Comprehensive Guide to AWS IAM: Users, Groups, Permissions, and Best Practices
Introduction to AWS IAM
AWS Identity and Access Management (IAM) is a service that allows you to manage access to your AWS resources securely. You can control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM is fundamental to AWS security and provides fine-grained access control to AWS services and resources.
1. IAM: Users and Groups
IAM Users
Definition: An IAM user is an entity that you create in AWS to represent the person or service that uses it to interact with AWS. A user in IAM is not the same as a user in your organization.
Use Cases: Users are often created for individuals or applications that need to access AWS services.
IAM Groups
Definition: An IAM group is a collection of IAM users. You can attach policies to a group, and all users in that group inherit the permissions.
Use Cases: Groups are useful when you want to grant the same set of permissions to multiple users, such as developers, admins, or QA engineers.
Task 1: Creating IAM Users and Groups
Create Groups:
Developer
Quality Assurance
DevOps Administrator
Create Users:
Assign users to the appropriate groups.
For example, add user "Ali" to the Developer group.
2. IAM: Permissions
What are IAM Permissions?
Definition: IAM permissions specify what actions users or services can perform on specific AWS resources.
Structure: Permissions are defined using IAM policies, which are JSON documents that define the allowed or denied actions.
Example: Permissions Scenario
Who: Ali (the IAM user the policy is attached to)
What Action: Can GET/PUT objects in S3 (s3:GetObject, s3:PutObject)
Which AWS Resource: Bucket = "*" (any bucket; a real policy would name one)
When: Until Dec 31, 2025
Where: From the IP range 203.0.113.0/24 (the RFC 5737 documentation range is used here because the original value had octets above 255 and was not a valid address)
How: Only if the request was made with MFA
3. IAM Policies Structure
Understanding IAM Policies
- Policy Document: IAM policies are written in JSON and consist of elements such as Version, Statement, Effect, Action, Resource, and Condition. Resource-based policies (for example bucket policies) additionally carry a Principal element naming who the statement applies to.
Policy Structure Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "DateLessThan": {
          "aws:CurrentTime": "2025-12-31T23:59:59Z"
        },
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        },
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
All three operators in the Condition block must match for the statement to apply. Note that aws:MultiFactorAuthPresent is absent (not "false") from requests signed with long-term access keys, so the Bool check fails for those too.
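The who/what/where/when/how scenario above and the policy that encodes it can be checked offline. The following Python is an added example, not code from the page or from AWS: it evaluates the three condition operators the policy uses (DateLessThan, IpAddress, Bool) against constructed request contexts, using only the standard library. Assumptions: the IP condition is written as the valid CIDR 203.0.113.0/24, the request contexts and the object key are constructed for the example, and only the operators that appear on the page are implemented.

```python
import ipaddress
import json
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# The policy from the page; the IP condition uses the RFC 5737 documentation
# range 203.0.113.0/24, which is an assumption of this example.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {
      "DateLessThan": {"aws:CurrentTime": "2025-12-31T23:59:59Z"},
      "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
      "Bool": {"aws:MultiFactorAuthPresent": "true"}
    }
  }]
}
""")


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list of strings
    return value if isinstance(value, list) else [value]


def _parse_time(value):
    # IAM uses ISO 8601; fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def condition_matches(condition, ctx):
    """True when every operator/key pair in the Condition block matches the request
    context. A context key that is absent is a non-match, as in IAM (only the
    ...IfExists operators treat a missing key otherwise)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual = ctx[key]
            if operator == "DateLessThan":
                ok = _parse_time(actual) < _parse_time(expected)
            elif operator == "IpAddress":
                ok = ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                raise ValueError(f"operator {operator} is not supported by this example")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Single-policy check: some Allow statement whose Action, Resource and Condition all match."""
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts for Ali's requests (the "who" is implied by the policy
# being attached to his user).
OBJECT = "arn:aws:s3:::example-bucket/reports/q1.csv"
GOOD_CTX = {"aws:CurrentTime": "2025-06-01T12:00:00Z", "aws:SourceIp": "203.0.113.7",
            "aws:MultiFactorAuthPresent": "true"}
NO_MFA_CTX = {**GOOD_CTX, "aws:MultiFactorAuthPresent": "false"}
WRONG_IP_CTX = {**GOOD_CTX, "aws:SourceIp": "198.51.100.7"}
EXPIRED_CTX = {**GOOD_CTX, "aws:CurrentTime": "2026-01-01T00:00:00Z"}
# Long-term access keys carry no MFA context key at all, so the key is simply missing.
ACCESS_KEY_CTX = {k: v for k, v in GOOD_CTX.items() if k != "aws:MultiFactorAuthPresent"}

if __name__ == "__main__":
    for name, ctx in [("good", GOOD_CTX), ("no MFA", NO_MFA_CTX), ("wrong IP", WRONG_IP_CTX),
                      ("expired", EXPIRED_CTX), ("access key", ACCESS_KEY_CTX)]:
        print(f"{name:10} GetObject -> {is_allowed(POLICY, 's3:GetObject', OBJECT, ctx)}")
    print(f"{'good':10} DeleteObject -> {is_allowed(POLICY, 's3:DeleteObject', OBJECT, GOOD_CTX)}")
```

The ACCESS_KEY_CTX case is the one practitioners most often get wrong: a request signed with long-term keys has no aws:MultiFactorAuthPresent key, so a Bool condition on "true" fails for it, while a policy that instead uses "BoolIfExists" with "false" would behave differently. Condition keys in real policies may also carry lists of values; this example handles single values only.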
4. IAM Policy Evaluation Logic
How IAM Evaluates Policies
Default (Implicit) Deny: Every request starts out denied; access exists only if some policy grants it.
Explicit Allow: An Allow statement in an applicable policy overrides the implicit deny.
Explicit Deny: A Deny statement in any applicable policy (identity-based, resource-based, SCP, permissions boundary) overrides every Allow.
SCPs and permissions boundaries never grant permissions by themselves; they only limit what identity-based policies can grant.
Example Scenarios
To make this clear, let's go through a couple of example scenarios.
Scenario 1: Simple Allow and Deny
User: Sarah
Action: Wants to read objects from an S3 bucket.
Policies:
Identity-based Policy (attached to Sarah):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
Resource-based Policy (bucket policy on my-bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/secret/*"
    }
  ]
}
Evaluation:
Default Deny: Initially, the request is denied.
Evaluate Policies: IAM finds an allow for s3:GetObject on the whole bucket in the identity-based policy, but also a deny for objects under the secret/ prefix (shown as a folder in the console) in the bucket policy.
Explicit Deny: Because the bucket policy explicitly denies access to objects under secret/, any request for those objects is denied regardless of what the identity-based policy allows.
Explicit Allow: If Sarah requests an object outside secret/, only the allow applies and the request succeeds.
Result: Sarah can read objects in my-bucket/* except those in my-bucket/secret/*.
Scenario 2: Service Control Policy (SCP) Impact
Account: Part of an AWS Organization with an SCP.
SCP (attached to the account or its OU):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
User: John
Action: Wants to terminate an EC2 instance.
Identity-based Policy: Allows terminating EC2 instances.
Evaluation:
Default Deny: The request starts as denied.
Evaluate Policies: The identity-based policy allows John to terminate EC2 instances, but the SCP denies this action.
Explicit Deny: The SCP denies the action, overriding the identity-based allow.
Result: John’s request to terminate the EC2 instance is denied.
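Both scenarios can be replayed with a small model of the evaluation order. The following Python is an added example, not code from the page or from AWS: it implements implicit deny, explicit deny, the SCP bound and the identity/resource-based allow for a principal in the same account as the resource. Assumptions: the principal is in the same account so Principal matching in the bucket policy is skipped, conditions, permissions boundaries and session policies are left out, the FullAWSAccess SCP that AWS Organizations attaches by default is included beside the page's deny-only SCP (without any SCP Allow nothing in the account would be permitted), and the request ARNs are constructed.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    # IAM lets Statement, Action and Resource be a single value or a list
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """Does this statement cover the action on the resource? (* and ? wildcards, no conditions)"""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))) and
            any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))


def effects(policies, action, resource):
    """Set of Effect values of every matching statement across the given policies."""
    return {s["Effect"] for p in policies for s in _as_list(p["Statement"])
            if statement_matches(s, action, resource)}


def evaluate(action, resource, identity=(), resource_based=(), scps=()):
    """Simplified same-account evaluation order:
      1. start from implicit deny;
      2. an explicit Deny in any applicable policy wins;
      3. if the account is under SCPs, some SCP must Allow the action (SCPs bound, never grant);
      4. an Allow in an identity-based or resource-based policy grants access."""
    identity, resource_based, scps = list(identity), list(resource_based), list(scps)
    if "Deny" in effects(identity + resource_based + scps, action, resource):
        return "explicit-deny"
    if scps and "Allow" not in effects(scps, action, resource):
        return "scp-implicit-deny"
    if "Allow" in effects(identity + resource_based, action, resource):
        return "allow"
    return "implicit-deny"


# Scenario 1 from the page: Sarah's identity policy plus the bucket policy on my-bucket.
SARAH_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}]}
MY_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/secret/*"}]}

# Scenario 2 from the page: John's identity policy and the organization's SCPs.
JOHN_IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_TERMINATE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}

INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"  # constructed


def scenario_results():
    """Constructed requests for both scenarios, keyed by a short label."""
    sarah = dict(identity=[SARAH_IDENTITY], resource_based=[MY_BUCKET_POLICY])
    john = dict(identity=[JOHN_IDENTITY], scps=[FULL_AWS_ACCESS_SCP, NO_TERMINATE_SCP])
    return {
        "sarah-public": evaluate("s3:GetObject", "arn:aws:s3:::my-bucket/readme.txt", **sarah),
        "sarah-secret": evaluate("s3:GetObject", "arn:aws:s3:::my-bucket/secret/keys.txt", **sarah),
        "sarah-put": evaluate("s3:PutObject", "arn:aws:s3:::my-bucket/readme.txt", **sarah),
        "john-terminate": evaluate("ec2:TerminateInstances", INSTANCE, **john),
        "john-describe": evaluate("ec2:DescribeInstances", INSTANCE, **john),
    }


if __name__ == "__main__":
    for label, verdict in scenario_results().items():
        print(f"{label:15} {verdict}")
```

The sarah-put case shows the third outcome the page does not spell out: no policy mentions s3:PutObject, so the request falls through to the implicit deny rather than an explicit one. That distinction matters in practice because an implicit deny can be fixed by adding an Allow, whereas an explicit deny has to be removed from whichever policy carries it.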
5. IAM Password Policy
Setting Up a Password Policy
Definition: The account password policy lets you enforce strength requirements for IAM users' console passwords, such as minimum length, required character classes, expiration periods, and prevention of password reuse. It applies to IAM users only; the root user's password is not governed by it.
Best Practices: Require long, complex passwords, prevent reuse, and enforce regular changes; above all, require MFA, since a password policy alone does not stop a phished or leaked password from being used.
6. Multi-Factor Authentication (MFA)
What is MFA?
Definition: Multi-Factor Authentication adds an extra layer of security by requiring users to provide two or more verification factors to gain access.
How It Works: Typically, users need to provide something they know (password) and something they have (MFA device).
7. MFA Devices Options in AWS
Types of MFA Devices
Virtual MFA Devices: TOTP authenticator apps such as Google Authenticator.
Hardware MFA Devices: Physical TOTP tokens, and FIDO2 security keys such as YubiKey. Security keys are phishing resistant, which TOTP codes are not, so prefer them for the root user and administrators.
SMS MFA: Authentication via text message. AWS offered this only as a limited preview that has since ended, and it is the weakest of the options because SMS can be intercepted or SIM-swapped.
8. How Can Users Access AWS?
Access Methods
AWS Management Console: Web-based interface.
AWS CLI: Command-line interface for scripting and automation.
AWS SDKs: Software Development Kits for programming languages.
IAM Roles: Temporary credentials obtained by assuming a role (through AWS STS), used by AWS services, federated users, and workloads instead of long-term access keys.
9. What’s the AWS CLI?
Definition and Use
Definition: AWS Command Line Interface (CLI) is a tool to manage AWS services via command-line commands.
Use Cases: Automating tasks, scripting, and bulk operations.
10. What’s the AWS SDK?
Definition and Use
Definition: AWS Software Development Kits (SDKs) provide APIs for interacting with AWS services using programming languages like Python, JavaScript, Java, etc.
Use Cases: Integrating AWS services into your applications.
11. IAM Roles for Services
What are IAM Roles?
Definition: An IAM role is an IAM identity that you create in your account with specific permissions. Unlike a user it has no long-term credentials; a trust policy defines which entities (IAM users, applications, AWS services, or external accounts) may assume it, and assuming it returns temporary credentials that carry the role's permissions.
Use Cases: Allowing EC2 instances to access S3 buckets, enabling Lambda functions to access DynamoDB, etc.
12. IAM Security Tools
Security Tools Overview
IAM Access Analyzer: Identifies resources (S3 buckets, IAM roles, KMS keys, and others) that are shared with principals outside your account or organization; it can also validate policies and generate least-privilege policies from CloudTrail activity.
IAM Credential Report: A downloadable CSV listing every IAM user's credentials and their status (password enabled, MFA active, access key age and last use), useful for finding stale keys and users without MFA.
AWS CloudTrail: Records API calls made in the account (management events by default, with S3 and Lambda data events as an opt-in), enabling auditing and monitoring of who did what and when.
13. IAM Guidelines & Best Practices
Best Practices for Using IAM
Principle of Least Privilege: Grant only the permissions necessary for users to perform their tasks.
Lock Down the Root User: Never use the root user for day-to-day work; protect it with a hardware MFA device, give it no access keys, and use IAM roles (temporary credentials) instead of long-term access keys wherever possible.
Enable MFA for All Users: Protect your AWS environment by enabling MFA.
Rotate Credentials Regularly: Rotate access keys and passwords on a schedule, remove keys and users that are no longer used, and use the credential report to find credentials that have gone stale.
Monitor and Audit: Use CloudTrail and IAM Access Analyzer to monitor and audit permissions and access.
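The credential report from section 12 is the quickest way to check the MFA and rotation practices listed above. The following Python is an added example, not code from the page or from AWS: it parses a constructed report in the layout of the first columns of a real credential report and flags console users without MFA, root access keys, and access keys older than a chosen age. Assumptions: the sample rows and the example account ID 123456789012 are constructed, only the first eleven report columns are included (a real report continues with access_key_2 and certificate columns), and "now" is pinned to 2025-06-01 so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of the first columns of an IAM credential report.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2025-05-30T08:00:00+00:00,not_supported,not_supported,true,true,2021-03-01T00:00:00+00:00,2025-05-30T08:00:00+00:00
ali,arn:aws:iam::123456789012:user/ali,2024-01-15T10:00:00+00:00,true,2025-05-31T09:12:00+00:00,2025-03-01T10:00:00+00:00,N/A,true,true,2025-04-01T10:00:00+00:00,2025-05-31T09:12:00+00:00
sarah,arn:aws:iam::123456789012:user/sarah,2023-06-10T10:00:00+00:00,true,2025-05-20T09:12:00+00:00,2023-06-10T10:00:00+00:00,N/A,false,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2022-02-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-11-01T00:00:00+00:00,2025-05-31T00:00:00+00:00
"""

# Pinned "now" so the day counts below are reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Report cells hold ISO 8601 timestamps or markers such as N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit(report_text, now=NOW, max_key_age_days=90):
    """Return (user, finding) pairs, in report order, for the checks the best practices call for."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Anyone who can sign in to the console (root always can) must have MFA.
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            findings.append((user, "console sign-in enabled without MFA"))
        if row["access_key_1_active"] == "true":
            if is_root:
                findings.append((user, "root user has an active access key"))
            rotated = parse_ts(row["access_key_1_last_rotated"])
            if rotated is not None:
                age = (now - rotated).days
                if age > max_key_age_days:
                    findings.append((user, f"access key 1 not rotated for {age} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

In a real account the report is fetched with the GenerateCredentialReport and GetCredentialReport API calls (or aws iam get-credential-report in the CLI); the returned CSV can be passed to audit() unchanged. The ci-deploy row is the typical finding: a machine user with no console password, so the MFA check correctly skips it, but with a long-lived key that should have been replaced by a role.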
Conclusion
AWS IAM is a powerful and flexible tool for managing access to AWS resources. By understanding IAM users, groups, policies, and best practices, you can ensure that your AWS environment remains secure and well-organized. Implementing strong IAM policies and enforcing security measures like MFA are crucial steps in safeguarding your cloud infrastructure.