IAM (Identity and Access Management) is the entry point to AWS. Its job is to give the consumers of AWS services, both humans and machines, a controlled way to access them.
The IAM service has five (5) components:
- User - an IAM identity that represents a person or a machine using AWS resources.
- Groups - a collection of users; a policy attached to a group applies to every member, so permissions are managed per group rather than per user.
- Policy - a JSON document that defines which actions an IAM identity is allowed (or denied) to perform on which resources.
- Roles - an IAM identity with its own policies that is not tied to a particular user. It is assumed temporarily by a user, an AWS service or an application and hands out short-lived credentials instead of long-lived keys.
- Access keys (API keys) - an access key ID and secret access key used for programmatic access to the AWS API (CLI, SDKs). They are distinct from a console password, which is only for the web console.
AWS authorization rests on two very important principles.
- Principle of least privilege.
  - Any user, group or role is granted only the minimum permissions needed to complete its activity, and nothing more.
- Implicit deny (the "non explicit deny" rule).
  - A new identity has no permissions at all. Unless a policy explicitly allows an action on a resource, AWS denies the request.
  - An explicit allow overrides the implicit deny; an explicit deny, however, overrides any allow.
Admin vs root user
The root user is the very first identity created when we sign up for AWS with an email ID. It has unrestricted access to every service and to billing, and it is not under the control of IAM: no IAM policy can limit what it does.
This login must never be used for daily activities within AWS.
These 5 steps should be done as soon as we log in to the AWS root account for the first time.
- Delete the root user's access keys (root should never be used programmatically).
- Enable MFA on the root user.
- Create an IAM user for yourself.
- Create groups, attach policies to the groups, and add the user to the appropriate groups.
- Apply an IAM password policy for the account.
We then create an IAM user with full administrative permissions (the AdministratorAccess managed policy). This is the Admin user. Unlike root, it comes under the purview of IAM, so its rights can be scoped, logged and revoked, and it is the identity to use as a daily driver in AWS.
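The five first-login steps above can be verified rather than just remembered. The following is an added example for this page, not the page's own code or an AWS tool: a small audit that consumes the `SummaryMap` returned by the real IAM `GetAccountSummary` API (keys `AccountAccessKeysPresent`, `AccountMFAEnabled`, `Users`, `Groups`) plus the `PasswordPolicy` from `GetAccountPasswordPolicy`, and reports which steps are still undone. The password-policy thresholds (length 14, reuse prevention 24) are my own choice, since the page only says a policy must exist, and the sample account maps are constructed, not captured from a real account. `fetch_live_inputs()` shows the boto3 calls that would supply real data.

```python
"""Audit an account against the five first-login steps described above.

Added example for this page, not the page's own code or an AWS tool. The
check itself is a pure function over the SummaryMap returned by the real IAM
GetAccountSummary API plus the PasswordPolicy from GetAccountPasswordPolicy,
so it runs offline on constructed input; fetch_live_inputs() shows the boto3
calls that would supply real data.
"""
from typing import List, Optional

# Assumed minimum bar for the password policy (my choice for this example;
# the page only says a policy must exist).
MIN_PASSWORD_LENGTH = 14
MIN_REUSE_PREVENTION = 24


def audit_root_hardening(summary: dict, password_policy: Optional[dict]) -> List[str]:
    """Return one finding per unfinished step; an empty list means all done.

    summary keys used (real GetAccountSummary SummaryMap keys):
      AccountAccessKeysPresent  1 if the root user still has access keys
      AccountMFAEnabled         1 if the root user has an MFA device
      Users, Groups             counts of IAM users and groups
    """
    findings = []
    if summary.get("AccountAccessKeysPresent", 0) != 0:       # step 1
        findings.append("root user still has access keys; delete them")
    if summary.get("AccountMFAEnabled", 0) != 1:              # step 2
        findings.append("root user has no MFA device")
    if summary.get("Users", 0) == 0:                          # step 3
        findings.append("no IAM users exist, so daily work would fall back to root")
    if summary.get("Groups", 0) == 0:                         # step 4
        findings.append("no IAM groups exist, so permissions are not managed via groups")
    if password_policy is None:                               # step 5
        findings.append("no account password policy is set")
    else:
        if password_policy.get("MinimumPasswordLength", 0) < MIN_PASSWORD_LENGTH:
            findings.append(f"password policy: MinimumPasswordLength below {MIN_PASSWORD_LENGTH}")
        if password_policy.get("PasswordReusePrevention", 0) < MIN_REUSE_PREVENTION:
            findings.append(f"password policy: PasswordReusePrevention below {MIN_REUSE_PREVENTION}")
        for flag in ("RequireUppercaseCharacters", "RequireLowercaseCharacters",
                     "RequireNumbers", "RequireSymbols"):
            if not password_policy.get(flag, False):
                findings.append(f"password policy: {flag} is off")
    return findings


def fetch_live_inputs():
    """Fetch the same two inputs from a real account (needs boto3 and credentials)."""
    import boto3  # imported here so the audit function stays usable offline
    iam = boto3.client("iam")
    summary = iam.get_account_summary()["SummaryMap"]
    try:
        policy = iam.get_account_password_policy()["PasswordPolicy"]
    except iam.exceptions.NoSuchEntityException:  # raised when no policy was ever set
        policy = None
    return summary, policy


# Constructed sample inputs, shaped like the real API responses (not captured data).
FRESH_ACCOUNT = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0, "Users": 0, "Groups": 0}
HARDENED_ACCOUNT = {"AccountAccessKeysPresent": 0, "AccountMFAEnabled": 1, "Users": 2, "Groups": 1}
STRONG_POLICY = {
    "MinimumPasswordLength": 14, "PasswordReusePrevention": 24,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "RequireNumbers": True, "RequireSymbols": True,
}

if __name__ == "__main__":
    for name, (summary, policy) in {"fresh": (FRESH_ACCOUNT, None),
                                    "hardened": (HARDENED_ACCOUNT, STRONG_POLICY)}.items():
        print(name, audit_root_hardening(summary, policy) or ["all five steps done"])
```

Running it against the constructed fresh account reports all five steps as undone; against the hardened account it reports nothing. To run it for real, call `audit_root_hardening(*fetch_live_inputs())` with credentials for an IAM user that has `iam:GetAccountSummary` and `iam:GetAccountPasswordPolicy` (not the root user).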
To recap: the root user is created when we first sign up for AWS, has all access, and cannot be controlled via IAM policies. It is not meant for day-to-day activity; in its place we use an admin user that has permissions equivalent to root but is controlled via IAM.
The first-login housekeeping is to delete the root user's programmatic access keys, then create users and groups. Policies are attached to groups and users are made members of those groups, rather than attaching policies to individual users. A password policy must also be specified for the account's users.
Both of AWS's guiding principles apply here:
- Principle of least privilege
- Implicit deny (non explicit deny rule)
This means that every user is given only the bare minimum access required to get the job done, and that, unless access to a resource is explicitly granted, the user has no access to it by default.
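The two principles, as listed earlier and recapped here, come down to a fixed evaluation order that is easy to get wrong in one's head: start from implicit deny, an applicable Allow flips the result, and an applicable Deny wins over everything. The following is an added example for this page, not AWS code or an official evaluator, that models just that order for identity-based policies with `Action`/`Resource` wildcards. `Condition`, `NotAction`/`NotResource`, resource policies, SCPs and permission boundaries are deliberately not modelled, and the three policies and two ARNs are constructed for the example, not taken from a real account.

```python
"""Simplified model of how IAM evaluates identity-based policies.

Added example for this page, not AWS code or an official evaluator. It
implements only the core decision order: start from implicit deny, an
applicable Allow statement flips the result to allow, and an applicable Deny
statement wins over everything. Action and Resource wildcards are supported;
Condition, NotAction/NotResource, resource policies, SCPs and permission
boundaries are deliberately not modelled.
"""
import re
from typing import List, Union

StrOrList = Union[str, List[str]]


def _as_list(value: StrOrList) -> List[str]:
    # IAM accepts either a single string or a list in Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _wildcard_match(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement covers this action on this resource."""
    for key in ("Condition", "NotAction", "NotResource"):
        if key in stmt:
            raise NotImplementedError(f"{key} is not modelled in this example")
    # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
    action_ok = any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"]))
    resource_ok = any(_wildcard_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is allowed until a policy says so
    for policy in policies:
        stmts = policy["Statement"]
        for stmt in ([stmts] if isinstance(stmts, dict) else stmts):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny cannot be overridden
            decision = "Allow"         # an explicit allow overrides the implicit deny
    return decision


# Constructed sample policies and ARNs (not from any real account).
LEAST_PRIVILEGE = {  # read-only on one bucket: what a log reader actually needs
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    }],
}
OVERLY_BROAD = {  # what gets granted when least privilege is skipped
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
GUARDRAIL = {  # an explicit deny layered on top of the broad grant
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
}

LOG_OBJECT = "arn:aws:s3:::example-logs/2024/app.log"
OTHER_OBJECT = "arn:aws:s3:::customer-data/export.csv"


if __name__ == "__main__":
    print(evaluate([LEAST_PRIVILEGE], "s3:GetObject", LOG_OBJECT))    # Allow
    print(evaluate([LEAST_PRIVILEGE], "s3:PutObject", LOG_OBJECT))    # ImplicitDeny: never granted
    print(evaluate([LEAST_PRIVILEGE], "s3:GetObject", OTHER_OBJECT))  # ImplicitDeny: wrong bucket
    print(evaluate([OVERLY_BROAD, GUARDRAIL], "s3:DeleteObject", OTHER_OBJECT))  # ExplicitDeny
    print(evaluate([OVERLY_BROAD, GUARDRAIL], "s3:GetObject", OTHER_OBJECT))     # Allow
```

The first three calls show least privilege and implicit deny together: the read-only policy allows exactly the read on its own bucket and nothing else, with no deny statement needed. The last two show why an explicit deny is the right guardrail on top of a broad grant: it blocks `s3:DeleteObject` no matter how many allows are present, and the order in which the policies are attached does not matter.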