2 Identity and access management

 

This chapter covers

  • Getting started with AWS Identity and Access Management
  • Using common patterns in AWS IAM
  • Securing access with multiple accounts
  • Simplifying permission management with attribute-based access control
  • Integrating with existing access management systems

This chapter explores how to use the AWS Identity and Access Management (IAM) service. IAM is possibly the most important service for the security of everything you do in AWS. IAM controls who has access to AWS APIs and resources in your account. Misconfiguration or mishandling of the service’s resources opens you up to numerous attacks. In the worst case, an attacker could gain full control of all of your AWS resources. They could use that access to shut down applications, leak data, or steal proprietary information. A much more common attack on misconfigured identity and access management is reading from S3 buckets that allow public access. This happens with staggering frequency. AWS accounts without important infrastructure or data can even be used to create a large number of servers for mining bitcoin or to use as part of a botnet, all on your dime.

IAM can be difficult to use. There are a number of common mistakes—some of which we’ll explore in this chapter—that can cause problems, such as

  • Mixing up identity and resource policies
  • Overusing wildcards
  • Failing to assume a role once policies are attached

2.1 Identity and access management basics

2.1.1 Users

2.1.2 Identity policies

2.1.3 Resource policies

2.1.4 Groups

2.1.5 Roles

2.2 Using common patterns in AWS IAM

2.2.1 AWS managed policies

2.2.2 Advanced patterns

2.3 Attribute-based access control with tags