M. Ahmed

AWS: IAM Concepts

Here’s a sample IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": ["s3:CreateBucket"],
      "Resource": ["arn:aws:s3:::catpics"]
    }
  ]
}

Statement is a list and can hold multiple statements. Sid is an optional identifier for the statement. Effect is either "Allow" or "Deny". Action names are service-prefixed (s3:CreateBucket) and matched case-insensitively; Resource takes one or more ARNs, with * wildcards allowed.

Explicit Deny > Explicit Allow > Implicit Deny (default): a request is denied unless some applicable policy allows it, and an explicit Deny in any applicable policy overrides every Allow.

Amazon Resource Name (ARN)

Uniquely identifies a resource inside AWS. Used mainly in the Resource element of IAM policy statements (and for Principal in resource policies).

Follows one of these structures:

arn : PARTITION : SERVICE : REGION : ACCOUNT_ID : RESOURCE_ID
arn : PARTITION : SERVICE : REGION : ACCOUNT_ID : RESOURCE_TYPE/RESOURCE_ID
arn : PARTITION : SERVICE : REGION : ACCOUNT_ID : RESOURCE_TYPE:RESOURCE_ID

PARTITION is aws for the standard regions (aws-cn and aws-us-gov for the China and GovCloud partitions). REGION and ACCOUNT_ID are left empty for global or account-independent resources, which is why an S3 bucket ARN looks like arn:aws:s3:::catpics. Account IDs are 12 digits.

e.g. arn:aws:ec2:us-east-1:123456789012:instance/i-654321123

Max 5000 IAM Users Per Account.

Resource policy: a policy attached to the resource itself (e.g. an S3 bucket policy) whose statements name a Principal (IAM users, roles, whole accounts or AWS services) and allow or deny actions on that resource. The same order applies: explicit Deny > explicit Allow > implicit Deny (DAD).

Groups

  • No credentials; a group is not a principal and cannot be logged in to.
  • No group nesting.
  • No all-users group by default.
  • An IAM user can be a member of at most 10 groups.
  • 300 groups per account (soft limit).
  • Cannot be referenced as a Principal in resource policies.

Roles

  • Assumed for a limited time; assuming a role returns temporary credentials (via STS) instead of long-lived keys.
  • Permission policies: same format as user policies, define what the role can do.
  • Trust policies: define who (which principals) may assume the role, i.e. who is allowed sts:AssumeRole on it.
  • Can be referenced as a Principal in resource policies.
  • Rule of thumb: use a role when the number of identities is unknown or large, or when the identity is not an IAM user.
  • Examples:
    • An AWS service such as Lambda assumes a role that grants it S3 access.
    • A user assumes an emergency (break-glass) admin role instead of holding admin rights permanently.
    • Identity federation (SAML/OIDC) uses IAM roles to grant external users access to AWS.
    • Web identity federation (Google/Apple sign-in) grants access to far more identities than the 5,000 IAM users an account can hold.
    • Cross-account access: principals in another AWS account assume a role in your account.
  • Service-linked roles are tied to a particular service and are usually created when the service is configured.
  • When you configure a service to use a role, the role is passed to that service, so your own identity needs iam:PassRole on that role (and iam:ListRoles to pick it in the console). Scope iam:PassRole to specific role ARNs: an unrestricted PassRole lets a user hand a more privileged role to a service they control, which is a classic privilege-escalation path.

Organizations

  • One management account (formerly called master) and 0+ member accounts.
  • Standalone account: not part of an AWS organization.
  • Organizational root (container)
    • Organizational units (containers) (0+), which can be nested
    • AWS accounts (0+)

Service Control Policies (SCP)

  • Attached to containers (root or OU) or to individual accounts; inherited down the tree.
  • Set the maximum permissions for member accounts, including the root user of a member account. SCPs never grant permissions by themselves; an identity still needs an IAM policy that allows the action. The management account is not restricted by SCPs.
  • The default FullAWSAccess SCP is attached everywhere:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*"
      }
    ]
  }

  • Deny-list strategy: keep FullAWSAccess attached and add SCPs with explicit Deny statements for the services or actions you want to block. This keeps admin overhead low, since new services stay usable until you deny them.
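The evaluation order (explicit Deny > explicit Allow > implicit Deny), the ARN structure, resource-policy principals and the SCP bound described above can all be exercised in one place. The following is an added example written for these notes, not AWS code or an official policy simulator: a toy evaluator in Python. The identity policy, the catpics bucket policy, the Uploader role and the deny-IAM SCP are constructed for illustration; conditions, NotAction/NotResource, permission boundaries and cross-account evaluation are deliberately left out.

```python
"""Toy IAM policy evaluator (added example, not AWS code). Implements
explicit deny > explicit allow > implicit deny over identity policies,
a same-account resource policy and SCPs, and parses ARNs. Conditions,
NotAction/NotResource, permission boundaries and cross-account rules
are left out on purpose."""
import re

ARN_FIELDS = ("partition", "service", "region", "account", "resource")


def parse_arn(arn):
    """Split an ARN into partition, service, region, account and resource.
    The resource part may itself contain ':' (type:id), so split at most
    5 times. Region and account are empty for global resources (S3 buckets)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return dict(zip(ARN_FIELDS, parts[1:]))


def _glob(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names are matched case-insensitively; ARNs are not."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(statement, principal):
    """Resource-policy statements carry a Principal; identity-policy statements
    do not. Only the '*' and {"AWS": ...} forms are handled in this toy."""
    if "Principal" not in statement:
        return True
    spec = statement["Principal"]
    allowed = ["*"] if spec == "*" else _as_list(spec.get("AWS", []))
    return "*" in allowed or principal in allowed


def evaluate(policies, action, resource, principal=None):
    """Return 'DENY' if any matching statement is an explicit deny, 'ALLOW' if
    at least one matching statement allows, otherwise 'IMPLICIT_DENY'."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _principal_matches(stmt, principal):
                continue
            if not any(_glob(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return "DENY"  # explicit deny wins regardless of any allow
            allowed = True
    return "ALLOW" if allowed else "IMPLICIT_DENY"


def is_authorized(action, resource, identity_policies, resource_policy=None, scps=None, principal=None):
    """Same-account request. SCPs only bound the account: they must allow but
    never grant. Identity and resource policies are then evaluated together;
    an allow in either is enough, an explicit deny in any of them wins."""
    if scps is not None and evaluate(scps, action, resource) != "ALLOW":
        return False
    combined = list(identity_policies) + ([resource_policy] if resource_policy else [])
    return evaluate(combined, action, resource, principal) == "ALLOW"


# Constructed sample documents shaped like the notes' sample policy (hypothetical).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CatBuckets", "Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:ListBucket"], "Resource": "arn:aws:s3:::catpics"},
        {"Sid": "IamAdmin", "Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Sid": "NeverDeleteBuckets", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
UPLOADER_ROLE = "arn:aws:iam::123456789012:role/Uploader"
BUCKET_POLICY = {  # resource policy attached to the catpics bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": UPLOADER_ROLE},
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::catpics/*"}],
}
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_IAM_SCP = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
SCPS = [FULL_AWS_ACCESS, DENY_IAM_SCP]

if __name__ == "__main__":
    print(parse_arn("arn:aws:ec2:us-east-1:123456789012:instance/i-654321123"))
    print("identity only, iam:CreateUser:", is_authorized("iam:CreateUser", "*", [IDENTITY_POLICY]))
    print("with deny-IAM SCP, iam:CreateUser:", is_authorized("iam:CreateUser", "*", [IDENTITY_POLICY], scps=SCPS))
    print("bucket policy grants Uploader PutObject:", is_authorized(
        "s3:PutObject", "arn:aws:s3:::catpics/photo.jpg", [], resource_policy=BUCKET_POLICY, principal=UPLOADER_ROLE))
```

Two things worth noticing when running it: the IamAdmin statement in the identity policy is useless once the deny-IAM SCP is attached above the account, because SCPs cap what any identity in the account can do; and the Uploader role gets s3:PutObject from the bucket policy alone, with an empty identity-policy list, which is exactly why groups (which cannot be named as a Principal) cannot be granted access this way.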

CloudWatch Logs

  • Data arrives from the CloudWatch agent on instances, the SDK/API, or services that integrate directly (e.g. Lambda, CloudTrail).
  • Log events > Log streams > Log groups > Metric filters > Metrics > Alarms.
  • A log stream is the sequence of events from one source, i.e. one log type from one instance, e.g. the web server log of one EC2 instance.
  • Log streams of the same type are grouped into a log group. Metric filters are defined on a log group: each event matching the filter pattern increments a metric, and an alarm watches that metric against a threshold.

CloudTrail

  • Records management events (control-plane API calls) and, optionally, data events (e.g. S3 object-level or Lambda invoke calls).
  • Event history keeps 90 days of management events by default; anything longer needs a trail.
  • A trail can be single-region or multi-region (all regions).
  • Regional services log to their own region.
  • Global services (IAM, STS, CloudFront) log their events to us-east-1.
  • NOT real-time: events are delivered minutes after the API call, so any alarm built on them lags.
  • Use trails to store events indefinitely in S3 (enable log file validation and lock the bucket down) or to forward them to CloudWatch Logs for metric filters and alarms.
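The CloudWatch Logs chain above (log events > metric filters > metrics > alarms) fed from CloudTrail is easiest to understand by running it over a few records. The following is an added example written for these notes, not AWS code and not the real filter-pattern syntax: it models three common detections (root usage, unauthorized API calls, IAM policy changes) as Python predicates, buckets matches into 5-minute periods and fires alarms on thresholds. The CloudTrail records, filter names and thresholds are constructed for illustration.

```python
"""Toy version of log events -> metric filter -> metric -> alarm, run
offline over constructed CloudTrail records (added example, not AWS code).
The predicates approximate common CloudWatch Logs filter patterns rather
than parsing the real syntax; records, names and thresholds are made up."""
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed CloudTrail records, trimmed to the fields the filters read.
RAW_EVENTS = [
    '{"eventTime":"2024-05-01T10:01:12Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin",'
    '"eventType":"AwsConsoleSignIn","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},'
    '"awsRegion":"us-east-1"}',
    '{"eventTime":"2024-05-01T10:02:40Z","eventSource":"iam.amazonaws.com","eventName":"PutUserPolicy",'
    '"eventType":"AwsApiCall","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/alice"},'
    '"awsRegion":"us-east-1"}',
    '{"eventTime":"2024-05-01T10:03:05Z","eventSource":"ec2.amazonaws.com","eventName":"RunInstances",'
    '"eventType":"AwsApiCall","errorCode":"Client.UnauthorizedOperation",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"awsRegion":"eu-west-1"}',
    '{"eventTime":"2024-05-01T10:03:50Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets",'
    '"eventType":"AwsApiCall","errorCode":"AccessDenied",'
    '"userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/Uploader/session"},'
    '"awsRegion":"us-east-1"}',
    '{"eventTime":"2024-05-01T10:09:30Z","eventSource":"s3.amazonaws.com","eventName":"GetObject",'
    '"eventType":"AwsApiCall","userIdentity":{"type":"AssumedRole",'
    '"arn":"arn:aws:sts::123456789012:assumed-role/Uploader/session"},"awsRegion":"us-east-1"}',
    '{"eventTime":"2024-05-01T10:12:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances",'
    '"eventType":"AwsApiCall","errorCode":"Client.UnauthorizedOperation",'
    '"userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/bob"},"awsRegion":"us-east-1"}',
]

IAM_CHANGE_EVENTS = {"PutUserPolicy", "PutGroupPolicy", "PutRolePolicy", "AttachUserPolicy",
                     "AttachRolePolicy", "AttachGroupPolicy", "CreatePolicy", "DeletePolicy"}

# Metric filters: one predicate per metric (hypothetical names).
METRIC_FILTERS = {
    "RootUsage": lambda e: (e["userIdentity"].get("type") == "Root"
                            and e.get("eventType") != "AwsServiceEvent"),
    "UnauthorizedApiCalls": lambda e: (e.get("errorCode", "").endswith("UnauthorizedOperation")
                                       or e.get("errorCode", "").startswith("AccessDenied")),
    "IamPolicyChanges": lambda e: (e.get("eventSource") == "iam.amazonaws.com"
                                   and e.get("eventName") in IAM_CHANGE_EVENTS),
}
ALARM_THRESHOLDS = {"RootUsage": 1, "UnauthorizedApiCalls": 2, "IamPolicyChanges": 1}
PERIOD_SECONDS = 300  # one 5-minute metric period


def period_start(event_time):
    """Floor a CloudTrail eventTime (ISO 8601, UTC) to the start of its period."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % PERIOD_SECONDS


def apply_metric_filters(raw_lines, filters=METRIC_FILTERS):
    """Metric filter stage: each matching event adds 1 to that metric in its period.
    Returns {metric_name: Counter({period_start: count})}."""
    datapoints = {name: Counter() for name in filters}
    for line in raw_lines:
        event = json.loads(line)
        period = period_start(event["eventTime"])
        for name, predicate in filters.items():
            if predicate(event):
                datapoints[name][period] += 1
    return datapoints


def evaluate_alarms(datapoints, thresholds=ALARM_THRESHOLDS):
    """Alarm stage: fire when a metric's count in any single period reaches its
    threshold (one evaluation period). Returns [(metric, period_start, count)]."""
    fired = []
    for name, threshold in thresholds.items():
        for period, count in sorted(datapoints.get(name, {}).items()):
            if count >= threshold:
                fired.append((name, period, count))
    return fired


if __name__ == "__main__":
    for metric, period, count in evaluate_alarms(apply_metric_filters(RAW_EVENTS)):
        when = datetime.fromtimestamp(period, tz=timezone.utc).isoformat()
        print(f"ALARM {metric}: {count} event(s) in period starting {when}")
```

With the sample records, three alarms fire in the 10:00 period (one root sign-in, two unauthorized calls, one IAM policy change) while the single unauthorized call at 10:12 stays below its threshold of 2. Because CloudTrail delivery is not real-time, the period in which an event lands is driven by eventTime, not by when the record arrived, which is also why alarms built on this path lag the activity they detect.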

AWS Control Tower

  • An automated way to set up, govern and observe a multi-account environment built on AWS Organizations.
  • Uses Account Factory to provision new accounts.
  • Guardrails (now called controls): preventive ones are implemented as SCPs, detective ones as AWS Config rules.
  • The landing zone is the multi-account environment Control Tower creates; the Control Tower dashboard is where it is managed.
  • Creates an organization with 2 OUs:
    • Security OU: Audit account (SNS notifications, CloudWatch) and Log Archive account (AWS Config & CloudTrail logs).
    • Sandbox OU: accounts created with Account Factory; users sign in through IAM Identity Center.