Whizlabs BlogKnowledge Hub for Project Managers & Tech Geeks
AWS Certification : AWS Identity and Access Management (IAM)
We have launched AWS Certified Solutions Architect Associate certification exam which is the basic level of AWS certifications. As part of training AWS certification topics, we have started writing important topics that are useful for preparing for the aws certification exams. In this articles, we are writing about AWS CloudTrail logs, these topics are part of the security in Amazon Web Services (AWS). Here is the snapshot of the exam blueprint.
This topic addresses the Data Security topic as highlighted in the AWS Blueprint for the exam guide.
The Identity and Access Management feature which is IAM for short is a security mechanism which is designed to provide access to resources on aws to users.
What is IAM and what are its features?
As mentioned in the Exam Objective, IAM or Identity and Access Management allows one to define users to have access to resources in aws.
Some of the key features of IAM are given below
- Ability to define users who would have their own access to resources – You can define users and groups which can be given selective access to resources. So you could give users access to only see the EC2 instances, but not create any new ones. You can give access to users to only access the S3 service. So there are multiple ways in which IAM can be used to provide access to resources in aws.
- Ability to create Policies – Access to specific resources can be segregated as Policies which can be applied to a set of users or resources. For example, you can secure what resources your EC2 instances can access by creating a separate policy for EC2 instances.
- Identity federation – You can have users who have passwords stored elsewhere to log into AWS. For example, you can have users defined in your on-premise location to have access to resources in AWS.
- IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider. This is a measure which is compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
- There is no additional charge with using IAM.
The below diagram shows the simplistic scenario where an Admin user would access the resources in an AWS account using IAM.
One can work with IAM in anyone of the following ways
- The AWS management console – When one goes to the console, one can go to the Security Dashboard and see the various options for Security Credentials. Here one can create Groups, Users, Policies, Roles and work with other security settings.
- AWS Command line tools – One can download and install the command line interface tools for AWS. More information on the CLI tools can be found in this link.
Once you download the CLI and install it, you can use the command prompt to configure the CLI as shown below. Once configured, you can use various commands using the CLI.
One you configure the AWS CLI, you can issue various commands. One example is give below which is to describe all the EC2 instances via the ec2 describe-instances command. This will give the output as JSON.
- AWS SDK – You can use the development kits available from AWS for various programming languages for .Net and Java to work with IAM. For more information on the various SDK’s available , please visit the site here.
Operations in IAM
Now let’s look at some of the operations we can perform in IAM
- Making sure your security status is green overall. The first key point in IAM is to ensure that the overall status of your IAM configuration is green. When you log into IAM, the dashboard will give you 5 points that must be addressed as shown below. Ensure that each point is addressed separately.
- Creating users – This can be done by going to the users section and clicking on the “Add user” button.
You will then be provided a wizard to enter the user details and set the permissions of the user accordingly in the various screens given below.
Screen 1 – User definition
Screen 2 – Permissions Screen
Here you need to assign the relevant permissions to the user.
Screen 3 – Review Screen
The next screen is the review screen. Once you are ok with settings, you can use this screen to confirm the creation of the user.
Once the user has been created, you will get a Success message and a url which will be used to log into the console.
In the new URL, the user will be presented with a different log in screen to sign in as shown below.
Once the user has logged in, they will access to only those resources they are authorized to use.
- Defining Roles – Roles are used to give a set of permissions to users or resources. Let’s take an example where we need to create a role for an EC2 instance which can be used to publish updates to S3. We can do this in the following way –
- Click on Create New Role in the Roles screen
- Give a name to the Role
- Since we need to give a role to an EC2 instance , choose on Select for Amazon EC2
- Attach a policy. Since we need to provide S3 Full Access, let’s choose the “AmazonS3FullAccess” Policy.
- Once the role has been confirmed, you can confirm on the role in the final screen.Now this role can be attached to various EC2 instances that need to access the S3 resource.
- Getting the Secret Access Keys – In order to use the AWS CLI or use the SDK, you need to have the Access keys. The password for the user is only used to login into the console. But in order to use the CLI or SDK, you need to use the Access keys. For this , you can go to the defined user , go to the Security credentials tab and then click on Create access key.
You will then be prompted to download the Access Key ID and the Secret Access Key. Please download these and keep it in a safe place. Both of these keys are required to log into either the AWS CLI or the SDK.
AWS Certification Points to Remember about IAM
- IAM does support a wide variety of credentials mechanisms such as Access keys, X.509 Certificates, SSH keys, password for web applications or a Multi-Factor authentication device.
- The users defined in IAM are defined at a global level and not at a region level.
- It is possible to have password policies in IAM. So you can define a password rotation policy in IAM for users. This is in alignment with the worldwide security standards.
- IAM has a policy simulator which can help you test and validate policies.
- One can log all IAM users’ actions via the Cloud Trail service.
We have learnt about the IAM in AWS and how to configure it. There are many other features that are useful for managing your business. If you have any questions about the IAM, please write it in the comments section.
It is important to practice more number of questions for preparing for the solutions architect certification exam. We have prepared 300+ high quality questions that covers all the exam objectives and provides explanation for all the option given for the question. This would help you to improve our confidence on the exam before you are taking the real exam.
- 300+ Practice Questions for Solutions Architect Associate Exam
- How to prepare for solutions architect associate exam?
If you are looking for any technical support like more explanation on each questions or clarifications, we have a dedicated support for Amazon Web Services (AWS) to answer all your queries. You can drop us a mail at firstname.lastname@example.org with your queries. We would respond to your questions within 12 hours of time.
Good luck for your exam preparation!!