IDENTITY AND ACCESS MANAGEMENT
When you first create an Amazon Web Services (AWS) account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
- The “root account” is simply the identity created when you first set up your AWS account. It has complete administrative access to your account.
AWS strongly recommends that you do not use the root user for your everyday tasks, even the administrative ones. Instead of using the root user, create an IAM user and grant it the appropriate permissions.
IAM stands for Identity and Access Management. IAM is a web service that helps you securely control access to AWS resources for your users. We can use IAM to control who can use our AWS resources and how they can use them.
- You can provide shared access to your AWS account
- You can grant different permissions to different people for different resources
- IAM allows you to manage users and their level of access to the AWS console
- IAM is global: it is not scoped to a region
- You can enable multi-factor authentication (MFA) for your AWS account
- IAM allows you to set up your own password rotation policy
- IAM integrates with many different AWS services
Steps to Create an IAM user:
1. Log in with the root account credentials and find “IAM” under “Security, Identity & Compliance”.
2. IAM users have to sign in using a dedicated sign-in link. Every AWS account gets a 12-digit account number, and that number is displayed in the sign-in link; if you don’t want to expose the account number you can give an alias name instead. For that, select “Customize”.
- The alias name must be globally unique
3. To create a new IAM user, select the “Users” option under IAM Resources and then select “Add user”.
- We need to provide a “user name” for the new IAM user. This user name must be unique within your AWS account.
- There are two access types:
- Programmatic access: this enables access to your AWS account through the AWS API, CLI, SDKs and other development tools. You will get an access key ID and a secret access key if you select this access type.
- AWS Management Console access: this enables the user to sign in to the AWS Management Console in a web browser. You will get a user name and password to log in.
- If you select “AWS Management Console access” you have to set a password using either the “Autogenerated password” or the “Custom password” option.
- You can tick the “Require password reset” box if you want the IAM user to create a new password at the next sign-in.
4. By default, IAM users are created with NO permissions. If you want to grant a certain level of permission on any AWS resource, you have to attach a policy to the user.
- You can attach one or more existing policies directly to the user, or create a new policy
- If you have an existing user with policies, you can select that user to copy the same permissions
- Or you can create a group, attach the policy to the group, and then add this IAM user to that group. Creating groups eases administration.
5. To create a group, select the “Create group” option and you will get a pop-up to select the policy. You can filter the policies based on your requirement and select one.
Here are some key policies you have to remember:
Administrator Access
Provides full access to AWS services and resources except billing and account management. This user can create and delete IAM users and groups.
Power User Access
Provides full access to AWS services and resources, but not to user and group management: this user can launch any resource but has no permission to create a new user or group or to delete an existing user.
Read Only Access
Provides read-only access to all AWS services and resources.
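To make the difference between the three policies concrete, here is an added example (not code from the original notes) that runs a simplified IAM policy evaluation over constructed policy documents. The AdministratorAccess statement is the well-known one-statement document; the PowerUserAccess and ReadOnlyAccess documents are assumed, shortened subsets of the real managed policies that keep the shape that matters: PowerUserAccess is written as a NotAction over iam:, organizations: and account:, plus a few allowed IAM actions.

```python
import fnmatch

# Constructed, simplified policy documents modelled on the managed policies
# described above (assumption: the PowerUserAccess / ReadOnlyAccess subsets
# are enough to show why a power user cannot manage users or groups).
MANAGED_POLICIES = {
    "AdministratorAccess": {"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "PowerUserAccess": {"Statement": [
        # Everything except IAM / Organizations / account management ...
        {"Effect": "Allow", "Resource": "*",
         "NotAction": ["iam:*", "organizations:*", "account:*"]},
        # ... plus the few IAM actions needed to launch services.
        {"Effect": "Allow", "Resource": "*", "Action": [
            "iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole",
            "iam:ListRoles"]}]},
    "ReadOnlyAccess": {"Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:Describe*", "s3:Get*", "s3:List*", "iam:Get*", "iam:List*"]}]},
}

def _action_matches(patterns, action):
    """IAM action matching: 'service:Name' with * wildcards, case-insensitive."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(policy_docs, action):
    """Simplified decision over all policies attached to a user and to the
    groups it belongs to: an explicit Deny wins, any matching Allow grants,
    and no match at all is the implicit deny. Resource and Condition elements
    are ignored in this model."""
    allowed = False
    for doc in policy_docs:
        for stmt in doc["Statement"]:
            if "Action" in stmt:
                hit = _action_matches(stmt["Action"], action)
            else:  # NotAction: the statement covers every action NOT listed
                hit = not _action_matches(stmt["NotAction"], action)
            if not hit:
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def compare(action):
    """Decision for one action under each of the three managed policies."""
    return {name: is_allowed([doc], action) for name, doc in MANAGED_POLICIES.items()}
```

Passing several documents to `is_allowed` models a user that belongs to a group: the user's own policies and the group's policies are evaluated together, and a Deny in any of them wins.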
6. Review the screen and click the “Create user” option. The new IAM user is created and you can send the credentials directly to the user by using the “Send email” option.
7. You can download the credentials.csv file; keep it in a secure location.
8. Using the IAM sign-in URL shown, the newly created IAM user can log in to the AWS console.
Set up your own password policy:
A password policy is a set of rules that define the type of password an IAM user can set. You can set the password complexity to protect your AWS account from easily guessable passwords, and you can modify the password policy as your requirements change.
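As an added example (not from the original notes), the following checks an account password policy, in the JSON shape returned by `aws iam get-account-password-policy`, against a baseline and tests candidate passwords against that policy. The sample policy document and the baseline values are constructed for this example; the symbol set is the one IAM counts for the “require symbols” rule.

```python
import json

# Symbols IAM counts toward RequireSymbols (from the IAM password policy docs).
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")

# Baseline this example checks an account policy against (assumption: values
# chosen for the example, in the spirit of the CIS AWS Foundations benchmark).
BASELINE = {"MinimumPasswordLength": 14, "PasswordReusePrevention": 24,
            "RequireSymbols": True, "RequireNumbers": True,
            "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True}

# Constructed sample of the JSON `aws iam get-account-password-policy` returns.
SAMPLE_POLICY_JSON = """{"PasswordPolicy": {
  "MinimumPasswordLength": 8, "RequireSymbols": false, "RequireNumbers": true,
  "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true, "ExpirePasswords": true,
  "MaxPasswordAge": 90, "PasswordReusePrevention": 5}}"""

def load_policy(raw_json):
    return json.loads(raw_json)["PasswordPolicy"]

def policy_gaps(policy):
    """Names of BASELINE settings the account policy does not meet."""
    gaps = []
    for key, want in BASELINE.items():
        have = policy.get(key, False if isinstance(want, bool) else 0)
        ok = bool(have) if isinstance(want, bool) else int(have) >= want
        if not ok:
            gaps.append(key)
    return gaps

def password_violations(password, policy):
    """Rules of the given account policy that a candidate password breaks.
    IAM's default minimum length of 8 applies when the key is absent."""
    checks = {
        "MinimumPasswordLength": len(password) >= policy.get("MinimumPasswordLength", 8),
        "RequireSymbols": any(c in IAM_SYMBOLS for c in password),
        "RequireNumbers": any(c.isdigit() for c in password),
        "RequireUppercaseCharacters": any(c.isupper() for c in password),
        "RequireLowercaseCharacters": any(c.islower() for c in password),
    }
    # A Require* rule only counts when the policy actually switches it on.
    return [rule for rule, ok in checks.items()
            if not ok and (rule == "MinimumPasswordLength" or policy.get(rule, False))]
```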
9. Once every item on the IAM dashboard shows a tick mark, you can consider the account ready to use with other services.
Create an IAM Group
Create a group for all IAM administrator users and assign the proper permissions to the new group. This will allow you to avoid assigning policies directly to a user later in these exercises.
Log in as the root user.
Create an IAM group called Administrators.
Attach the managed policy, IAM Full Access, to the Administrators group.
Create a Customized Sign-In Link and Password Policy
In this exercise, you will set up your account with some basic IAM safeguards. The password policy is a recommended security practice, and the sign-in link makes it easier for your users to log in to the AWS Management Console.
Customize a sign-in link, and write down the new link name in full.
Create a password policy for your account
Create an IAM User
In this exercise, you will create an IAM user who can perform all administrative IAM functions. Then you will log in as that user so that you no longer need to use the root user login. Using the root user login only when explicitly required is a recommended security practice (along with adding MFA to your root user).
While logged in as the root user, create a new IAM user called Administrator.
Add your new user to the Administrators group.
On the Details page for the administrator user, create a password.
Log out as the root user
Use the customized sign-in link to sign in as Administrator.
Set Up MFA
In this exercise, you will add MFA to your IAM administrator. You will use a virtual MFA application on your phone. MFA is a security recommendation for powerful accounts such as IAM administrators.
Download the AWS Virtual MFA app to your phone
Select the administrator user, and manage the MFA device.
Go through the steps to activate a Virtual MFA device
Log off as administrator
Log in as administrator, and enter the MFA value to complete the authentication process
More information: https://www.fgrade.com/aws/