Welcome to the world of AWS, where the cloud is your playground, and Identity and Access Management (IAM) is your key to a secure and organized experience. If you're not exactly a tech guru, fear not! This guide will walk you through the basics of AWS IAM in a way that's easy to understand.
What is AWS IAM?
IAM is like the gatekeeper of your AWS kingdom. It helps you decide who gets access to your cloud resources and what they can do once they're inside. Think of it as your digital bouncer, ensuring only the right people have the right keys.
The Key Players
1. Users:
Who: Real people or systems that interact with your AWS account.
What: Each user gets their own credentials to get in: a password for the console, and/or an access key pair for the CLI and APIs.
2. Groups:
Who: Batches of users.
What: Instead of managing each person one by one, you put them in groups, making things more organized.
3. Roles:
Who: Like users, but meant to be assumed by AWS services, applications, or people who need a set of permissions temporarily, rather than owned by one person.
What: A role has no password or long-term keys of its own. Whoever is allowed to assume it (its trust policy decides who) receives short-lived credentials, and the policies attached to the role define what those credentials can and can't do.
4. Policies:
What: Policies are like the instruction manual. They are JSON documents that dictate who can do what: which actions, on which resources, and whether the answer is Allow or Deny.
IAM Best Practices in Plain English
1. Just Enough, Not Too Much:
Rule: Only give people the power they really need.
Why: It prevents accidents or intentional mischief.
2. Change is Good - Rotate Passwords and Keys:
Rule: Change your passwords and keys regularly, and turn on multi-factor authentication for anyone who signs in to the console.
Why: A leaked password or key keeps working until it is changed, so rotating it limits how long a leak can be abused; MFA means a stolen password alone is not enough. Better still, avoid long-term keys where you can (see the next point).
3. IAM Roles for EC2 Instances - A Fancy Term for Simplicity:
Rule: For applications running on Amazon's servers (EC2 instances), give them a role instead of copying a user's access keys onto the machine.
Why: The instance fetches short-lived credentials automatically, so there is no secret to leak, rotate, or accidentally commit to code.
4. Keep an Eye on Things:
Rule: Use AWS CloudTrail to see what's happening.
Why: It's like having security cameras in your digital store: every API call and console sign-in is recorded with who made it, when, from where, and whether it was allowed or denied.
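To show what "keeping an eye on things" looks like in practice, here is an added example (not code from the original post) that reviews CloudTrail records for two of the signals the rules above care about: identities piling up "Access denied" errors, and API calls made with long-term access keys (IDs starting with AKIA) instead of a role's temporary credentials (IDs starting with ASIA). The records are constructed for the demo, but use CloudTrail's real field names; the user names, key IDs, timestamps and the threshold of three denials are assumptions.

```python
"""Review CloudTrail records for noisy access-denied identities and for calls
made with long-term access keys. Added example; the records are constructed."""
import json
from collections import Counter

# Error codes CloudTrail records when a call fails authorization. IAM and most
# services report "AccessDenied"; EC2 reports "Client.UnauthorizedOperation".
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

# Constructed sample trail, trimmed to the fields the checks below read.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-10T09:00:01Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "sgaurav"}},
    {"eventTime": "2024-01-10T09:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "sgaurav"}},
    {"eventTime": "2024-01-10T09:01:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "errorCode": "AccessDenied",
     "userIdentity": {"type": "IAMUser", "userName": "sgaurav"}},
    {"eventTime": "2024-01-10T09:02:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "userName": "sgaurav"}},
    {"eventTime": "2024-01-10T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2024-01-10T10:20:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000001",
                      "sessionContext": {"sessionIssuer": {"userName": "ec2-s3-role"}}}},
]})


def actor(event):
    """Name the identity behind an event: the IAM user, or the role a session was issued from."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return "role/" + ident["sessionContext"]["sessionIssuer"]["userName"]
    return "user/" + ident.get("userName", "unknown")


def review_trail(trail_json, denied_threshold=3):
    """Return per-identity denied-call counts, the identities at or above the
    threshold, and every (identity, key) pair that used a long-term AKIA key."""
    denied = Counter()
    long_term_keys = set()
    for event in json.loads(trail_json)["Records"]:
        who = actor(event)
        if event.get("errorCode") in DENIED_CODES:
            denied[who] += 1
        key_id = event.get("userIdentity", {}).get("accessKeyId", "")
        if key_id.startswith("AKIA"):  # temporary credentials start with ASIA
            long_term_keys.add((who, key_id))
    return {
        "denied_counts": dict(denied),
        "noisy_denied": sorted(w for w, n in denied.items() if n >= denied_threshold),
        "long_term_keys": sorted(long_term_keys),
    }


if __name__ == "__main__":
    print(json.dumps(review_trail(SAMPLE_TRAIL), indent=2))
```

Three denials from one user in a couple of minutes usually mean a missing policy (as in the walkthrough below) rather than an attack, but the same count from an identity that never needed those permissions is worth a look. The long-term-key list is the to-do list for the "roles instead of keys" rule: each entry is a workload that could be moved to a role.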
Navigating the IAM Playground
Go to the AWS Console and search for IAM, then click on "IAM" to open the IAM dashboard.
1. Creating Users:
How: Go to the IAM spot, click "Users," and then "Add user."
Why: It's like making individual passes for people to enter your digital party.
In the IAM console, in the left panel, click on "Users".
Then click on "Create user".
Next, you're asked whether to give this user access to the AWS Management Console. Check this option.
Now, in the pop-up menu, select 'I want to create an IAM user'.
Now, we have to configure the password for that user. We can either create a manual password or choose an autogenerated password. In this case, we are opting for a custom password. Select 'Custom Password'.
If you want the user to create a new password when they sign in for the first time with our provided password, check the option 'Users must create a new password at the next sign-in'.
Click on 'Next'.
Now, you get the option to set permissions. You'll find the following choices:
Add user to group
Copy permissions
Attach policies directly
For now, we are leaving these options untouched.
Click on "Next".
In the next step, review the configurations you have set for the new user.
Now, click on "Create user".
Congratulations! Your user has been successfully created.
You can download the user and password details by obtaining the .csv file. Additionally, you have the option to share the credentials directly via email by clicking on 'Email sign-in instructions'.
Click on "Return to users list".
Now you have the console details for that user, allowing them to log in to the AWS console. Click on the user you just created (in this walkthrough, 'sgaurav').
Now, select the 'Security Credentials' tab from the available options.
Now, you can see the 'Console sign-in link'. Copy that link and open it in a private/incognito window or a different browser: the console keeps one signed-in session per browser, so opening it in the same window would sign you out of your own account.
In the 'Account ID or account alias' field, enter your 12-digit account ID, or the account alias if you have set one.
For 'IAM user name,' use the username you created recently. In the password section, enter the configured password.
Congratulations! The user is now logged into the console.
If you try clicking on any service like EC2, you will encounter an 'Access denied' error. That's expected: a new IAM user has no permissions at all, and IAM denies every action that no policy explicitly allows. The console password only lets the user sign in; it doesn't let them do anything once inside.
Let's do more in our next steps.
2. Creating Groups:
How: Groups help you manage lots of people. Make a group, attach the instruction manual (policy), and add folks.
Why: Keeps things neat and tidy.
Go to the 'IAM' dashboard and click on 'User Groups'.
Now, click on 'Create group'.
Give the group a name.
Select 'Add users to the group.'
Choose your user and scroll down.
Do not perform any action on 'Attach permissions policies' for now; we'll handle permissions in step 4. (A policy attached here applies to every member of the group, which is the usual way to hand out permissions to a whole team.)
Click on "Create group".
Great news! The new group named 'devops-engineers' has been successfully created.
3. Creating Roles:
How: Roles are like VIP passes for services. Set up a role, decide who can use it, and attach the instruction manual.
Why: Services can get their work done without any fuss.
Go to the IAM dashboard and click on "Roles".
Click on "Create Role".
Next, we need to 'Select trusted entity': who is allowed to assume this role. There are multiple options, so you can configure the role according to your use case. If the role is for an AWS service such as EC2 or Lambda, choose 'AWS service'. If the role is for a user or workload in a different AWS account, select 'AWS account'.
For our scenario, we'll choose 'AWS service.' We are creating a role that allows an EC2 instance to communicate with an S3 bucket. In the 'Use case' section, select 'EC2'.
Click on "Next".
Now, we need to select the permission policies. In our case, we want to grant the role access to S3.
Search for 'S3'.
Select 'AmazonS3FullAccess', then click on 'Next'. This managed policy allows every S3 action on every bucket in the account, which is fine for a demo; for a real workload, follow the 'just enough' rule above and write a policy that names only the bucket and actions the instance needs.
Provide a name for the role.
Scroll down and click on 'Create role'.
Congratulations! The role has been successfully created.
4. Attaching Instruction Manuals (Policies):
How: Policies are the rulebooks. Use the ready-made ones or make your own.
Why: Ensures everyone follows the same set of rules.
Go to the IAM dashboard, and click on "Policies".
These are AWS managed policies: ready-made permission sets, maintained by AWS, that can be attached to any user, group, or role. You can also create your own (customer managed) policies here.
Go back to the 'User' section and select your user.
Now, in the 'Permissions' tab and under permissions policies, click on 'Add permissions'.
Now, we have to add the permissions. Select 'Attach policies directly.'
Let's search for 'EC2'.
Select 'AmazonEC2FullAccess' and then click on 'Next'. (As with S3 above, a 'FullAccess' policy is broader than most users need; it's convenient for a tutorial, not a model for production.)
Review the permissions and then click on 'Add permissions'.
Fantastic! The policy has been successfully added to your user.
Now, your user should be able to perform all the EC2 actions. Let's check this.
Sign in as the new user again (or refresh the console session you opened earlier).
Click on EC2.
Hurray! Your user can now create EC2 instances.
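The three outcomes seen so far (everything denied for the fresh user, EC2 allowed after attaching a policy, and the S3 role from the previous section) all come from the same evaluation rule: a request is implicitly denied unless some attached policy allows it, and an explicit Deny always wins. The following added example (not AWS code, and not part of the original post) implements that rule for the Effect, Action, Resource and Principal fields with '*' wildcards, and uses it to compare the managed 'FullAccess' policies with a scoped alternative and to check the EC2 role's trust policy. EC2_FULL is trimmed to the ec2:* statement of AmazonEC2FullAccess, and the bucket name app-data-bucket is hypothetical. Real IAM also evaluates conditions, NotAction, resource policies and organization controls, none of which are modelled here.

```python
"""Minimal IAM policy evaluator: implicit deny by default, explicit Deny wins.
Added example for this post, not AWS code."""
import fnmatch


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource="*"):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request
    against the identity policies attached to a user, group or role."""
    decision = "implicit_deny"  # nothing is allowed until a policy says so
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not (_matches(stmt.get("Action"), action)
                    and _matches(stmt.get("Resource"), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a Deny beats any number of Allows
            decision = "allow"
    return decision


def can_assume(trust_policy, principal):
    """Does the role's trust policy let `principal` (a service name such as
    'ec2.amazonaws.com', or an account/user ARN) call sts:AssumeRole?"""
    for stmt in _as_list(trust_policy["Statement"]):
        who = stmt.get("Principal", {})
        allowed = ["*"] if who == "*" else [p for v in who.values() for p in _as_list(v)]
        if (stmt["Effect"] == "Allow"
                and _matches(stmt["Action"], "sts:AssumeRole")
                and _matches(allowed, principal)):
            return True
    return False


# Constructed policy documents (assumptions, not copied from AWS).
EC2_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

BUCKET = "arn:aws:s3:::app-data-bucket"  # hypothetical bucket
S3_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET + "/*"}]}

DENY_SECRETS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET + "/secrets/*"}]}

EC2_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    print("new user, no policies:", evaluate([], "ec2:DescribeInstances"))
    print("after EC2 full access:", evaluate([EC2_FULL], "ec2:RunInstances"),
          "/ s3:", evaluate([EC2_FULL], "s3:ListAllMyBuckets"))
    print("scoped role, own bucket:", evaluate([S3_SCOPED], "s3:GetObject", BUCKET + "/reports/q1.csv"))
    print("scoped role, other bucket:", evaluate([S3_SCOPED], "s3:GetObject", "arn:aws:s3:::other-bucket/x"))
    print("with explicit deny:", evaluate([S3_SCOPED, DENY_SECRETS], "s3:GetObject", BUCKET + "/secrets/db.env"))
    print("EC2 may assume role:", can_assume(EC2_TRUST, "ec2.amazonaws.com"),
          "/ Lambda:", can_assume(EC2_TRUST, "lambda.amazonaws.com"))
```

The S3_SCOPED document is what the 'just enough' rule asks for in place of AmazonS3FullAccess: the instance can list and read/write one bucket and nothing else, and the DENY_SECRETS statement shows how to carve a folder out of even that. The trust policy check is the other half of a role: it decides who can pick up the role at all, independently of what the role can do.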
5. Getting In: Access Keys and Passwords:
How: People sign in to the console with a password; programs and the AWS CLI sign in with an access key pair (an access key ID plus a secret access key).
Why: It's like having a key card or a secret password to enter a secure building.
If you want to use this user from the AWS CLI, an SDK, or another tool rather than the console, you need to create access keys for it.
Go to the AWS IAM Console and select your user.
Click on "Security credentials".
Scroll down and select "Create access key".
On the next screen, under 'Access key best practices & alternatives', choose the use case for the key. We are choosing 'Command line interface'. (The console suggests alternatives here for a reason: a role or other temporary credentials are usually the safer choice.)
Check the confirmation option and click on 'Next'.
Add a tag if you want to.
Now, click on 'Create access key'.
Now, your access keys are generated. You can download the .csv file, or copy the 'Access key' and 'Secret access key' to configure the AWS CLI. This is the only time the secret is shown; if you lose it, delete the key and create a new one.
Treat the pair like the user's password: keep it out of source code and chat messages, and delete keys that are no longer used.
And thus, we have successfully created the Access Keys for our user.
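What "logging in to the CLI" with these keys actually means is writing them into the shared credentials file that the CLI and SDKs read (~/.aws/credentials by default), normally via `aws configure --profile NAME`. The following added example (not part of the original post) does that step by hand so you can see the file format and the two safeguards worth having: the file is created readable by its owner only, and an existing profile is never silently overwritten. The CSV content, the profile name 'devops' and the key pair (AWS's documented placeholder key) are constructed for the demo, and the file is written to a temporary directory, so nothing real is touched.

```python
"""Store a downloaded access key as a named AWS CLI profile.
Added example, not from the post; writes only to a path the caller chooses."""
import configparser
import os
import re
import stat
import tempfile

# Constructed copy of the CSV the console offers after "Create access key".
SAMPLE_CSV = """Access key ID,Secret access key
AKIAIOSFODNN7EXAMPLE,wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Long-term IAM access key IDs start with AKIA and are 20 characters long
# (temporary credentials from a role start with ASIA and don't belong here).
ACCESS_KEY_ID_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")


def parse_access_key_csv(text):
    """Return (access_key_id, secret_access_key) from the downloaded CSV."""
    rows = [line.split(",") for line in text.strip().splitlines() if line.strip()]
    header = [h.strip().lower() for h in rows[0]]
    values = dict(zip(header, (v.strip() for v in rows[1])))
    return values["access key id"], values["secret access key"]


def write_profile(path, profile, key_id, secret):
    """Add [profile] to the credentials file at `path`, creating the file 0600.
    Refuses to overwrite an existing profile so that a rotation is deliberate."""
    if not ACCESS_KEY_ID_RE.match(key_id):
        raise ValueError("not a long-term IAM access key id: %r" % key_id)
    # interpolation=None: secrets may contain characters configparser would
    # otherwise treat as substitution syntax.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)  # keeps other profiles; comments in the file are not preserved
    if cfg.has_section(profile):
        raise FileExistsError("profile %r already exists in %s" % (profile, path))
    cfg[profile] = {"aws_access_key_id": key_id, "aws_secret_access_key": secret}
    os.makedirs(os.path.dirname(os.path.abspath(path)), exist_ok=True)
    # Create (or truncate) the file owner-readable only: the secret is
    # equivalent to the user's password.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        cfg.write(fh)
    return path


def read_profile(path, profile):
    """Read a profile back, the way the CLI would."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read(path)
    return cfg[profile]["aws_access_key_id"], cfg[profile]["aws_secret_access_key"]


def demo(profile="devops"):
    """Run the whole flow against a fresh temporary credentials file."""
    path = os.path.join(tempfile.mkdtemp(), "credentials")
    key_id, secret = parse_access_key_csv(SAMPLE_CSV)
    write_profile(path, profile, key_id, secret)
    return {"path": path, "key_id": key_id, "secret": secret,
            "stored": read_profile(path, profile),
            "mode": stat.S_IMODE(os.stat(path).st_mode)}


if __name__ == "__main__":
    result = demo()
    print(open(result["path"]).read())
```

Once the profile exists, `aws sts get-caller-identity --profile devops` confirms which IAM user the key belongs to. Because the file holds the secret in clear text, it should stay on the machine it was written on, outside any repository, and the key should be deleted in the IAM console when the profile is no longer needed.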
The Final Curtain Call
IAM is your digital helper, deciding who gets access and what they can do inside AWS. By following some simple rules and understanding the different players (users, groups, roles, and policies), you're not only keeping things secure but also making it easy to manage. As you continue your journey into the world of AWS, remember, IAM is your reliable companion, making sure everything stays safe and sound. Happy cloud exploring!