Identity and Access Management - AWS


Identity and Access Management (IAM) is a global, eventually consistent service which securely manages the following entities.

Accounts - The first entity that is created to provide access to the AWS resources.

User - An entity that you create in AWS to represent the person or application that uses it to interact with AWS. The user created during AWS account creation is called the root user. Each IAM user is associated with one and only one AWS account, because users are defined within your AWS account. An IAM user with administrator permissions is not the same as the AWS account root user.

One Physical User = One User Account

AWS user credentials are classified into two types:

  1. AWS Management Console Access - Password
  2. Programmatic Access - Access Key

AWS strongly recommends not using the root account for day-to-day tasks.

User Groups - A group of users. Groups can contain only users and cannot contain another group. Users within a group inherit the group's permissions, which provides a cleaner way of managing permissions for users. Not every user needs to belong to a group, and the same user can be in many groups.

Policies - Permissions for users and groups are granted through IAM policies. A policy is a JSON document with the structure below.

{
    "Version": "2012-10-17",
    "Id": "Optional-Policy-Identifier",
    "Statement": [
        {
            "Sid": "Optional-Statement-Identifier",
            "Effect": "Allow/Deny",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {
                "{{condition}}": {
                    "key": "value"
                }
            }
        }
    ]
}

The policy document consists of:

  • Version - Policy language version
  • Id - Policy identifier, optional field
  • Statement - Policy statements

Each statement consists of:

  • Sid - Statement identifier, optional field
  • Effect - Denotes whether the action is Allowed or Denied.
  • Action - Indicates the actions which are allowed or denied on the AWS resource.
  • Resource - The AWS resources (identified by ARN) to which the allowed or denied actions apply.
  • Condition - Optional; restricts the statement to requests that match the condition.
  • Principal - Specifies the principal that is allowed or denied access to a resource; allowed only in resource-based policies. Identity-based policies are permissions policies that you attach to IAM identities (users, groups, or roles). In those cases, the principal is implicitly the identity to which the policy is attached.

Below is a sample policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": "arn:aws:ec2:region:account:security-group/*",
            "Condition": {
                "StringEquals": {
                    "ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-11223"
                }
            }
        }
    ]
}

Apply the principle of least privilege when granting permissions to users.

A policy specific to a single user or role is handled through an inline policy. An inline policy cannot be reused. The best practice is to create a policy and attach it to a user or group.

The AWS Policy Generator can be used to generate the JSON policy document. The IAM Policy Simulator is used to test policies that are attached to IAM users, user groups, or roles in your AWS account.
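To make the Effect/Action/Resource/Condition semantics above concrete, here is an added example (not code from the post or from AWS) of a minimal policy evaluator that applies IAM's basic decision rules: default deny, an explicit Deny wins, otherwise any matching Allow. The `evaluate` function and the `StringEquals`-only condition handling are assumptions of this example; the inputs are a constructed copy of the post's security-group policy plus a constructed Deny policy.

```python
import fnmatch


def _as_list(value):
    # Action, Resource and condition values may be a single string or a list.
    return value if isinstance(value, list) else [value]


def _match(pattern, value, fold=False):
    # IAM patterns use '*' and '?' as wildcards; action names are case-insensitive.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    # Only the StringEquals operator is modelled here (assumption of this example).
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against a list of policies."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_match(a, action, fold=True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue  # statement matches the action/resource but its condition fails
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit deny when nothing matched


# Constructed inputs: the post's sample security-group policy and an explicit Deny.
SG_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
    "Resource": "arn:aws:ec2:region:account:security-group/*",
    "Condition": {"StringEquals": {"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-11223"}}}]}
DENY_ALL_EC2 = {"Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
IN_VPC = {"ec2:Vpc": "arn:aws:ec2:region:account:vpc/vpc-11223"}
```

Running the same request with and without the `ec2:Vpc` context key shows why the condition, not just the Action list, is what keeps this policy least-privilege.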

Roles - Provide permissions for AWS services to access other AWS resources. Roles are similar to policies, but they are intended to be used only by AWS services.
Consider an example where we have deployed our application in a virtual machine (EC2) and it has to read and write data in a database such as DynamoDB. For the application running in our EC2 instance to do this, we have to provide a role that allows the EC2 instance to access DynamoDB.

Common Roles include,

  • EC2 Instance Roles
  • Lambda Function Roles
  • CloudFormation Roles

Multi Factor Authentication (MFA):

AWS recommends setting up MFA for the root account and other user accounts to improve account security.
MFA = traditional password + auto-generated passcode from a security device.
Types of MFA:
  1. Virtual MFA Device - Authy, Google Authenticator. Supports multiple tokens on the same device.
  2. Universal 2nd Factor (U2F) Security Key - A physical key such as a YubiKey. Supports multiple root and IAM users with a single key.
  3. Hardware Key Fob MFA Device - Gemalto (RSA token); SurePassID for AWS GovCloud.

Other Security Aspects:

  • Password policy - enforces length, special characters and numbers, prevents reuse of the last n passwords, and applies periodic password expiry.
  • Auto-generated temporary passwords when creating new users; these can be overridden with a custom password.

Security Tools:

  • Access Advisor - Shows the services that a user can access and when those services were last accessed. Any unused permissions granted to the user can be reviewed and revoked.

  • Credentials Report - A report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. It is used to audit the effects of credential lifecycle requirements, such as password and access key rotation. The report can be generated as often as once every four hours.
    Never share your IAM user credentials or access keys.
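As an added example of the audit the credentials report enables (not code from the post or from AWS), the script below parses a credential report and flags console users without MFA, active access keys older than a rotation limit, and any active root access key. The CSV sample is constructed and uses a subset of the real report's column names; `audit_credential_report`, the 90-day limit and the fixed `NOW` timestamp are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the real credential report's columns, four made-up rows.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,true,2024-04-15T00:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,false,true,2023-03-01T00:00:00+00:00,false,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,false,false,true,2024-04-20T00:00:00+00:00,false,N/A
"""

# Fixed "current time" so the example is reproducible offline (assumption).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def parse_time(value):
    # The report mixes ISO 8601 timestamps with markers such as N/A or not_supported.
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90):
    """Return a sorted list of (user, finding) pairs for the given report text."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Root shows password_enabled=not_supported, but it always has console access.
        console = row["password_enabled"] == "true" or user == "<root_account>"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":
                findings.append((user, "root account has an active access key"))
            rotated = parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} older than {max_key_age_days} days"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```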



Are you looking to develop great modules and local services for T24? This is the perfect place to start with. Let’s start from the basics. The core banking platform, T24 is developed with INFOBASIC code. This is the proprietary language of Temenos. T24 has the unique compiler to convert the BASIC code to object files with TAFc (Temenos Application Framework c) platform. An another flavour TAFj (Temenos Application Framework java), converts the BASIC to bytecode making it capable to run on any device with the Java runtime installed. The BASIC code remains same for both TAFc and TAFj Platform. Enough Intro! Let’s say hello to this world, How the syntax of this basic program looks like, PROGRAM program_name all the basic statements reside inside this block END Now, it is right time say hello, PROGRAM HELLO                 CRT “Hello World” END Yah, we did that. But, how to run this. You need T24 deployed in your organisation to compile and run