AKIA); all three values must come from the same get-session-token response.


[temp]

output = json

region = us-east-1

aws_access_key_id = ASIAIOSFODNN7EXAMPLE

aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

aws_session_token = AQoDYXdzEJr...<remainder of security token>


Now set your `AWS_PROFILE` environment variable to `temp`.


export AWS_PROFILE=temp


Test your access by listing buckets in S3.


aws s3api list-buckets
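The steps above (call get-session-token, copy the returned values into a `[temp]` profile, then use that profile) can be scripted so the values are never retyped. The following Python script is an added example, not part of the original notes: it parses the JSON that get-session-token prints, refuses a key ID that is not a temporary (ASIA) key or that has already expired, and writes the `[temp]` profile with configparser. The input is the page's example output (not real credentials), and the file path used in the demo run is a temporary file standing in for ~/.aws/credentials.

```python
"""Turn `aws sts get-session-token` output into a [temp] credentials profile.

Added example, not from the original notes. STS_OUTPUT below is constructed
from the page's example values; a real run would feed in the CLI's output.
"""
import configparser
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed input in the shape of `aws sts get-session-token` output.
STS_OUTPUT = json.dumps({
    "Credentials": {
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "AQoDYXdzEJr...<remainder of security token>",
        "Expiration": "2018-10-11T10:09:50Z",
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    }
})
# Fixed clock so the example output is still "unexpired" when run today.
EXAMPLE_NOW = datetime(2018, 10, 11, 9, 0, 0, tzinfo=timezone.utc)


def is_temporary_key_id(key_id):
    """STS-issued temporary keys start with ASIA; long-term user keys start with AKIA."""
    return key_id.startswith("ASIA")


def expiry(creds):
    """Expiration is ISO 8601 with a Z suffix; fromisoformat wants an explicit offset."""
    return datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))


def seconds_until_expiry(creds, now):
    return int((expiry(creds) - now).total_seconds())


def parse_sts_credentials(raw_json, now):
    """Extract the Credentials object and reject anything that is not a live temporary key."""
    creds = json.loads(raw_json)["Credentials"]
    if not is_temporary_key_id(creds["AccessKeyId"]):
        raise ValueError("AccessKeyId is not a temporary STS key; refusing to write profile")
    if seconds_until_expiry(creds, now) <= 0:
        raise ValueError("session credentials have already expired")
    return creds


def write_temp_profile(creds, path, profile="temp", region="us-east-1"):
    """Add or replace `profile` in the credentials file, leaving other profiles intact."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain % characters
    cfg.read(path)  # a missing file is simply treated as empty
    cfg[profile] = {
        "output": "json",
        "region": region,
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }
    # Create the file owner-read/write only, as secrets should be.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)


def read_profile(path, profile="temp"):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return dict(cfg[profile])


def run_example():
    """End-to-end run against a temporary file; returns the [temp] section that was written."""
    creds = parse_sts_credentials(STS_OUTPUT, EXAMPLE_NOW)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials")  # stands in for ~/.aws/credentials
        write_temp_profile(creds, path)
        return read_profile(path)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key} = {value}")
```

After the profile is written, `export AWS_PROFILE=temp` and the `aws s3api list-buckets` check above work unchanged; when the session expires, rerun get-session-token and the script rather than editing the file by hand.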


AWS Documentation Links