Hi folks! Welcome to Day 5 of 100 Days of AWS, where we will cover the complete AWS cloud from beginner to professional. Today we will expand our horizons in the AWS cloud by mastering IAM and its identities (Users, Groups, and Roles), learning how to create a custom IAM policy that follows AWS best practices, how to manage the IAM identities of all accounts in a central place using AWS IAM Identity Center, and lastly taking a deep dive into AWS Organizations. Let's get started!
Day 4 Overview;
On Day 4 we discussed extensively the purpose and importance of the broad AWS Security, Identity, and Compliance category, which is a key enabler for keeping your cloud environment highly secure, resilient and robust against attacks, protecting sensitive data to meet regulatory compliance, and maintaining business continuity. This was followed by best practices to follow and several services offered by AWS that you can leverage to keep your cloud environment secure.
Creating AWS Account;
Consider a scenario where you are working as a System Administrator in a startup company. After some R&D you have come to the conclusion that you can improve your company's performance and time to market by migrating your existing application to the cloud, so you decide to create an AWS account.
To create an AWS account, at an elementary level you need three pieces of information: an account name, an email ID, and credit card details. With that information you can successfully create a cloud account. Note that the email ID must be unique for each AWS account, but the credit card details can be the same. Once the account is created, AWS will by default have a Root user, which is like the superuser in Linux: it has all permissions in the corresponding account.
Now you want to migrate your existing application to the cloud, and for that purpose you want cloud architects, system administrators, and DevOps engineers to access your AWS account. But it is not a good idea to give all of them the Root user credentials: there is a high chance of information leakage or account mishandling, and you would be unable to track who did what. Generally, what attackers do once they have your credentials is destroy the production environment and make you incur a lot of cloud operating charges by invoking many services.
Keeping all that in mind, wouldn't it be great if we had a service in AWS where several users are created, each accessing only the resources they require, so that we can keep track of user activity and protect the cloud account from unwanted problems? Yes, AWS offers such a service: Identity and Access Management (IAM), where we create several users, provide them with credentials for authenticating themselves, and authorize them for just the services they need, so that user-level activity can be tracked.
Why IAM;
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM you can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources users and applications can access.
IAM handles not only who is authenticated but also what they are authorized to do.
IAM Identities;
Depending on the scenario, IAM has three different identities: Users, Groups, and Roles.
IAM Users;
Users are individual identities representing a person or application that interacts directly with the cloud service.
In our scenario of migrating to the cloud, we will create IAM users for the DevOps engineers, cloud architects, and system administrators in IAM.
By creating a user alone, they are not allowed to perform any actions in the AWS account; they are only authenticated. They still have to be authorized to perform actions in the cloud environment.
IAM Policies;
To perform actions, we need policies attached to the user; only then are they authorized, and only for the actions described in the policy. Policies are JSON documents that state which actions are allowed on which resources.
For more detail about IAM policies, I refer you to the AWS documentation by clicking here.
Policies are of two types:
AWS managed: the default policies created by AWS for common use cases.
Customer managed: policies created by the customer (the cloud user) when they need a custom policy.
Generally, a policy is a list of statements, where each statement has a Sid (statement ID), an Action (a list of actions in the cloud environment), a Resource (a list of resources to which the actions apply), and an Effect (Allow or Deny, indicating whether the policy allows or denies the access).
With policies we can also provide granular access to resources.
Policy Example;
With this custom policy attached to the IAM user, the user can perform only the actions described in the policy.
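The policy image from the original post is not reproduced here, so the following is an added example of my own, not the author's policy: a constructed customer-managed policy in the Sid/Effect/Action/Resource shape described above, plus a small Python evaluator that applies the order IAM uses (an explicit Deny wins, a matching Allow permits, anything unmatched is implicitly denied). The bucket name, statement IDs and function names are assumptions.

```python
import fnmatch
from typing import Dict, List, Union

# Constructed customer-managed policy for this example (not from the original post):
# the user may list one bucket and read its objects, but can never delete anything.
CUSTOM_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListAppBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-app-bucket"},
        {"Sid": "ReadAppObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::example-app-bucket/*"},
        {"Sid": "NeverDelete", "Effect": "Deny",
         "Action": "s3:Delete*",
         "Resource": "*"},
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns: List[str], value: str) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation for one identity-based policy:
    an explicit Deny always wins, a matching Allow permits, and a request
    that matches no statement is implicitly denied."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; resource ARNs are not.
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if _matches(actions, action.lower()) and _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

The evaluator ignores Condition blocks, resource-based policies and permission boundaries, which real IAM also consults; it is enough to see why the Deny on `s3:Delete*` cannot be undone by any Allow in the same policy.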
Best Practice;
Principle of Least Privilege,
It is always recommended to grant the minimum number of permissions needed to perform a task.
Multi-Factor Authentication,
It is highly recommended to add MFA to all AWS accounts, so that even if the password is exposed the account is still protected by MFA authentication.
IAM Groups;
IAM groups are for categorizing a set of users according to their permission needs in AWS. You create a policy and attach it to the group so that all of the users in the group are authorized to do the tasks mentioned in the group's policy.
Note that users are only authorized while they are in the group to which the policies are attached. Once they are removed from the group, all of the permissions granted by the group policy are revoked.
On a positive note, with groups we can manage access in a central place, so that one change affects all of the attached users.
IAM Roles;
Roles are special or temporary permissions granted to a user or application. Once the service use is done, the user can sign out or switch to another role; otherwise they act as a normal user with their default permissions.
To understand roles more easily, consider this analogy: you are a family of six where the father is responsible for everything. If some day the parents go away, then for that certain amount of time the eldest child is in charge, meaning the eldest child's permissions are upgraded; once the parents come back, the eldest child returns to their normal role.
IAM Identity Center;
IAM Identity Center is an AWS service where we can centrally manage all of the IAM accounts for the organization itself.
AWS Organizations;
Let's say you have created multiple AWS accounts, one for each environment and team. Then it becomes cumbersome: you pay the bills separately for each AWS account even though they were all created using the same credit card, you have to manage users and entities individually, and much more. So Amazon came up with a service called Organizations.
AWS Organizations is a service where all of the AWS accounts are grouped into a single organization so that they are centrally managed.
Service Control Policy (SCP),
Service control policies are policies at the account level that restrict the AWS account to authorizing only the services that are needed.
Organizational Units,
Accounts can also be grouped into organizational units (OUs), and service control policies can also be applied at the OU level, so that the child accounts of an OU inherit the OU's service control policies by default.
Organizational units allow you to group accounts with similar business or security requirements.
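To make the inheritance concrete, here is an added Python model (not from the original post) of an organization with two OUs and two member accounts; the tree, the SCPs and the service names are all constructed for illustration. It shows that an account can only use a service if every SCP on the path from the Root down to it allows that service, which is why an OU's SCP bounds every child account by default.

```python
from typing import Dict, List, Optional, Set

# Constructed organization for this example (not from the original post):
# every node maps to its parent; the Root has none.
PARENT: Dict[str, Optional[str]] = {
    "Root": None,
    "Workloads": "Root",          # organizational unit
    "Sandbox": "Root",            # organizational unit
    "prod-account": "Workloads",  # member account under Workloads
    "dev-account": "Sandbox",     # member account under Sandbox
}

ALL = "*"  # stands for the FullAWSAccess SCP that AWS attaches by default
# SCPs attached at each node, each modelled as the set of services it allows.
SCPS: Dict[str, List[Set[str]]] = {
    "Root": [{ALL}],
    "Workloads": [{"ec2", "s3", "iam", "cloudwatch", "kms"}],
    "Sandbox": [{"ec2", "s3", "cloudwatch"}],
    "prod-account": [{ALL}],
    "dev-account": [{"s3", "cloudwatch"}],  # account-level SCP narrows further
}
UNIVERSE = {"ec2", "s3", "iam", "cloudwatch", "kms", "lambda"}


def path_to_root(node: str) -> List[str]:
    chain: List[str] = []
    current: Optional[str] = node
    while current is not None:
        chain.append(current)
        current = PARENT[current]
    return chain


def effective_services(account: str, universe: Set[str] = UNIVERSE) -> Set[str]:
    """A service survives only if, at every level from the account up to the Root,
    at least one SCP attached there allows it: union within a level,
    intersection across levels. SCPs never grant anything by themselves;
    the identity's IAM policy must still allow the action."""
    allowed = set(universe)
    for node in path_to_root(account):
        level: Set[str] = set()
        for scp in SCPS.get(node, [{ALL}]):
            level |= universe if ALL in scp else scp
        allowed &= level
    return allowed


def can_use(account: str, service: str) -> bool:
    return service in effective_services(account)
```

Note that SCPs only bound what member accounts can do; they grant nothing on their own, and the organization's management account is not restricted by them.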
Day 5 wrap up;
On Day 5 of 100 Days of AWS, we covered the AWS IAM service extensively, along with its identities (Users, Groups, and Roles), how to secure these identities using IAM policies and their types, and lastly AWS Organizations, organizational units, and service control policies.
Summary & Key points;
By default, when you create an account in AWS, the root user is created automatically; it has unlimited access and no restrictions.
IAM is responsible for managing access to the AWS resources.
An IAM user represents a person or application that needs access to AWS or to a subset of AWS services.
Policies are documents that either grant or deny access to AWS services and resources.
Groups are collections of IAM users. Roles allow users to get temporary access to services or resources.
Organizations help manage multiple accounts. Organizational units allow you to group accounts with similar business or security requirements.
Service control policies (SCPs) restrict what an account can do. SCPs can be applied to both individual accounts and organizational units.
Up next on Day 5;
How the AWS global infrastructure is spread across the world, so that providing global solutions and services is no longer a hindrance.
How to select Regions for deploying our Applications and Services.
What are Availability Zones, and why are they independent within a region?
How Edge Locations help reduce users' request latency.
Edge Locations vs Local Zones.