AWS IAM

From Cramsession

IAM Introduction

  • Policies - rule books.
    • These define what actions are allowed and denied on resources.


IAM supports MFA and federation.


Common terms:

  • Resources - Something inside the AWS account.
  • Entities - Can be an IAM user or a federated user.
  • Identities - Used to identify who is doing something. These are users, groups and roles.


IAM Authentication Methods

  • Username and Password
  • Access Key and secret key
  • Session token


Best Practices

  • Humans should access AWS through an IdP, which provides access with temporary credentials.
  • Workloads use temporary credentials
  • Require MFA
  • Don't use root credentials for everyday tasks.
  • Apply least privilege.
  • Use AWS managed policies when possible.
  • Use AWS Access Manager to generate least-privilege policies.
  • Perform a regular review of IAM.
  • Use conditions to restrict access.
  • Set permission guardrails.
  • Use permission boundaries.
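As an added illustration (not part of these notes), the following Python script simulates the core of IAM policy evaluation on a constructed policy: an Allow statement scoped to one bucket, an explicit Deny that fires when the request was not MFA-authenticated (a BoolIfExists condition on aws:MultiFactorAuthPresent), and the implicit-deny default. It is a simplified evaluator, not the AWS engine: only the Bool and BoolIfExists operators are implemented and matching is case-sensitive.

```python
import fnmatch

# Constructed policy for this example (not from the notes): read-only access to
# one bucket, plus an explicit Deny of everything when the request lacks MFA.
POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         # A missing key (e.g. a request signed with a long-term access key) also denies.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ]
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    # IAM-style '*' and '?' wildcards (simplified: case-sensitive).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(cond, ctx):
    # Only Bool and BoolIfExists are implemented; real IAM has many more operators.
    for op, pairs in cond.items():
        if op not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported condition operator: {op}")
        for key, expected in pairs.items():
            if key not in ctx:
                if op == "BoolIfExists":
                    continue  # an absent key satisfies an ...IfExists test
                return False  # an absent key fails a plain Bool test
            wanted = [str(e).lower() for e in _as_list(expected)]
            if str(ctx[key]).lower() not in wanted:
                return False
    return True

def evaluate(policy, action, resource, ctx):
    # Explicit Deny wins; otherwise Allow if any statement allows; otherwise implicit Deny.
    decision = "Deny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)):
            continue
        if not _condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides any allow
        decision = "Allow"
    return decision
```

Calling evaluate with an empty request context (no MFA key at all) still returns "Deny", which is why the BoolIfExists form is used for MFA guardrails rather than plain Bool.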


Root account

  • Risks often arise from root account credentials.
  • Improper storage of credentials (e.g. in a text file).
  • Once exfiltrated, the person holding the credentials has full access.
  • It is best not to use the root account for daily activities.
  • Create another account that has admin rights.


Users, Groups and Roles

  • Users - Individual identities.
  • Roles - Provide temporary permissions.
    • Useful for temporary access to services.
  • Groups - Logical collections of users.
    • Simplify permission management.


Security Token Service

This is a trusted intermediary that issues temporary security credentials.

  • Allows the implementation of least privilege.
  • Credentials can expire after a set period.
  • Can integrate with external IdPs.
  • Scales easily.


IAM Identity Center

This simplifies permissions across multiple AWS accounts.

  • AWS apps can seamlessly integrate into Identity Center.
  • Creates an SSO experience.


Mitigation of issues

  • Create a policy to rotate keys every 90 days.
    • Two sets of keys can be assigned per user.
    • This allows for overlap - use of old key for a short period.


  • Use git-secrets
    • Prevents secret access keys from being added to code.
    • Secrets are flagged before being pushed to a Git repo.
    • Enables the secret to be removed and stored in AWS Secrets Manager by the developer.