An Intro Guide to Identity and Access Management (IAM) inside AWS

Gabriel Pulga
7 min read · Jul 15, 2021

What is Cloud Computing?

Let’s suppose we have a server hosted somewhere.

We, using a web browser, access that server through a network (the internet). The server will then reply to us and we’ll get a response that allows us to view a website.

A server is basically made of a few things that the cloud gives us on demand:

  • CPU
  • RAM
  • Data Storage
  • Database
  • Network

So, what does any of this have to do with Cloud Computing?

Cloud Computing, as its definition says, is the on-demand (you get it when you need it) delivery of compute power, database storage, applications and other IT resources.

You can provision exactly the right type and size of computing resources you need, without having to worry about the maintenance costs of running your own server.

Amazon Web Services owns and maintains all network-connected hardware that’s required for any application services, while you only pay for what you use from it via a web application.

Some of the problems solved by cloud computing are:

  • Flexibility — Change resource types when needed.
  • Cost-Effectiveness — Pay as you go, for what you use.
  • Scalability — Make the hardware stronger or add additional nodes.
  • Elasticity — Ability to scale out and in when needed.
  • High-availability and fault-tolerance — Build across data centers.
  • Agility — Rapidly develop, test and launch applications.

Deployment Models of the Cloud

A cloud deployment model is defined according to where the infrastructure for the deployment resides and who has control over that infrastructure.

Each cloud deployment model has a different value proposition and different costs associated with it. Therefore, in many cases, your choice of a cloud deployment model may simply come down to money.

  • Private Cloud — Cloud services used by a single organization, not exposed to the public. Some of its advantages are: complete control, suitability for security-sensitive workloads, and business-specific customization.
  • Public Cloud — Cloud resources owned and operated by third-party providers, delivered over the web.
  • Hybrid Cloud — Ability to keep servers on premises and extend some capabilities to the Cloud, combining control over sensitive assets with the flexibility and cost-effectiveness of the public cloud. Basically, it mixes the advantages of the previous two models.

Types of Cloud Computing

As cloud computing has grown in popularity, several different models and deployment strategies have emerged to help meet specific needs of different users.

Each type of cloud service and deployment method provides you with different levels of control, flexibility, and management.

Understanding the differences between Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), as well as what deployment strategies you can use, can help you decide what set of services is right for your needs.

Infrastructure as a Service (IaaS)

Infrastructure as a Service (IaaS) contains the basic building blocks for cloud IT and typically provides access to networking features, computers (virtual or on dedicated hardware), and data storage space.

  • Highest level of flexibility.
  • Easy parallel with traditional on-premises IT.
  • Amazon EC2 (on AWS), GCP, Azure, Rackspace, Digital Ocean and Linode.

Platform as a Service (PaaS)

Platform as a Service (PaaS) removes the need for your organization to manage the underlying infrastructure (usually hardware and operating systems) and allows you to focus on the deployment and management of your applications.

This helps you be more efficient as you don’t need to worry about resource procurement, capacity planning, software maintenance, patching, or any of the other undifferentiated heavy lifting involved in running your application.

  • Elastic Beanstalk (on AWS), Heroku, Google App Engine (GCP) and Azure.

Software as a Service (SaaS)

Software as a Service (SaaS) provides you with a completed product that is run and managed by the service provider.

In most cases, people referring to Software as a Service are referring to end user applications.

With a SaaS offering you do not have to think about how the service is maintained or how the underlying infrastructure is managed; you only need to think about how you will use that particular piece of software.

A common example of a SaaS application is web-based email which you can use to send and receive email without having to manage feature additions to the email product or maintain the servers and operating systems that the email program is running on.

  • Many AWS services (ex. Rekognition for Machine Learning), Google Apps (Gmail), Dropbox and Zoom.

Pricing of the Cloud — Quick Overview

AWS has three pricing fundamentals that follow the pay-as-you-go model, which solves the high-cost problem of traditional IT.

  • Compute — Pay for compute time.
  • Storage — Pay for data stored in the cloud.
  • Data transfer OUT of the Cloud — Data transfer in is free, but you pay for what goes out.

Pricing varies from region to region and is transparent on each service's pricing page.

AWS Global Infrastructure

The AWS Cloud infrastructure is built around AWS Regions and Availability Zones.

  • AWS Regions

Clusters of data centers available all around the world, with names like us-east-1 and eu-west-3.

  • AWS Availability Zones

Inside AWS Regions, there are multiple availability zones with names like ap-southeast-2a and ap-southeast-2c.

Each zone consists of one or more discrete data centers with redundant power, networking and connectivity, linked by high-bandwidth, ultra-low-latency networking.

They are separated from each other, so that a disaster affecting one zone does not take down the others.

  • AWS Edge Locations / Points of Presence

Amazon also has multiple points of presence located in most major cities around the world that allow content to be delivered to end users with lower latency.

An edge location is not a region but a smaller site operated by AWS. It is used for caching content.

Shared Responsibility Model Diagram

The Shared Responsibility Model diagram defines your responsibility versus that of AWS when using the cloud.

Whatever you use in the cloud, including the way you configure it, is your responsibility. This includes your OS, firewall configuration, network, data, et cetera.

Meanwhile, AWS is responsible for the security of the cloud itself: its infrastructure, hardware and software.

IAM — Users and Groups

IAM stands for Identity and Access Management and, as the name says, it is a global service we can use to create users and assign them to groups.

One user may represent a person within your organization, and users may be grouped together.

The reason for this type of access management is to allow different users to have different permissions in our AWS account.

Permissions are assigned through JSON documents called policies.

In AWS, you should apply the “least privilege principle”, which states that a user shouldn't be given more permissions than they need.
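To make the least privilege principle concrete, here is an added example (not code from the article or from AWS) that parses an IAM policy document and flags the patterns a reviewer would reject: a wildcard action, a whole-service wildcard like s3:*, a wildcard resource, or an Allow combined with NotAction. Both policy documents are constructed for illustration; the bucket name is a placeholder.

```python
"""Least-privilege review of IAM identity policies.

Added example for this article (not AWS code): it parses a policy document and
flags the patterns that violate the least privilege principle. Both documents
below are constructed; the bucket name is an illustrative placeholder.
"""
import json

# Constructed: an over-broad policy. Action "*" on Resource "*" is full admin.
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "DoEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}"""

# Constructed: the same user scoped down to read a single bucket.
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::example-reports-bucket",
        "arn:aws:s3:::example-reports-bucket/*"
      ]
    }
  ]
}"""


def _as_list(value):
    """Action, Resource and Statement may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad(policy_json):
    """Return (sid, finding) tuples for each Allow statement that is too broad."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only take permissions away
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            # Allow + NotAction grants everything except the listed actions.
            findings.append((sid, "NotAction with Allow grants every other API call"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants a whole service"))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "Resource '*' applies to every resource"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad(doc) or "no findings")
```

One caveat when using a check like this: some API actions do not support resource-level permissions and legitimately need Resource "*", so a Resource finding is a prompt to look, not an automatic failure.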

IAM — Password Policy

To protect users and groups created through the access management, we have two defense mechanisms:

  • Strong passwords

Set a minimum password length and require specific character types, along with other policies such as allowing IAM users to change their own passwords and preventing password re-use.

  • Multi Factor Authentication — MFA

Since users can change configurations or delete resources in your AWS account, it is of utmost importance to use MFA to protect your root account and IAM users.

This can be done through a virtual MFA device such as Google Authenticator or through a hardware MFA key.

How can users access AWS?

To access AWS, there are three options:

  • AWS Management Console — protected by password + MFA.
  • AWS Command Line Interface (CLI) — protected by access keys.
  • AWS Software Developer Kit (SDK) — for code: protected by access keys.

Access keys are generated through the AWS Console and are managed by their respective users.

The Access Key ID is equivalent to a username and the Secret Access Key is equivalent to a password.

It's important to note that access keys should never be shared, unless you want a very expensive AWS bill.
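Keys usually leak by accident, for example a credentials file committed to a repository, so a simple scanner is worth having. The following is an added example, not code from the article or an AWS tool: it looks for the fixed shape of an Access Key ID (AKIA or ASIA plus 16 upper-case alphanumerics) and for a 40-character secret next to a secret-key variable name. The sample config is constructed; AKIAIOSFODNN7EXAMPLE and the matching secret are the placeholder credentials from AWS documentation, not real keys.

```python
"""Scan configuration text for AWS access keys that should never be committed or shared.

Added example for this article, not an AWS tool. The config file below is
constructed; AKIAIOSFODNN7EXAMPLE and the matching secret are the placeholder
credentials used in AWS documentation, not real keys.
"""
import re

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA; both
# are followed by 16 upper-case alphanumeric characters.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Secret access keys are 40 characters from the base64 alphabet. On their own
# they look like any random token, so only report one that sits beside a
# secret-key variable name to keep false positives down.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
)

# Constructed sample: a ~/.aws/credentials style file that ended up in a repo.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def redact(secret):
    """Keep enough of the value to identify the key, hide the rest."""
    return secret[:4] + "..." + secret[-4:]


def find_credentials(text):
    """Return (line_number, kind, redacted_value) for every key found in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((number, "access_key_id", redact(match.group(0))))
        for match in SECRET_KEY_RE.finditer(line):
            findings.append((number, "secret_access_key", redact(match.group(1))))
    return findings


if __name__ == "__main__":
    for number, kind, value in find_credentials(SAMPLE_CONFIG):
        print(f"line {number}: {kind} {value}")
```

The scanner redacts what it finds so the report itself does not become another copy of the secret; a key that shows up this way should be deactivated and rotated in the IAM console, since deleting the file from the repository does not remove it from history.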

IAM — Roles for Services

Some AWS services will need to perform actions on your behalf.

To do so, we need to assign permissions to AWS services with IAM Roles. Some common roles are:

  • EC2 Instance Roles.
  • Lambda Function Roles.
  • Roles for CloudFormation.
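What makes a role usable by a service is its trust policy, the document that says who may assume the role. As an added example (not code from the article or from AWS), here is the constructed shape of an EC2 instance role's trust policy next to an open one, with a check that the role trusts exactly the service it was created for. The account id and role shapes are illustrative placeholders.

```python
"""Check an IAM role's trust policy: who is allowed to assume the role.

Added example for this article, not AWS code. The trust policies below are
constructed; the first is the usual shape for an EC2 instance role, the second
trusts every principal and should never be attached to a service role.
"""
import json

# Constructed: trust policy that lets the EC2 service assume the role.
EC2_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}"""

# Constructed: trust policy that lets any principal assume the role.
OPEN_TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
  ]
}"""


def _as_list(value):
    """Statement, Action and principal values may be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_json):
    """Return the set of principals allowed to assume the role, as 'Kind:value'."""
    policy = json.loads(trust_json)
    principals = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # sts:AssumeRole, sts:AssumeRoleWithSAML, sts:AssumeRoleWithWebIdentity
        if not any(a.startswith("sts:AssumeRole") for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            principals.add("*")  # anyone at all
        elif isinstance(principal, dict):
            for kind, values in principal.items():
                for value in _as_list(values):
                    principals.add(f"{kind}:{value}")
    return principals


def check_service_role(trust_json, expected_service):
    """True when the role trusts exactly the expected AWS service and nothing else."""
    return trusted_principals(trust_json) == {f"Service:{expected_service}"}


if __name__ == "__main__":
    print("ec2 role ok:", check_service_role(EC2_TRUST_POLICY, "ec2.amazonaws.com"))
    print("open role ok:", check_service_role(OPEN_TRUST_POLICY, "ec2.amazonaws.com"))
```

The same check works for the other roles listed above by passing lambda.amazonaws.com or cloudformation.amazonaws.com as the expected service.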

IAM — Security Tools

There are two security tools we can use in IAM:

  • IAM Credentials Report (account-level)

A report that lists all your account's users and the status of their various credentials.

  • IAM Access Advisor (user-level)

Shows the service permissions granted to a user and when those services were last accessed.

This is helpful when we need to review which permissions are not being used, so we can adjust our users' permissions to follow the principle of least privilege.
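The credentials report is a CSV, which makes it easy to audit against the guidelines in this article. The following is an added example, not code from the article or an AWS tool: it reads a report and flags console users without MFA, root with access keys, and active keys that have not been rotated or used in 90 days. The CSV is a constructed subset of the real report's columns (the real report has more), the account id and user names are placeholders, and the report date is fixed so the result is reproducible.

```python
"""Audit an IAM credentials report for the problems the article's guidelines call out.

Added example for this article, not an AWS tool. The CSV below is a constructed
subset of the real report's columns (the real report has more); the account id
and user names are placeholders. REPORT_DATE is fixed so the output is
reproducible.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. Root has MFA and no keys; alice is clean; bob has
# a console password without MFA and an old, idle key; ci-deploy keeps a
# second key it stopped using.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2021-07-01T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2021-07-14T16:20:00+00:00,true,true,2021-06-01T10:00:00+00:00,2021-07-14T16:25:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2021-07-10T09:00:00+00:00,false,true,2019-11-20T12:05:00+00:00,2021-02-01T09:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,no_information,false,true,2021-07-01T08:00:00+00:00,2021-07-15T07:55:00+00:00,true,2020-06-15T08:00:00+00:00,2021-01-03T00:00:00+00:00
"""

# Constructed "now" so the example is deterministic (the article's publication date).
REPORT_DATE = datetime(2021, 7, 15, 12, 0, tzinfo=timezone.utc)


def _parse_date(value):
    """The report uses N/A, no_information and not_supported where no date exists."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _days_since(value, now):
    """Age in days of a report timestamp, or None when the field has no date."""
    stamp = _parse_date(value)
    return None if stamp is None else (now - stamp).days


def audit_credential_report(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return (user, issue) tuples, in report order, for each problem found."""
    issues = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_key = any(row[f"access_key_{n}_active"] == "true" for n in (1, 2))
        if is_root and has_key:
            issues.append((user, "root_access_key"))  # root should have no access keys
        if row["mfa_active"] != "true" and (is_root or row["password_enabled"] == "true"):
            issues.append((user, "no_mfa"))  # console login without a second factor
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _days_since(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age_days:
                issues.append((user, f"key_{n}_stale"))
            idle = _days_since(row[f"access_key_{n}_last_used_date"], now)
            if idle is not None and idle > max_idle_days:
                issues.append((user, f"key_{n}_unused"))
    return issues


if __name__ == "__main__":
    for user, issue in audit_credential_report(SAMPLE_REPORT, REPORT_DATE):
        print(f"{user}: {issue}")
```

Against the sample, bob is flagged for the missing MFA and for a stale, idle key, and ci-deploy for the second key it no longer uses; the thresholds are parameters so a team can tighten them to match its own rotation policy.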

IAM Guidelines & Best Practices

  • Don’t use the root account except for AWS account setup.
  • One physical user = One AWS user.
  • Assign users to groups and assign permissions to groups.
  • Create a strong password policy.
  • Use and enforce the use of MFA.
  • Create and use Roles for giving permissions to AWS services.
  • Use Access Keys for Programmatic Access (CLI / SDK).
  • Audit permissions of your account with the IAM Credentials Report.


Gabriel Pulga

DevOps/SRE Engineer from Brazil. Check out my github at @gabrielpulga