Introduction to AWS IAM
A Brief introduction to the importance of IAM and the IAM Module
easy
To access material, start machines and answer questions login.
Understanding - ’s Identity and Access Management service - is critical to attacking or defending an account. is a highly complex service with multiple parts. In this module, you’ll learn about:
| Principals | the people, applications, and services that can act on your account |
| Policies | the definition of what a principal can do in your account |
| Credentials | the numerous ways a principal can authenticate to the control plane |
| Least Privilege | How to create a policy with minimally scoped permissions and how makes that difficult for a developer |
Why is so important? With traditional network-centric security, you’re dealing with two dimensions. You are either inside the or outside the . With public clouds, like , the network is Software Defined. I issue calls to to control the network. All of these calls introduce a third dimension. Suddenly you’re no longer defending castles from opposing armies; you’re defending castles from dragons.
is how manages access to the APIs that control your network - and all the other resources that exist in your account. With the right permissions, I can change your firewalls, update routing tables of your network, and exfiltrate data from your NoSQL databases or object storage. even has several system management tools that efficiently allow you to pop shells on a machine.
As a defender, you need to understand how to defend your cloud accounts and resources against attacks that leverage . As an attacker, you can leverage in a number of ways to compromise a target, move laterally, and exfiltrate data.
One of the core principles of identity and access control in is the concept of an Account (opens in new tab). Amazon treats each account as an independent customer of , and each account is its own independent trust boundary. Inside an Account, there can be multiple Users, Groups, and Roles.
Terminology can be confusing, and people often refer to granting access as "giving someone an Account". For clarity, we shall always refer to the Account as an Account and an User inside that account as an User.
Every Account has a root user, and considers that root user the customer. Major customer-service interactions need to occur from that root user, including billing changes and closing the account. The root user (opens in new tab) is all-powerful and has complete control over all resources in the account (except for Organizational Service Control Policies which we will discuss in a future room).
Since the root user is all-powerful, and since there is only one, best-practice is to create individual Users (opens in new tab) for each person who needs access to the account and only grant the level of access required for their job function. When creating an account for the first time, the common practice is for the root user to create an Admin User and never use root again.
At this point, day-to-day access should occur via either Users (opens in new tab) or Roles (opens in new tab). Users combine authentication, identity, and authorization into a single unit. Roles typically delegate the authentication and identity to another system and primarily manage authorization. We will discuss Users and Roles in the next Room.
Both Users and Roles require Policies to be able to do anything. By default, all requests are implicitly denied. We will discuss policies and how they work in a future room. For introductory purposes, the User or Role is the "who" can do something, and the Policy defines the "what" they can do.
Policies define the actions (opens in new tab) that the user or role can perform on a resource (opens in new tab). Almost everything you create in is a Resource, and almost all Resources can be identified by their Amazon Resource Name or ARN. defines an ARN as:
Amazon Resource Names (ARNs) uniquely identify resources. We require an ARN when you need to specify a resource unambiguously across all of , such as in policies, Amazon Relational Database Service (Amazon RDS) tags, and calls (source (opens in new tab))
An ARN consists of the Region, Account ID, Service, and some identifiers for the Resource, commonly the Resource's name. ARNs are unique across all of . For example, this is the ARN for an Instance and an Role:
arn:::us-east-1:123456789012:instance/i-00c07e4f8c9affca3:
arn::::123456789012:role/admin-role
Trivia - ARNs almost always begin with "arn::". The second field is called the partition. Most customers are in the partition, but there are several other partitions, including GovCloud (-us-gov), China Region (-cn), and a handful of other Top Secret partitions built for the US Government. For instance, Chinese Law requires China to operate in partnership with Chinese companies and not solely by Amazon.
requires the use of an Access Key and Secret Key (and an optional Session Token) to authenticate calls to the APIs. These keys sign the request and identify which user or role and which account the request comes from. We will discuss credentials in more detail in a later room.
Multiple Accounts can be members of an Organization. This is typically done for management and consolidated billing purposes. Typically there is no implicit trust across accounts in an organization; however, has introduced some new features that blur the boundary and allow the organization management account to modify and manage the member accounts.
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in