[go: up one dir, main page]

DEV Community

Timileyin Ikumapayi
Timileyin Ikumapayi

Posted on

Cloud Security with AWS IAM

What is AWS IAM?

AWS IAM (Identity and Access Management) is a service to securely manage access to AWS resources. It enables user, group, and role management with fine-grained permissions, MFA, and federated access. IAM ensures security, scalability, and compliance.

How I’m using AWS IAM in this project
I used AWS IAM to create a user so a new user can use our account to work on the services set in the Policy.

One thing I didn’t expect…

It is a good project, a little tasking

This project took me…

I spent over an hour on this project

Launching EC2 Instance

I launched two instances, one for development and the other for production.

Launch Instance

Instance Launch

Tags

Tags are like labels you can attach to AWS resources for organization This tagging helps us with identifying all resources with the same tag at once (they are useful filters when you’re searching for something), cost allocation, and applying policies

The tag I’ve used on my EC2 instances is called Env (short for Environment). The value I’ve assigned for my instances I called it Development and Production

IAM Policies
An IAM policy is a rule for who can do what with your AWS resources. It’s all about giving permissions to IAM users, groups, or roles, saying what they can or can’t do on certain resources, and when those rules kick in.

The policy I set up
For this project, I set up a policy using JSON on the AWS management console.

I created a policy that allows all actions that you could possibly take on EC2 instances!

When creating a JSON policy, you have to define its Effect, Action and Resource.

The attributes of a JSON policy are

Effect: to indicate whether the policy allows or denies a certain action.

Action: A list of the actions that the policy allows or denies.

Resource: Which resources does this policy apply to.

JSON Policy

My JSON Policy

JSON Policy

Account Alias
An account alias is a friendly name for your AWS account that you can use instead of your account ID (which is usually a bunch of digits) to sign in to the AWS Management Console.

Creating an account alias took me about 10–15 mins… Now, my new AWS console sign-in URL is https://alias-timi.signin.aws.amazon.com/console

Account alias

Account alias

IAM Users and User Groups

Users
IAM users are the people that will get access to your resources or AWS account, whereas user groups are the collections or folders of users for easier user management.

User Groups
An IAM user group is a collection or folder of IAM users. It allows you to manage permissions for all the users in your group at the same time by attaching policies to the group rather than individual users.

I attached the policy I created to this user group, which means that all users in the group will have the permissions set in the policy.

user policy

user group

Logging in as an IAM User
The first way is to download the .csv file contain the sign-in URL, username and console password. The second way is to send the Email sign-in instructions, or just do it manually like an old person and share the details.

Once I logged in as a new IAM user, I noticed I do not have access to other services apart from the EC2 instances. This is because I did not give the user access to it in the policy created in the user group.

IAM user logIn

Testing IAM Policies
I tested my JSON IAM policy by trying to stop both instances, I was able to stop only the development instance cause that is the one I have access to as specified in the JSON policy and not the production instance.

Stopping the production instance
When I tried to stop the production instance there was an big error. This was because we’re not authorized! We don’t have permission to stop any instance with the production tag.

Stopping Instance failure

Testing IAM Policies
Stopping the development instance
Next, when I tried to stop the development instance I was success and it stopped without any issue. This was because in the policy attached to the user group specifically allows all access to the development instance.

Stopping instance success

Remember to delete all resources so as to avoid being charged at the end of the month

Top comments (0)