Introduction

Deloitte is an AWS Partner and a strategic global systems integrator. Thanks to its Alliance Program, I can receive training and support to get certificates. One of my 2023 resolutions is to get AWS certification.

Why AWS and why AWS certificates?

  • AWS leads the cloud market with a 33% share, followed by Azure with 21% and Google with 8% (source: Statista).
  • I am not a fan of certificates, but earning them does show your commitment and brings more opportunities to win projects. As a result, it has a positive impact on employer branding.
  • Last year I gained my first experience with AWS from projects. I learned AWS with a bottom-up approach: when I needed a specific service, I started learning that component by reading the official documentation and related tutorials. It was a struggle, and I was never certain whether the chosen architecture was the right one. We ended up needing much more time for the project. The AWS certificate preparation courses teach in a top-down manner and provide the big picture. They lay a solid foundation for AWS.

PS: It takes me much more time to summarize and write up the topics than to learn them. This blog serves as a reference for my learning journey. I am not able to write down every point, but I try to provide an overview of each topic and its best practices. For exam preparation and details, I strongly recommend taking an AWS Certified Solutions Architect Associate course. (There are different certificates to choose from. I plan to complete the AWS Certified Solutions Architect Associate.)

AWS IAM

AWS Identity and Access Management (IAM) is the web service that controls access to AWS resources. You use IAM to manage identities (users, groups, roles) and the permissions attached to them. IAM is a global service and does not require a region selection.

Root User

When you register an AWS account, a root user is created by default. It has unrestricted access to everything in the account, so it is strongly recommended not to use the root user for everyday tasks: protect it with MFA and use it only for the few tasks that require it, such as initial account setup. You should never share your root user credentials with anyone.

IAM User

IAM users are not separate accounts; they are identities within your account. Users usually represent people within an organization and can be grouped. For example, create an IAM user and add it to an admin group that has the AdministratorAccess policy attached. You can have as many IAM users as you like for different purposes. Create user groups to organize users and manage their permissions in one place. A user can belong to multiple groups. User groups can contain only users, not other groups.

Multi Factor Authentication

Multi-Factor Authentication (MFA) is a best practice for protecting the root user and every IAM user with console access. You need the password plus a security device you own, which generates a one-time code to complete the sign-in, so a leaked password alone is not enough to get in.

There are virtual MFA apps like Twilio Authy, Microsoft Authenticator and Google Authenticator, or a physical device such as a YubiKey by Yubico.

IAM Roles and Policies

What is an IAM role? Unlike an IAM user, an IAM role is an AWS identity with permission policies that determine what the identity can and cannot do in AWS, but it has no long-term credentials of its own. IAM roles are assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2 instances and Lambda functions; when a role is assumed, AWS hands out temporary credentials, so no access keys need to be stored on the instance or in the function. You can't directly give an AWS service permission to do something; instead, you grant permissions to AWS services through IAM roles. Common roles are EC2 instance roles, Lambda execution roles, and many more.

Policies can be attached to users, groups, or roles. A policy is a JSON document made of statements; each statement has an Effect (Allow or Deny), the Actions it covers and the Resources it applies to (for example a specific EC2 instance or EBS volume), and optionally a Condition that must hold. A role additionally has a trust policy that states who is allowed to assume it.

To create a role, follow these steps:
Step 1: Select a trusted entity (AWS service, AWS account, etc.). This becomes the role's trust policy, which defines who may assume it.
Step 2: Add permissions policies, for example read-only access to IAM.
Step 3: Name, review, and create.

Here we follow the principle of least privilege, which means not giving a user or role more permissions than it needs to do its job.
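To make the three steps concrete, the Python below (an added example for this post, not code from AWS or from the course; the account ID, bucket name and service are placeholders) builds the two documents a role needs, the trust policy that Step 1 generates for a trusted service and a least-privilege permissions policy for Step 2, and lints them for the wildcards that violate least privilege. It also lints two constructed counter-examples that the console wizard would accept without complaint.

```python
"""Build and lint IAM policy documents offline (added example; placeholders only)."""
from __future__ import annotations

import json

ACCOUNT_ID = "123456789012"   # placeholder account ID, not a real account
BUCKET = "example-reports"    # placeholder bucket name


def permissions_policy(bucket: str) -> dict:
    """Step 2: a least-privilege identity policy that can only list and read one bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOneBucket",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
            {
                "Sid": "ReadObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            },
        ],
    }


def trust_policy(service: str, account_id: str) -> dict:
    """Step 1: the trust policy for a trusted AWS service.

    Only that service principal may call sts:AssumeRole, and the aws:SourceAccount
    condition stops a resource in another account from using the same service to
    assume this role (the confused-deputy case).
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": f"{service}.amazonaws.com"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
            }
        ],
    }


def _as_list(value) -> list:
    """Policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc: dict) -> list[str]:
    """Flag Allow statements that break least privilege: wildcard actions
    ("*" or "service:*"), Resource "*", and an anonymous principal ("*" or {"AWS": "*"})."""
    findings: list[str] = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        actions = _as_list(st.get("Action"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"{sid}: wildcard action {actions}")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"{sid}: Resource is '*'")
        principal = st.get("Principal")
        if principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))
        ):
            findings.append(f"{sid}: anonymous principal")
    return findings


def render(doc: dict) -> str:
    """JSON text ready to be saved and passed as file://... to the CLI."""
    return json.dumps(doc, indent=2)


# Constructed counter-examples: accepted by the wizard, rejected by the lint.
OVERLY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}
PUBLIC_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("permissions", permissions_policy(BUCKET)),
                      ("trust", trust_policy("lambda", ACCOUNT_ID)),
                      ("overly-broad", OVERLY_BROAD), ("public-trust", PUBLIC_TRUST)]:
        print(name, lint_policy(doc) or "ok")
```

Saved to files, the two documents are what the CLI expects in `aws iam create-role --role-name <name> --assume-role-policy-document file://trust.json` and `aws iam put-role-policy --role-name <name> --policy-name <name> --policy-document file://permissions.json`; the lint is a local pre-check, not a replacement for the IAM policy simulator or Access Analyzer.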

Auditing: IAM Security Tools

As soon as you start using several services, you quickly lose the overview of users, credentials and their status. To assist with auditing and compliance you can use the credential report and Access Advisor.

IAM Credential report (account level)

  • A CSV report that lists all of your account's users (including the root user) and the status of their credentials: whether a password is enabled and when it was last used, whether MFA is active, and for each access key whether it is active, when it was last rotated and when and from which service it was last used.
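The following Python, added here as an example and not part of the original post, turns such a report into an action list with the standard library only. The CSV is a constructed sample in the report's real column layout and the reference date is fixed so the results are reproducible; a real report is produced with `aws iam generate-credential-report` and then fetched with `aws iam get-credential-report` (its Content field is base64-encoded CSV). The 90-day threshold is the example's own choice.

```python
"""Audit an IAM credential report for risky credentials (added example)."""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta, timezone

MAX_AGE_DAYS = 90                                  # example threshold, adjust to policy
NOW = datetime(2023, 2, 1, tzinfo=timezone.utc)    # fixed reference date (constructed)

# Constructed sample report: real column names, made-up users and a placeholder account ID.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-01-01T09:00:00+00:00,not_supported,2023-01-20T08:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
xia,arn:aws:iam::123456789012:user/xia,2022-01-10T10:00:00+00:00,true,2023-01-30T07:00:00+00:00,2022-01-10T10:00:00+00:00,N/A,true,true,2022-01-10T10:05:00+00:00,2023-01-31T12:00:00+00:00,eu-central-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-01-15T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-01-15T10:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
contractor,arn:aws:iam::123456789012:user/contractor,2021-06-01T10:00:00+00:00,true,2021-09-01T10:00:00+00:00,2021-06-01T10:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _ts(value: str) -> datetime | None:
    """Parse a report timestamp; the report uses N/A, no_information and not_supported for 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(csv_text: str, now: datetime = NOW,
                            max_age_days: int = MAX_AGE_DAYS) -> dict[str, list[str]]:
    """Return {user: [findings]} for every identity that needs attention."""
    stale = now - timedelta(days=max_age_days)
    findings: dict[str, list[str]] = {}

    def note(user: str, msg: str) -> None:
        findings.setdefault(user, []).append(msg)

    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has console access; IAM users only if a password is enabled.
        console = is_root or row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            note(user, "console sign-in enabled without MFA")
        last_pw = _ts(row["password_last_used"])
        if row["password_enabled"] == "true" and last_pw and last_pw < stale:
            note(user, f"password unused since {last_pw.date()}")
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            note(user, "root user has active access keys")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _ts(row[f"access_key_{n}_last_rotated"])
            used = _ts(row[f"access_key_{n}_last_used_date"])
            if rotated and rotated < stale:
                note(user, f"access key {n} not rotated since {rotated.date()}")
            if used is None:
                note(user, f"access key {n} has never been used")
            elif used < stale:
                note(user, f"access key {n} unused since {used.date()}")
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

Note the asymmetry the report makes visible: ci-deploy has no password, so the missing MFA is not a finding for it (MFA protects console sign-in), but its never-used access key is; a key that was created and never touched is a candidate for deletion rather than rotation.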

IAM Access advisor (user-level)

  • Access Advisor shows the service permissions granted to a user (it is also available for groups, roles and policies) and when those services were last accessed. Permissions that have never been used, or not for a long time, can be removed to move the identity towards least privilege.

Three Methods to Access AWS

AWS Management Console

The most common method is the Management Console, a web UI through which you can access and manage AWS resources from a browser.

Tip: Create an account alias so that when you need to sign in as an IAM user in the console you don't need to remember the 12-digit account ID; the sign-in URL becomes https://<alias>.signin.aws.amazon.com/console. The alias setting is in the top-right corner of the IAM dashboard.

AWS CLI

The AWS Command Line Interface (CLI) provides programmatic access to AWS services from your terminal. You need to install the AWS CLI first and configure it with credentials (aws configure stores them under ~/.aws). You can refer to all AWS CLI commands in the official documentation.

The following are some simple use cases for IAM.

# Check if aws is installed and its version 
aws --version

# Create a new configuration
aws configure

# List the configuration     
aws configure list

# Create group
aws iam create-group --group-name admin

# List all groups
aws iam list-groups

# Attach policy to group
aws iam attach-group-policy --group-name admin --policy-arn arn:aws:iam::aws:policy/AdministratorAccess

# List attached group policies 
aws iam list-attached-group-policies --group-name admin

# Create a user
aws iam create-user --user-name xia

# Add user to a group
aws iam add-user-to-group --user-name xia --group-name admin

# Create access key for a user (the SecretAccessKey is only returned in this response;
# store it in a secrets manager and never commit it to source control)
aws iam create-access-key --user-name xia

AWS SDK

The AWS Software Development Kits (SDKs) support programming languages like Java, C++, Python and many more, so developers can build applications that call AWS services directly. The SDKs pick up credentials from the same places as the CLI (environment variables, the ~/.aws files, or the role attached to the instance or function), so application code never needs to contain access keys.

IAM Best Practices

To sum up, AWS provides a lot of services, and IAM is the first thing you need to understand in order to manage permissions. Nine best practices are summarized:

  • Don’t use the root account except for AWS account setup
  • One physical user = One AWS user
  • Assign users to groups and assign permission to groups
  • Create a strong password policy
  • Use and enforce the use of multi-factor authentication (MFA)
  • Create and use roles for giving permissions to AWS services
  • Use access keys only for programmatic access (CLI / SDK) where a role cannot be used, and rotate them
  • Audit permissions of your account with the IAM credential report and Access Advisor
  • Never share IAM users and access keys

Credential:

❤️ Please visit my home page to find more content. I am happy to connect with you via LinkedIn.