
Beginner's Guide to Cloud Security: Understanding AWS IAM

Updated
9 min read

Hi, I'm Keerthi Ravilla Subramanyam, a passionate tech enthusiast with a Master's in Computer Science. I love diving deep into topics like Data Structures, Algorithms, and Machine Learning. With a background in cloud engineering and experience working with AWS and Python, I enjoy solving complex problems and sharing what I learn along the way. On this blog, you’ll find articles focused on breaking down DSA concepts, exploring AI, and practical coding tips for aspiring developers. I’m also on a journey to apply my skills in real-world projects like predictive maintenance and data analysis. Follow along for insightful discussions, tutorials, and code snippets to sharpen your technical skills.

Securing cloud resources is essential for any organization, and Amazon Web Services (AWS) offers a comprehensive Identity and Access Management (IAM) service that plays a critical role in managing access to AWS resources. AWS IAM enables administrators to define who can access specific resources, under what conditions, and to what extent. By effectively utilizing IAM, organizations can implement security policies that align with compliance and governance requirements while ensuring users have the appropriate permissions to perform their tasks without compromising sensitive data.

AWS IAM is not just about authentication and authorization; it also provides essential tools for monitoring and auditing access patterns, ensuring that organizations maintain a secure environment. This article will delve into the key components of AWS IAM, highlighting its features and best practices to enhance cloud security.

Key Components of AWS IAM

  1. Users in AWS IAM are individual identities that can log in to AWS and access resources, with each user receiving specific permissions according to their roles within the organization.

  2. Groups are collections of users, and by assigning permissions to a group, administrators can efficiently manage access for multiple users, simplifying permission management.

  3. Roles in AWS IAM are like users but are meant for AWS services or applications, allowing them to temporarily assume permissions for secure interactions between AWS resources.

  4. Policies are documents that define permissions and are attached to users, groups, or roles to specify allowed or denied actions on resources, and they can be managed (AWS-managed or customer-managed) or inline.

  5. Multi-Factor Authentication (MFA) enhances security by requiring users to provide multiple verification factors to access AWS resources, greatly reducing the risk of unauthorized access.

  6. Access keys, made up of an access key ID and a secret access key, enable programmatic access to AWS services through the AWS CLI or SDKs, and their proper management (rotation, never committing them to source code) is essential for security.

  7. Identity Federation allows users to access AWS resources with credentials from external identity providers like corporate directories or social media accounts.

  8. CloudTrail Integration logs API calls, helping organizations track user activity, monitor changes, and meet audit requirements.

  9. IAM Access Analyzer helps administrators identify and refine security by showing which resources can be accessed from outside an account.

  10. Service Control Policies (SCPs) in AWS Organizations manage permissions across multiple accounts, enforcing security and compliance policies.

Project overview

In this project, our primary objective is to utilize AWS Identity and Access Management (IAM) to establish secure access controls for our cloud resources. We will set up two EC2 instances and use effective tagging strategies to improve resource organization and management. By assigning specific tags to each instance, we can better track and allocate costs while maintaining strong security through IAM policies. This hands-on project will give us valuable insights into best practices for identity and access management, ensuring that cloud resources are both secure and efficiently managed.

Step 1: Create EC2 instances

In this step, we will create Amazon EC2 (Elastic Compute Cloud) instances, which are scalable virtual servers that enable you to run applications in the cloud. EC2 instances offer flexibility, allowing you to choose various configurations based on your computing needs, including different operating systems and instance types optimized for specific workloads. Let’s get started.

  1. Navigate to EC2 Service:

    • Access the AWS Management Console and log in with your credentials.

    • Search for the EC2 service in the search bar and click on it.

  2. Launch a New Instance:

    • Click the Launch Instance button in the EC2 dashboard to create new instances.

  3. Set Instance Name and Tags:

    • In the Name and Tags section, set the name for your instance to something unique, like "access_production_yourname" (since instance names must be globally unique).

    • To add tags, click on Add Tag and set:

      • Key: Env

      • Value: production

    • Adding descriptive tags helps in organizing and identifying your instances easily.

  4. Choose an Amazon Machine Image (AMI):

    • Ensure that you select an Amazon Machine Image (AMI) eligible for the Free Tier to avoid unnecessary costs.

    • A good option is Amazon Linux 2 AMI (Free Tier eligible).

  5. Proceed Without a Key Pair:

    • In the Key Pair section, choose Proceed without a key pair. (Note: This is generally not recommended, as without a key pair, you won’t be able to SSH into the instance unless you use another method for access.)

  6. Select Instance Type:

    • Choose t2.micro (Free Tier eligible) as your instance type.

  7. Launch Your Instance:

    • Leave everything else at the default.

    • Review all settings, and once everything looks good, click Launch Instance to create your EC2 instance.

  8. Now follow the steps above to create another instance with the details below:

    • Name: access_development_yourname

    • Tag key: Env

    • Tag value: development

Step 2: Create an IAM policy

In this step, we will define an IAM policy, which is a set of permissions that determines what actions are allowed or denied for specific AWS resources. IAM policies are written in JSON format and can be attached to IAM users, groups, or roles to manage access control effectively. By creating and applying IAM policies, you can enforce security best practices and ensure that users have the appropriate level of access to perform their tasks. Let’s move forward.

  1. Navigate to Policies:

    • Navigate to the IAM (Identity and Access Management) service.

    • In the left-hand navigation pane, click on Policies.

  2. Create a New Policy:

    • At the top of the Policies page, click on Create policy to start building a new policy.
  3. Switch to JSON Editor:

    • In the policy creation screen, switch to the JSON tab for direct code input.

    • Important: Delete all existing code from the editor before proceeding.

        {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "ec2:*",
              "Resource": "*",
              "Condition": {
                "StringEquals": {
                  "ec2:ResourceTag/Env": "development"
                }
              }
            },
            {
              "Effect": "Allow",
              "Action": "ec2:Describe*",
              "Resource": "*"
            },
            {
              "Effect": "Deny",
              "Action": [
                "ec2:DeleteTags",
                "ec2:CreateTags"
              ],
              "Resource": "*"
            }
          ]
        }

    • What each statement does (an IAM policy document is plain JSON and does not accept // comments, so keep any explanations outside the editor):

      • The first statement allows all EC2 actions, but only on resources tagged with Env=development.

      • The second statement allows the read-only Describe* actions on all EC2 resources, so the user can still list instances in the console.

      • The third statement explicitly denies tag creation and deletion on all EC2 resources. In IAM an explicit Deny always overrides an Allow, so the user cannot retag an instance (for example from production to development) to widen their own access.

    • Copy the provided policy (or your desired policy) and paste it into the JSON editor.

  4. Review and Customize the Policy:

    • Once you're satisfied with the policy, click Next to move to the next step.

    • Add Policy Details:

      • Fill in the policy's details:

        Name: DevEnvironmentPolicy

        Description: IAM Policy for project's development environment

  5. Create the Policy:

    • Review the information carefully.

    • When you're ready, click Create policy to complete the process.

  6. You have successfully created the IAM policy.

Step 3: Create an AWS Account Alias

In this step, we will create an account alias, which is a user-friendly name for your AWS account that simplifies the login process. By setting up an alias, you can replace the default AWS account ID in the sign-in URL with a more recognizable name, making it easier to access your account. This feature enhances usability and helps improve the overall user experience when managing your AWS resources. Let’s proceed.

  1. In the Account Alias section on the right side of the IAM dashboard, click on Create.

  2. In the Preferred alias field, type account-alias-yourname, replacing yourname with your preferred name.

  3. After entering the alias, click Create alias to confirm and apply it.

Step 4: Create an IAM user group

In this step, we will create an IAM user group, which is a collection of IAM users that share the same permissions. User groups simplify the management of permissions by allowing you to assign policies to the group rather than individually to each user. This approach streamlines access control, ensuring that users within the group have consistent permissions to AWS resources.

  1. In the left-hand navigation panel, select User groups.

  2. Click on Create group to initiate the setup for your first user group.

  3. Configure the User Group:

    • Name: Enter dev-group as the name for your user group.

    • Attach Permission Policies: Select DevEnvironmentPolicy from the list of available policies.

  4. Click on Create user group.

  5. You’ll see a success message confirming the creation of your user group. Now, let's proceed to add users to this group.

Step 5: Create a new user

In this step, we will create IAM users, which are unique identities within your AWS account that allow individuals or applications to securely access AWS resources. IAM users can have specific permissions assigned to them through policies, enabling granular control over what actions they can perform and which resources they can access. By creating IAM users, we can effectively manage access and enhance security in our AWS environment.

  1. Create a New User:

    • Select Users from the left-hand navigation panel, then click Create user to set up your new user account.

    • In the User name field, enter dev-yourname (replace "yourname" with your actual name).

    • Select “I want to create an IAM user” option.

    • Under Console password, select Autogenerated password.

    • Uncheck the option Users must create a new password at next sign-in - Recommended.

  2. Assign Permissions:

    • To grant permissions to the user, select the checkbox next to the user group you previously created, dev-group.

    • Click Next to continue.

  3. Create the User:

    • Finally, click Create user.

    • You’ll see a success message along with the sign-in details for your new user. Keep this page open for reference.

    • Remember to save these login details.

Step 6: Test your user's access

  1. Sign In as the New IAM User

    • Copy the Console Sign-in URL: From the IAM tab, copy the Console sign-in URL for your newly created user.

    • Open an Incognito Window:

      • In your web browser, open a new incognito or private browsing window.

      • Access the Console Sign-in URL: Paste the copied URL into the incognito window.

      • Use the User name and Console password provided in your IAM tab to log in.

  2. Navigate to the EC2 Console:

    • Make sure you are in the same Region where your production and development instances are deployed.

    • Click on the Instances link in the left-hand navigation pane.

    • The EC2 dashboard panels already show access denied messages for other Regions.

  3. Test Access on Production Instance

    • Find your production instance in the list and select it.

    • Click on the Actions dropdown.

    • Select Instance State > Manage instance state.

    • Choose the Stop option and click on Change state.

    • Confirm by selecting Stop.

  4. An error message will appear at the top of the page indicating that you are not authorized to stop this instance. This is expected as the IAM policy restricts permissions on production instances.

  5. Next, let’s proceed with changing the state of your development instances. Follow the same steps as outlined above: select your development instance and attempt to modify its state.

  • It should work, as the policy allows state changes on instances tagged with Env=development.
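To see why the checks in this step (and the statements of the policy in Step 2) come out the way they do, here is an added example that is not from the original post: it evaluates the DevEnvironmentPolicy offline in Python against two constructed instances (hypothetical IDs i-0prod and i-0dev) mirroring the ones tagged in Step 1. It models only the parts of IAM evaluation this policy needs: wildcard action matching, the StringEquals condition on ec2:ResourceTag, and the rule that an explicit Deny overrides any Allow.

```python
import fnmatch
import json

# DevEnvironmentPolicy from Step 2 as a JSON string; real policy documents
# contain no comments, so this parses cleanly.
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2:*", "Resource": "*",
   "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}}},
  {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
  {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"],
   "Resource": "*"}]}"""

# Constructed sample instances (hypothetical IDs) mirroring the two tagged in Step 1.
INSTANCES = {"i-0prod": {"Env": "production"}, "i-0dev": {"Env": "development"}}


def _matches(pattern, action):
    # IAM action names are case-insensitive and patterns may use '*'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_ok(stmt, tags):
    # Only StringEquals on ec2:ResourceTag/<key> is modelled, which is all this
    # policy uses; a resource lacking the tag key does not satisfy the condition.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        prefix = "ec2:ResourceTag/"
        if not key.startswith(prefix) or tags.get(key[len(prefix):]) != expected:
            return False
    return True


def evaluate(policy, action, tags):
    """'allow' or 'deny' per IAM's basic evaluation order: an explicit Deny
    beats any Allow, and with no matching Allow the result is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if not any(_matches(p, action) for p in actions):
            continue
        if not _condition_ok(stmt, tags):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "deny"


def check(action, instance_id):
    """Evaluate one EC2 action against one of the constructed instances."""
    return evaluate(json.loads(POLICY_JSON), action, INSTANCES[instance_id])
```

Against a real account, the IAM policy simulator (or `aws iam simulate-custom-policy`) performs the same evaluation using your actual policy document and instance tags.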

Remember to delete all the resources you created to avoid being billed.

Congratulations! 🎉 You’ve successfully created your own IAM policies and implemented key components of AWS Identity and Access Management. By focusing on IAM, you’ve improved the security and compliance of your cloud environment. Visit the network.org platform for more interesting projects and continue learning. Stay tuned for our upcoming articles in the AWS series.

AWS cloud

Part 6 of 10

Welcome to my AWS series on Hashnode!☁️. In this journey, I’ll dive into the powerful features of AWS, sharing insights, tutorials, and best practices. Join me as we level up our cloud skills and celebrate our growth in cloud computing! 🎉🚀
