AWS IAM Management

Overview

AWS Identity and Access Management (IAM) is a service that enables you to securely manage access to AWS services and resources. IAM allows you to create users, groups, and roles and assign permissions using policies.

Best Practices for AWS IAM

1. Principle of Least Privilege

• Grant only the permissions necessary for a user or service to perform its tasks.
• Regularly review and remove unused permissions.

2. Use IAM Roles Instead of IAM Users

• IAM roles are more secure than long-lived access keys because they use temporary credentials.
• Use IAM roles for EC2, Lambda, and other AWS services that require access to AWS resources.

3. Enable Multi-Factor Authentication (MFA)

• Enforce MFA for all IAM users with AWS Management Console access.
• Use hardware MFA devices or virtual MFA apps like Google Authenticator.

4. Use IAM Groups for Users

• Assign permissions to IAM groups instead of individual users to simplify management.
• Example groups: Admin, Developers, ReadOnly.

5. Rotate Credentials Regularly

• Rotate access keys periodically and avoid hardcoding them in applications.
• Use AWS Secrets Manager or AWS Systems Manager Parameter Store for managing credentials.

6. Implement IAM Policy Boundaries and SCPs

• Use IAM Permission Boundaries to limit the maximum permissions an IAM entity can receive.
• Use AWS Organizations Service Control Policies (SCPs) to enforce permissions across multiple accounts.

7. Use Condition Keys in IAM Policies

• Example: Restrict access based on:
  • IP Address: aws:SourceIp
  • MFA Presence: aws:MultiFactorAuthPresent
  • AWS Region: aws:RequestedRegion

8. Use AWS IAM Access Analyzer

• Continuously monitor and identify unused or overly permissive IAM policies.

9. Enable AWS CloudTrail

• Audit IAM actions using AWS CloudTrail for security monitoring.

10. Use AWS Organizations and AWS SSO for Multi-Account Access

• Use AWS Organizations and AWS Single Sign-On (SSO) to centralize identity management.

Deploying and Managing IAM Using Different Methods

1. AWS Console

Creating an IAM User

1. Sign in to the AWS Management Console.
2. Navigate to IAM → Users.
3. Click Add User.
4. Choose an access type (Programmatic, Console, or both).
5. Assign the user to a group or attach permissions directly.
6. Review and create the user.

Creating an IAM Role for EC2

1. Go to IAM → Roles.
2. Click Create Role.
3. Choose AWS Service → EC2.
4. Attach the required policies (e.g., AmazonS3ReadOnlyAccess).
5. Name and create the role.

2. AWS CLI

Create an IAM User

aws iam create-user --user-name DevUser

Attach a Policy to a User

aws iam attach-user-policy --user-name DevUser --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

Create an IAM Role

aws iam create-role --role-name MyEC2Role --assume-role-policy-document file://trust-policy.json

Example trust-policy.json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Attach a Policy to a Role

aws iam attach-role-policy --role-name MyEC2Role --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create an IAM Group

aws iam create-group --group-name DevOpsGroup

Add a User to a Group

aws iam add-user-to-group --user-name DevUser --group-name DevOpsGroup

3. Terraform

IAM User with Terraform

resource "aws_iam_user" "dev_user" {
  name = "DevUser"
}

resource "aws_iam_user_policy_attachment" "admin_policy" {
  user       = aws_iam_user.dev_user.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

IAM Role for EC2 with Terraform

resource "aws_iam_role" "ec2_role" {
  name = "MyEC2Role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Principal = {
          Service = "ec2.amazonaws.com"
        }
        Action = "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "s3_readonly" {
  role       = aws_iam_role.ec2_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
}

IAM Group with Terraform

resource "aws_iam_group" "devops_group" {
  name = "DevOpsGroup"
}

resource "aws_iam_group_policy_attachment" "group_admin_policy" {
  group      = aws_iam_group.devops_group.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_user_group_membership" "devops_membership" {
  user = aws_iam_user.dev_user.name
  groups = [aws_iam_group.devops_group.name]
}

IAM Logging and Monitoring

1. Enable CloudTrail for IAM Events

aws cloudtrail create-trail --name IAMTrail --s3-bucket-name my-logs-bucket
aws cloudtrail start-logging --name IAMTrail

2. Use AWS Config for IAM Compliance

aws configservice put-config-rule --config-rule file://iam-policy-compliance.json

Example iam-policy-compliance.json:

{
  "ConfigRuleName": "iam-policy-compliance",
  "Scope": {
    "ComplianceResourceTypes": ["AWS::IAM::Policy"]
  },
  "Source": {
    "Owner": "AWS",
    "SourceIdentifier": "IAM_POLICY_NO_STATEMENTS_WITH_ADMIN_ACCESS"
  }
}

Conclusion

AWS IAM is a critical service for securing AWS environments. Following best practices, using IAM roles instead of long-lived credentials, and implementing security controls like MFA and CloudTrail logging ensures a secure and compliant IAM setup. Whether using the AWS Console, CLI, or Terraform, proper IAM management is essential for maintaining a robust cloud security posture.