Introduction to AWS IAM

Table of contents

Reading Time: 3 minutes

AWS IAM roles is a web service which gives you secured “Control Access” to AWS services for your users. IAM policies specify which services/actions are allowed or denied. You attach policies to group, users, roles which are then subject to permission that you define. In other words, IAM policies define what your user can do to your AWS services.

IAM is Identity and Access management which means which user has access to which services.

Policies can be granted either from AWS API programmaticaly or AWS management console. IAM gives you following features:

– Shared access to your AWS account.
– Granular permission.
– Secure access to your AWS resources.
– Identity Information.
– Integrated with many AWS resources.
– Free to use.

Ways to access IAM :

– AWS management console.
– AWS CLI.
– AWS SDKs.
– IAM HTTPS API.

When to create IAM user :

– You crate an AWS account and you are the only person who works in your account.
– Create IAM user for individual who need access to your AWS resource, assign appropriate permission to each user and give him/her own credentials.
– When you want to use AWS CLI to work with AWS. CLI needs credentials to make calls to AWS. Create IAM user and give that user permission to run the CLI.

Usecase :

Allow each IAM user to access to each object in bucket

In the above diagram each user has access to his/her object in the bucket.
Instead of attaching policies to each user, policies can be attached at group level. After then we can add user to that group. The following policy allows a set of Amazon S3 permisson in bucketName/${aws:username} folder. When the policy is evaluated, the policy is replaced by requested username.

For example:
If Vikas sends a request to put an object, the operation is allowed only if Vikas is uploading to bucketName/Vikas folder.

{
 "Version": "2012-10-17",
 "Statement": [{
 "Effect": "Allow",
 "Action": [
 "s3:PutObject",
 "s3:GetObject",
 "s3:GetObjectVersion"
 ],
 "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
 }]
}

Note: When using policy you must specify the version in the policy.

Version :

Version element specify the current version of the policy language.
Must be specify before statement element.Current version : 2012-10-17.

Statement :

The Statement element is the main element of the policy. This element is required. The Statement element contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }.

Effect :

The Effect element is required and specifies whether the statement will result in an allow or an explicit deny. Valid values for Effect are Allow and Deny.

Action :

The Action element describes the specific action or actions that will be allowed or denied.Each AWS service has its own set of actions that describe tasks that you can perform with that service.

Resource :

The Resource element specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN.

That’s all for now.

If you have any questions or suggestions, submit a comment below. Stay tuned for the next blog on cloud 😉

Reference:

http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html