Should You Use Identity And Access Management (IAM) In AWS?
Security of your AWS cloud environment is a shared responsibility between you and AWS. While AWS does offer a number of built-in security tools to protect your data and cloud infrastructure, it is your responsibility to properly implement and configure those tools. Effective implementation of the security controls that are consistent with your business and security requirements is, therefore, critical for ensuring the security of your cloud deployments.
This blog post talks about one such security tool offered by AWS, Identity And Access Management. We will describe how it works, its features, and its benefits.
What is Identity And Access Management (IAM)?
Identity and access management, commonly known as IAM, is a system that provides the right users with the right access to the right IT resources. It helps in identifying, authenticating, and authorizing access to resources in a secure manner and therefore is a foundational security process, especially for cloud environments.
How Does AWS IAM Work?
The IAM offered by AWS is a web service that helps your organization secure access to AWS resources by allowing you to control who can sign in and has permission to use company resources. It provides the infrastructure necessary to control authentication and authorization for your AWS account.
Here’s how it works:
1. Authentication
When a user or application tries to perform an action on an AWS resource, a request is first sent to AWS.
Although there are some exceptions, the users sending the request usually need to be signed in to AWS using their credentials, i.e. account ID or alias, and your user name and password. And when using the API or AWS Command Line Interface, you will need your access key and secret key.
Where enabled, you will also need to provide additional security information such as multi-factor authentication (MFA) code.
AWS gathers the request information to evaluate the authenticity and authorization of the request. The request contains the following information:
The actions that the user wants to perform.
The AWS resource upon which the actions are to be performed.
Information about the user who made the request, such as the associated roles and policies.
Information such as the IP address, timestamp, user agent, SSL enabled status, etc.
Information related to the resource being requested, such as the database table name, EC2 instance, etc.
2. Authorization
In this step, AWS uses values from the request information to check for policies that apply to the request. The policies will determine whether the request is allowed or denied. The policies are usually stored in AWS and specify the permissions for users and applications.
AWS follows a “deny by default” policy, which means that your request is authorized only if each and every part of it is allowed by the applicable permissions policies. If a single part of the request violates applicable policies, the entire request is denied.
3. Action
AWS approves the actions in your request only after your request has been authenticated and authorized.
A user or application is allowed to perform only those actions or operations that are included in the policies governing that user or application. The actions include what you can do to an AWS resource such as view, create, edit, and delete.
The approved actions or operations included in your request are then performed on the related resources within your account.
What Are The Features Of AWS IAM?
The AWS IAM, which is offered at no additional cost, has a number of features. Here’s a list of those features:
1. Shared Access
The AWS IAM allows you to grant permission to administer and use resources in your AWS account with other users without having to share your password or access key.
2. Granular Permissions
It enables you to give different permissions for different resources to different users. For example, you may give some users complete access to all of your AWS services, while to others, you may give read-only access to a few S3 buckets, or some EC2 instances,
3. Secure Access To AWS Resources For Applications
Applications that run on Amazon EC2 instances need permission to access other AWS resources such as S3 buckets, DynamoDB tables, etc. Using AWS IAM you can provide credentials for applications that run on EC2 instances in a secure manner.
4. Multi-Factor Authentication (MFA)
AWS IAM allows you to add two-factor authentication to your account and to individual users, adding an extra layer of security to your cloud infrastructure.
5. Identity Federation
In a similar way as single-sign-on (SSO), the AWS IAM allows you to grant users temporary access to your AWS account via other trusted sources such as your corporate network or internet identity provider.
5. Identity Information For Assurance
Users of AWS CloudTrail receive log records based on IAM identities. The logs include information about requests for resources made in your account. This information is beneficial for monitoring and audits.
6. PCI DSS Compliance
AWS IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
What Are The Benefits Of Using AWS IAM?
AWS IAM offers a number of benefits, including the following:
You get an integrated access control across all AWS services.
Granular access control to AWS services, resources, actions, and operations.
Cross-service API logging, via AWS CloudTrail for audit and security.
Extensive integration with other AWS services.
Federated access to your AWS account.
Access control for mobile applications.
Conclusion
Identity and access management (IAM) is an important security tool that is a must for any cloud-based infrastructure, such as AWS since it is directly accessible from the public Internet. IAM allows you to manage access and permissions, which is essential for minimizing the potential of a data breach and cloud-related security incidents.
Managing access to AWS cloud instances is especially important because if an attacker gains access to say an organization’s EC2 instance, they can easily access sensitive data, introduce malicious applications, or run resource-draining applications such as cryptocurrency mining, wasting your organization’s leased computing resources and costing huge sums of money.
In our next blog post, we will go further into the subject, focussing on how to get started with AWS IAM.
Are you looking for help with the management of your cloud deployments? Reach out to us by clicking the button below to learn how we can help you with your AWS security and management needs.