【Table of contents】
-
1. Introduction
This article explains about IAM in detail. IAM is a fundamental service for AWS security, so it is important to understand it correctly in order to use AWS securely.
-
2. What is IAM?
IAM (Identity and Access Management) is a service that allows you to set up "authentication" and "authorization" for AWS services. By setting "Authentication" and "Authorization" correctly, you can control who can use AWS and what AWS services can access.
-
3. Basics of IAM
Before understanding the IAM, let's take a look at the difference between the meanings of "authentication" and "authorization" as used by the IAM. Authentication and authorization are two similar but very different words. In simple terms, the difference is as follows.
・Authentication → Confirmation of who (what) the other party is
・Authorization → Granting access to the resourceFor ease of understanding, let's consider the case of taking the AWS certification exam.
When taking the AWS certification exam, be sure to follow these two steps.① Pay the examination fee and apply for the examination.
② Verify your identity with your passport or driver's license at the test site.As you can see, at the stage 1), those who have paid money to apply will be entitled to take the AWS qualification exam. The act of applying for and obtaining the qualification to take the examination is called "authorization". We then go to the test site to verify the applicant's identity, and this is called "authentication". As you can see, authentication and authorization are two completely different acts, but they are often performed as a set. IAM also has authentication and authorization functions.
IAM provides the following features.
・IAM users (groups)
・IAM Policy
・IAM RollLet's take a closer look at each one in the next item.
-
a) What are IAM users (groups)?
An IAM user is an account that uses AWS. It is mainly used by people to login to the console screen to operate AWS. You can create it by determining a login ID. Once the IAM user is created, you can login to the AWS console screen.
IAM groups can be created and multiple IAM users can be managed together. It is recommended to use it when you want to divide the privileges of IAM users to each department or team in your company.
-
b) What is an IAM policy?
IAM policy is a function to set permissions to operate AWS resources that can be attached to IAM users and IAM roles described later. There are three types of IAM policy.
- ・AWS Management Policy
This is an IAM policy provided by AWS. You can set a general control policy for each service.
- ・Customer Management Policy
This is a policy set by the user using JSON files, etc. It allows more detailed control than AWS management policies, such as IP address control.
- ・In-line policy
An inline policy is a policy that is created for a specific IAM user or IAM role. AWS management policies and customer management policies can be attached to many IAM users and so on by creating one policy, but inline policies can only be attached to a single IAM user or so on a one-to-one basis.
- ・AWS Management Policy
-
c) What is an IAM roll?
IAM roles are a mechanism for granting AWS operating permissions to AWS services such as EC2 and other accounts, rather than to users or groups. For example, if you want to install an application that operates on RDS to EC2, attach an IAM role with access permissions to RDS to EC2. Also, if you want to allow other accounts to connect to S3, you can create an IAM role for the other account in your account so that you can "switch" from the other account to operate your own S3.
You can also create an IAM role, called an ID federation that grants access to identity providers such as Google and Facebook. For example, when a web application is created, this ID federation mechanism allows the user of the application to use the web application without having to create an account.
-
-
4. Best practices of IAM
IAM is a service that controls access to AWS services, so you can use AWS securely by following the best practices.
-
a) Minimize authority
Minimize the permissions you set on IAM users and IAM roles as much as possible. For example, if you only need to read, you can keep the permissions to ReadOnly. If you give more authority than necessary, unexpected damage may occur when it is leaked.
-
b) Use multi-factor authentication as much as possible
Multi-factor authentication is very effective in defending against password list attacks, which can be implemented by third-party apps such as Google's app and Authy, so please try to use it by all means.
-
c) Monitoring with CloudTrail
It is important to monitor and save the logs of operations performed by IAM users using CloudTrail. In the event that your password is compromised, you can prepare for a lawsuit by keeping a record of what kind of operation was done. In addition, if CloudTrail is disabled, it is possible to use SNS (Simple Notification Service), an AWS notification service, to notify you.
-
d) Do not use access keys as much as possible
You can create an access key for each IAM user, but it is best not to use it. Accidents of accidentally uploading access keys to Git, etc. have been occurring all over the world. Also, there are crawlers running around the world looking for access keys that have been accidentally uploaded in that way. Use the IAM role as much as possible.
-
-
5. Conclusion
IAM is an important service that performs "authentication" and "authorization" to operate AWS services, and it is a service that you must use in order to use AWS. Using the right combination of IAM users and IAM roles, you can use AWS securely. Also, try to follow best practices as much as possible in your setup. By understanding and implementing best practices, you can prevent unintentional accidents.