IAM

Principals¶

Principal

• IAM entity that is allowed to interact with AWS resources
• Can be permanent/temporary
• Can represent human/application

Types

Authentication¶

• Users
  • Admin user = access to everything apart from billing
  • Power user = access to everything except IAM
• Multifactor
  • Root user can recover from lost second factor by verifying email address + phone number ownership
  • APIs can require it by adding condition statements (aws:MultiFactorAuthPresent, aws:MultiFactorAuthAge)
  • Doesn't work with federation

Authorization¶

Policies¶

Description

• JSON document that fully defines a set of permissions to access/manipulate AWS resources
• 1 policy contains 1+ permissions

Provenance

• AWS Managed Policies: Applied across multiple accounts
• Customer Managed Policies: Tied to a single AWS account
• Inline Policies: Directly attached to user

Types

Format

Features

Conditions

Policy Association (authz)¶

Description

• Handled in IAM by defining specific privileges in POLICIES & associating those policies with principals

Associating Policies with Principals

• Associate POLICY - IAM USER

USER Policy	exists only in the contest of the user
MANAGED Policy	exists independently of users & can be associated with many users/groups
GROUPS	simplify managing permissions for large number of users (teams)

• Associate POLICY - IAM GROUP

GROUP Policy	exists only in the contest of the group
MANAGED Policy	can also be associated with IAM groups

• ASSUMING A ROLE
  • Actor can be
    • Authenticated with IAM User (person/process)
    • Person/process authenticated by trusted external service (AWS service will assume the role on the actor's behalf & return a token to the actor)
  • After an actor has assumed a role, it is provided with a temporary security token associated with policies of that role

Policy Resolution

1. Request DENIED by default
2. Evaluate policies: if explicit DENY found → DENY
3. If NO explicit DENY & explicit ALLOW → ALLOW
4. If NO explicit ALLOW/DENY → default DENY
5. EXCEPTION = if an AssumeRole call includes a role and a policy, the policy cannot expand the privileges of the role (cannot override any permission denied by default in the role)

Federation¶

Description

• IAM Identity Providers (IDP) = provide ability to federate outside entities with IAM & assign privileges to those users
• IAM can integrate 2 types of outside IDP

WEB IDENTITIES	OIDC (OpenID Connect)
INTERNAL IDENTITIES	SAML (for AD, LDAP) ADFS (AD Federation Services) used to federate internal directory to IAM

Functioning

• Works by returning a temporary token associated with a role to the IDP
• Actual Role returned is determined via information received from IDP
  • Attributes of the user in the on-premises IDstore
  • Username & auth service of WEB IDstore

Security Token Service (STS)¶

Description

• Grants users limited and temporary access to AWS resources
• Can't be revoked, but you can revoke an IAM user if they created the temporary creds, which invalidates them

Users can come from 3 resources

Web identity federation¶

Description

• Lets you give your users access to AWS resources after they have authn with a web-based id provider (amazon, facebook, google)
• Following authn, the user receives an authn code from the web id provider, which they can trade for temporary AWS security credentials

Cognito

Description	Provides Web Identity Federation Provides temporary limited-privileged creds for both/unauth users Acts as an ID broker between app and web ID provider Recommended for all mobile apps AWS services
Functioning	After user is auth with provider, an OAUTH/OpenID token returned from the provider is passed by your app to Cognito, which returns a new Cognito ID for the user & a set of temp, limited-priv AWS creds You will be asked to create a new IAM role for end users Has impact on which AWS services they will be able to access By default access to: Cognito sync, mobile analytics
Identity Pools	Store of user identity info that is specific to your AWS account Mapping between federated user IDs and Cognito user IDs Enable you to create unique identities for your users and authn them with ID providers Assign IAM roles to user already authn with another IdP Grants temporary AWS creds (either directly from federation, or in exchange for a user pool token)
User Pools	User directories used to manage sign-up and sign-in functionality for mobile/web apps Process Users can sign-in directly to the User Pool, or indirectly via an id provider Cognito acts as an ID broker Successful authn generates JWTs

Organizations¶

Description

• Account management service which allows to consolidate multiple AWS accounts into an Organization that can be centrally managed
• Features
  • Centralized, consolidated billing
  • Organize your accounts into groups/OUs for access control
  • Attach policy based controls (Service Control Policies)

Service Control Policy

• Used to centrally control the use of AWS services across multiple accounts
  • Can be used to create a Permission Boundary
  • Restricting the actions the users/groups/roles in those accounts can do (including root)
• Features
  • The SCP applies to all OUs and accounts below the OU to which it is attached
  • SCPs can deny access only, they cannot allow