IAM

Principals

Principal

• IAM entity that is allowed to interact with AWS resources
• Can be permanent/temporary
• Can represent human/application

Type	Description
ROOT USER	Complete access to the account
IAM USERS	Persistent entities representing people/apps IAM Groups Can be used to manage users with similar permissions requirements When you add IAM users to a group, they inherit the group's permissions An IAM group is not an identity because it cannot be referred to as a Principal when you're setting up permission policies
ROLES	Roles are used to grant specific PRIVILEGES to specific ACTORS for a SET DURATION OF TIME When actor assumes a role → AWS gives him a temporary security token from STS (Security Token Service) Expiration needs to be specified when requesting an STS token (15mins to 36h, default 1h) Actors can be authenticated against AWS or some trusted external service Use Cases Federated (non-AWS) user access (see below) Cross-Account Access: setup roles to provide users who have permissions in one account to access resources under another account SAML 2.0 Create trust between your org Identity Provider (IdP) & other orgs as Service Providers Configure AWS as the Service Provider & use SAML to provide users with federated SSO to AWS Console EC2 Roles (grant permissions to apps running on EC2) → no fixed access key that must be rotated

---

Authentication

Type	Description
Username/Password	Human principals
Access Key	Application principals ACCESS KEY ID (20chars) + ACCESS SECRET KEY (40chars)
Access Key with Session Token	Process operating under an assumed role TEMPORARY TOKEN = ACCESS KEY (2 parts) + SESSION TOKEN

• Users
  • Admin user = access to everything apart from billing
  • Power user = access to everything except IAM
• Multifactor
  • Root user can recover from lost second factor by verifying email address + phone number ownership
  • APIs can require it by adding condition statements (aws:MultiFactorAuthPresent, aws:MultiFactorAuthAge)
  • Doesn't work with federation

---

Authorization

Policies

• JSON document that fully defines a set of permissions to access/manipulate AWS resources
• 1 policy contains 1+ permissions

Provenance

Provenance	Description
AWS Managed Policies	Provided and managed by AWS
Customer Managed Policies	Tied to a single AWS account
Inline Policies	Directly attached to the entity

Types

Identity-based policies (IAM policies)	Attached to a user/group/role (implicit Principal) Limit of 10 managed policies can be attached
Resource-based policies	Allows to directly attach permissions to AWS resources Also allows you to specify who has access to that resource even if it does not have an explicit identity-based policy that says so Characteristics Specifies a Principal (no IAM Groups) Can't be managed policies (always inline) Not actually IAM policies at all (just use the same policy language) Examples: Organizations (SCP), S3, API Gateway, Lambda, KMS, SNS, SQS, SES

Format

Component	Description
VERSION	Version of the policy language The latest version is 2012-10-17
STATEMENT	Contains the remaining elements of the policy
SID (Optional)	An identifier used to differentiate statements
EFFECT	Allow/Deny
PRINCIPAL	Only when defining resource-based policies (in identity-based policies, the principal is implicit) Defines which principal is affected by that specific statement
ACTION	List of methods the policy allows/denies
RESOURCE	Only when you're defining identity-based policies Specific ARN for which the permission apply: ARN:AWS:SERVICE:REGION:ACCOUNT-ID:[RECSOURCE-TYPE:]RESOURCE
SERVICE (optional)	For which the permission apply
CONDITION (optional)	Sdditional restrictions that limit the actions allowed (e.g., specify IP range/time interval)

Sample S3 read-only JSON policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": "*"
        }
    ]
}

Additional Limits

Permissions boundaries	Define the maximum permissions that an identity-based policy can grant to an IAM entity The boundaries assigned to the user or role do not give them permissions, but rather define the limits of the permissions attached to them Unlike SCPs, can specify resources and use conditions
Service Control Policies (SCPs)	See Organizations
Session policies	Like a permission boundary, optionally passed programmatically as part of AssumeRole

Sample Permission Boundary: Restrict Administrator Policy

• Permission boundary:

  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "SID": "AllowAmazonS3AccessOnly",
            "Effect": "Allow",
            "Action": ["s3:*"],
            "Resource": "*"
        }
    ]
  }
  

• Although the user has a permission policy that gives administrator access, if he tries to access any other resources or services besides S3, it fails due to the permissions boundary assigned to him

Conditions

Operators	Operators are in AND, multiple values in an operator are in OR
Sources	time, MFA, secure transport, user agent aws:source{Vpc,Vpce (endpoint),Account,Arn,Ip}
Principals	aws:PrincipalOrgID (instead of listing lots of accounts, just use the Org) aws:PrincipalTag/ aws:PrincipalType aws:userid, aws:username
NotAction	Matches everything except the list of actions
(Not)Principal	AWS - users, roles, accounts Federated (no info on the role) Service (in trust policies) AWS:* (IAM identities, not services)

Policy Association (authz)

Handled in IAM by defining specific privileges in POLICIES & associating those policies with principals

Associate POLICY - IAM USER

USER Policy	exists only in the contest of the user
MANAGED Policy	exists independently of users & can be associated with many users/groups
GROUPS	simplify managing permissions for large number of users (teams)

Associate POLICY - IAM GROUP

GROUP Policy	exists only in the contest of the group
MANAGED Policy	can also be associated with IAM groups

ASSUMING A ROLE

• Actor can be
  • Authenticated with IAM User (person/process)
  • Person/process authenticated by trusted external service (AWS service will assume the role on the actor's behalf & return a token to the actor)
• After an actor has assumed a role, it is provided with a temporary security token associated with policies of that role

• Each IAM role has 2 policies:

  Policy	Description
  Permission Policy	Specifies what the role allows someone to do
  Trust Policy	Specifies who can assume the role

Grant access to a 3^rd party Account

    "Principal": {"AWS": "3rd party AWS account ID"},
    "Condition": {"StringEquals": {"sts:ExternalId": "Unique ID Assigned by 3rd party"}}

Policy Resolution

1. Request DENIED by default
2. Evaluate policies: if explicit DENY found → DENY
3. If NO explicit DENY & explicit ALLOW → ALLOW
4. If NO explicit ALLOW/DENY → default DENY
5. EXCEPTION = if an AssumeRole call includes a role and a policy, the policy cannot expand the privileges of the role (cannot override any permission denied by default in the role)