Identity and Access Management (IAM)

AWS Management Console

The AWS Management Console is the graphical user interface (GUI) that is used to manage an AWS account. Below is a summary of tasks that can be completed using the AWS Management Console.

  • Administer your AWS account
  • Search and navigate services
  • Personalize your console with service shortcuts
  • Tag resources for easy identification and editing
  • Create resource groups for collections of related resources
  • Access helpful resources for learning about AWS services and features

AWS Free Tier

  • Some services are Always Free: available to all AWS customers at no cost
  • Some services are Free for 12 Months: free for 12 months following your initial AWS sign-up date
  • Some services are Trials: short-term free trials

Creating an AWS Account

An email address and a password are required. The next page asks for more information, including the type of account (professional or personal), full name, phone number, country and address.

The next page requires a valid credit card. The next page verifies the phone number via text message (SMS). The next page asks us to choose a support plan: basic, developer or business. That is it; we can now log in to the AWS Management Console.

Billing preferences, budgets and alarms

Billing Preferences

In the AWS Management Console, go to Account settings --> My Billing Dashboard --> Billing preferences.

We are now in the Billing Management Console. Check Receive PDF Invoice By Email, Receive Free Tier Usage Alerts and Receive Billing Alerts. Click Save preferences.

Budgets

In the Billing Management Console, click Budgets in the left sidebar menu.

On the next page, select the type of budget from the Cost, Usage, Reservation and Savings Plans budget options. Here we select Cost budget.

On the next page, input the budget details: name of the budget, Period (monthly, quarterly or annually), Budget effective dates (recurring budget or expiring budget), start month, Budget amount (fixed monthly budget amount), Budgeted amount and optional budget parameters (choose from unblended, amortized or blended costs and check all the alert types). Click Configure alerts.

On the next page, create alert 1: select actual costs or forecasted costs, the alert threshold (percentage of budgeted amount or dollar amount) and the email address to send alerts to, and check or uncheck Notify via Amazon Simple Notification Service (SNS) topic and AWS Chatbot notifications. Click Confirm budget.

The next page is Confirm budget. Review all options and click Create. That's it; our first budget alert is now created.

Billing Alarms

Click Services and search for CloudWatch. Click CloudWatch, then click Billing. You might get a region warning, because billing metrics are only published in us-east-1, so we change the region to us-east-1: click the current region in the upper right-hand corner and select us-east-1 from the dropdown. Click Billing in the left menu. Click Create alarm.

The next page is Specify metric and conditions. Scroll down to Conditions. We can select the threshold type as Static or Anomaly detection. Select Whenever EstimatedCharges is Greater, Greater or equal, Lower or equal, or Lower than the threshold value. Click Next.

The next page is Configure actions. Under Notification, select whether to notify whenever this alarm state is In alarm, OK or Insufficient data. Then select an existing SNS topic, create a new topic or use a topic ARN, and input the email address. We have to create a new topic, so we select Create new topic, input the email and click Create topic. Once the topic is created, click Next.

The next page is Add name and description. Define a unique alarm name. Click Next.

The next page is Preview and create. Review all steps, scroll down and click Create alarm. We will get an email at the address we gave. Open that email and click Confirm subscription; until the subscription is confirmed, the topic will not deliver the alarm notification. That's it, the billing alarm is created.
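The same three steps (SNS topic, email subscription, CloudWatch billing alarm) done through the API, as an added example that is not part of the original page. The topic name, alarm name, threshold and email address are assumptions; boto3 and AWS credentials are only needed to run it as a script, since the clients are passed in.

```python
"""Create the us-east-1 billing alarm from the walkthrough with boto3.
Added example, not from the original page; topic name, alarm name, threshold
and email are assumptions. Clients are injected so the logic can be tested."""

BILLING_REGION = "us-east-1"   # the EstimatedCharges metric only exists here

# Comparison choices offered in the console, mapped to the API operator names.
COMPARISONS = {
    "greater": "GreaterThanThreshold",
    "greater_or_equal": "GreaterThanOrEqualToThreshold",
    "lower_or_equal": "LessThanOrEqualToThreshold",
    "lower": "LessThanThreshold",
}

def billing_alarm_params(alarm_name, threshold_usd, topic_arn, comparison="greater"):
    """Build the put_metric_alarm arguments for the AWS/Billing EstimatedCharges metric."""
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive dollar amount")
    if comparison not in COMPARISONS:
        raise ValueError(f"unknown comparison {comparison!r}")
    return {
        "AlarmName": alarm_name,
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,            # billing data is refreshed roughly every 6 hours
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": COMPARISONS[comparison],
        "AlarmActions": [topic_arn],
        "TreatMissingData": "notBreaching",
    }

def create_billing_alarm(sns, cloudwatch, email, alarm_name="monthly-spend", threshold_usd=10):
    """Topic, email subscription, alarm: sns/cloudwatch are boto3 clients (or
    test doubles) created for BILLING_REGION."""
    topic_arn = sns.create_topic(Name="billing-alerts")["TopicArn"]
    # The recipient still has to click "Confirm subscription" in the email.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    params = billing_alarm_params(alarm_name, threshold_usd, topic_arn)
    cloudwatch.put_metric_alarm(**params)
    return params

if __name__ == "__main__":
    import boto3   # assumption: boto3 installed and credentials configured
    sns = boto3.client("sns", region_name=BILLING_REGION)
    cw = boto3.client("cloudwatch", region_name=BILLING_REGION)
    print(create_billing_alarm(sns, cw, "ops@example.com")["AlarmName"])
```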

Identity and Access Management

It's the service used to manage AWS user accounts and groups and their access to various services. The common uses of IAM are to manage:

  • Users
  • Groups
  • Access policies
  • Roles
  • User Credentials
  • User password policies
  • Multi-factor authentication (MFA)
  • API keys for programmatic (CLI) access

Also

  • The User created when we create an AWS account is called the root user.
  • By default, the root user has full administrative rights and access to every part of the account.
  • Any new or additional users created in the AWS account are created with no access to any AWS resources. The only access granted is the ability to log in.
  • For a user to access an AWS service, permission must be granted to that user, which is managed in IAM.

IAM Best Practices

Guidelines that recommend settings, configurations, and architecture for maintaining a high level of security, accessibility, and efficiency.

When a new AWS root account is created, it is best practice to complete the tasks listed in IAM under Security Status, including:

  • Delete your root access keys
  • Activate MFA on your root account
  • Create individual IAM users
  • Use groups to assign permissions
  • Apply an IAM password policy

Best Practices for IAM Users

  • Best practice is to never use your root account for day-to-day use.
  • If we want full admin access, create an IAM user and attach the AdministratorAccess policy to it.
  • Use that account as our daily driver.

Best Practices for IAM Groups

  • An IAM group is a collection of IAM users; groups allow us to set and manage permissions for multiple users at the same time.
  • Groups are a more convenient and efficient way to manage account permissions. For example, if our user James were to switch positions within the company, we could easily remove James from his old group and add him to the new group.

Best practices for IAM Password Policy

  • A password policy dictates the format and expiration rules that a user must follow when creating or modifying their password.
  • These rules include:
    • Length requirements
    • Case requirements
    • Number requirements
    • Non-alphanumeric requirements
    • Password expiration
    • Password reuse
    • User rights to change their own password
    • Administrator reset requirements

Activate MFA on Root Account

  • MFA stands for Multi-Factor Authentication.
  • It is an additional layer of security on your root account that is provided by a third party.
  • It provides a continually changing, random, six-digit code you need to input (along with your password) when logging in to your root account.

How do we get an MFA code?

  1. Virtual MFA device
    • Smartphone or tablet
    • Commonly used apps (iOS and Android): Google Authenticator, Microsoft Authenticator and RSA Authenticate
  2. Hardware key fob
    • Small physical device with a display that you can attach to your keychain
    • Ordered directly from AWS
  3. API keys for programmatic (CLI) access
    • Special credentials required for accessing AWS resources via the command line interface (CLI)

On the IAM page, click Activate MFA on your root account. Click Manage MFA.

The next page is Your Security Credentials. Click Multi-Factor Authentication (MFA). Click Activate MFA. The next pop-up is Manage MFA device. Choose from Virtual MFA device, U2F security key or Other hardware MFA device. We select Virtual MFA device and click Continue.

The next pop-up is Set up virtual MFA device. The first step is to install a compatible app on our mobile device or computer (click the list of compatible applications to see all the apps we can download). The second step is to scan the QR code or input the secret key. The third step is to type two consecutive codes. Click Assign MFA. The next pop-up confirms that MFA is turned on for the root user account.

Create individual IAM user

  • IAM users are individuals who have been granted access to an AWS account. For example, if your company gives you access to their AWS account, then you are an IAM user (probably one of many the company has set up).
  • Each IAM user has three main components:
    • A username
    • A password
    • Permissions to access various AWS services
  • Without permission being explicitly granted to an IAM user, that user will not be able to access any AWS services.
  • Generally, a company's I.T. department will be responsible for "attaching" what are called IAM permission policies to an IAM user based on what that user needs access to (in order to do their job).

In the IAM dashboard, click Create individual IAM users. Click Manage Users. On the next page, click Add user. On the next page, set the user details: input the user name and select the access type. Check Programmatic access and AWS Management Console access. For Console password, select Autogenerated password or Custom password. Check Require password reset. Click Next: Permissions.

The next page is Set permissions. We will need to create a group. Click Create group. Input a group name and search for AdministratorAccess in the policy list. Check AdministratorAccess under Policy name; another good option is PowerUserAccess. Click Create group. On the next page, click Next: Tags. We can optionally add the user's email address or job title as a tag attached to the user. Click Next: Review. Click Create user.

On the next page we see the user created, along with the Access key ID, Secret access key and password, and an option to email login instructions. Download the .csv file and close the page.

On the IAM dashboard, copy the IAM users sign-in link.

Open a new browser window and paste the IAM users sign-in link. On the AWS log-in page, the Account ID will be filled in automatically. Input the IAM user name we have just created and copy the password from the CSV file we downloaded earlier. We are now logged in with the user we have just created.

Note: In the previous browser window, our root user will be signed out automatically.

Apply an IAM password policy

In the IAM dashboard, click Apply an IAM password policy. Click Manage Password Policy. On the next page, click Set password policy. On the next page, Enforce minimum password length is checked by default. We can check the other options as required by our policy and click Save changes.

IAM Users, Groups, Roles and Policies

Best practice is to create groups and attach policies to those groups, then add users to those groups. We can also create roles to access one service from another service. For example, an application running on EC2 can access S3 using a role that is permitted to access the S3 service.

There are two types of policies.

1. Managed Policies

Pre-built policies that are built either by AWS or by an administrator inside our AWS account. These policies can be attached either to an IAM user or an IAM group.

2. Inline Policies

Policies that are embedded directly in one user or one group. These are typically used in one-off situations.

An explicit Deny always overrides an Allow in any type of policy. Also, all actions are denied by default unless specifically allowed through a managed or inline policy.
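As an added example (not from the original page), here is a small Python evaluator that implements the two rules just stated, default deny and explicit Deny overriding Allow, over a constructed managed policy and a constructed inline policy. Real IAM evaluation also considers conditions, NotAction, resource policies and SCPs, which this example leaves out.

```python
"""Simplified IAM policy evaluation: default deny, explicit Deny beats Allow.
Added example, not AWS's evaluator; the two policies and requests below are
constructed. Conditions, NotAction, resource policies and SCPs are ignored."""
import json
from fnmatch import fnmatchcase

# A constructed "managed" policy: read-only access to every S3 bucket.
MANAGED_S3_READ = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:GetObject", "s3:ListBucket"],
                 "Resource": "arn:aws:s3:::*"}]
}""")

# A constructed "inline" policy: block all S3 actions on one sensitive bucket.
INLINE_DENY_FINANCE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Deny",
                 "Action": "s3:*",
                 "Resource": "arn:aws:s3:::finance-reports/*"}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]
def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match ('*' any run, '?' one char). Action names are
    case-insensitive in IAM, resource ARNs are not."""
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"       # an explicit Deny ends evaluation immediately
            allowed = True          # remember the Allow but keep looking for Denies
    return "Allow" if allowed else "ImplicitDeny"   # nothing matched: default deny
if __name__ == "__main__":
    attached = [MANAGED_S3_READ, INLINE_DENY_FINANCE]
    for act, res in [("s3:GetObject", "arn:aws:s3:::public-assets/logo.png"),
                     ("s3:PutObject", "arn:aws:s3:::public-assets/logo.png"),
                     ("s3:GetObject", "arn:aws:s3:::finance-reports/q1.csv")]:
        print(f"{act:14} {res:45} -> {evaluate(attached, act, res)}")
```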
