AWS Identity and Access Management

Definition:

• Identity and Access Management
• AWS global service
• Docs

Dashboard:

AWS Account

• Account ID: identifies specific AWS account, crucial for resource identification, billing, and granting cross-account access.
  • email used to create becomes root (management) account
• Account alias: unique string to identify aws account, similar to account of ID
  • example https://369396986658.signin.aws.amazon.com/console to https://strixthekiet.signin.aws.amazon.com/console

Access Management

User groups

• permissions the group can do is:
  • Policy
  • Inline policy

User

• Permissions
• Groups they are in
• Tags
• Security credentials (profile)
  • MFA
    • Multi-factor Authentication
    • Can be:
      • Passkey or security key
      • Authenticator app
      • Hardware TOTP token
  • Access keys
  • CloudFront key pairs
    • CloudFront
• Last accessed:
  • what permissions is given but not used

Roles

• An identity you can create that has specific permissions with credentials that are valid for short durations.
• Roles can be assumed by entities that you trust.
• Trusted entity types:
  • AWS service: allow aws services to perform actions within this account
  • AWS account: allow entities in other AWS account (from you or 3rd party) to perform account in this account
  • Web Identity
  • SAM 2.0 federation
  • Custom trust policy

Policy:

• A policy is an object in AWS that defines permissions (what action on what service, for what access level and on which resource)
• It can be:
  • AWS managed (predefined) policy
  • Custom policy
  • Inline policy: have a one-to-one relationship with the IAM entity they are attached to (specific to user, group, or role and cannot be attached to any other entity)
• Docs
• example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets",
        "s3:GetBucketLocation"
      ],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::amzn-s3-demo-bucket",
      "Condition": {"StringLike": {"s3:prefix": [
        "",
        "home/",
        "home/${aws:username}/"
      ]}}
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}",
        "arn:aws:s3:::amzn-s3-demo-bucket/home/${aws:username}/*"
      ]
    }
  ]
}

Identity providers

Account settings:

• Password policy: Configure the password requirements for the IAM users.

Root access management:

• Only available for org

Access Reports

Credential report

• account level
• see many details across whole account including access keys and when last used