AWS Security using Identity Access Manager Users and Groups

AWS Security using Identity Access Manager Users and Groups
Photo by Cristina Gottardi on Unsplash

So if you have never read any of my articles, my name is Steve (although I have recently been dubbed “Peg man” by our Delivery Director’s daughter 😂). I work for a company called Dootrix. The main base is down in Southampton, but we have a cosy team of four up in Manchester 😎.

IAM Users

What is an IAM User?

So IAM stands for Identity Access Management. Even when you have just signed up, you are using it. That is because that is where your root user resides.

With IAM you can create new users and attach specific policies so they can access the resources they need to fulfil their job role. By default a user has no permissions. That means that if you create a new user and don’t attach any policies to them they can’t do anything. They will just see Access Denied when they visit each AWS service.

Creating a user when attaching no policies

Having no permission by default is rather powerful. It allows you to follow the principal of least privilege. It is easier to have a relaxed security policy where you only add what you need, than to have to create a tightened one where you have to manually deny access to services. Chances are…you’ll miss one 😣.

An AWS security check-list

When you first log on to the AWS platform, you will see a check-list on the IAM dashboard. This is so you can follow a standard practice for securing your account. It is advised that you ensure all steps are complete.

AWS IAM check-list

Example: Allowing access to a single S3 bucket

In this example we have two S3 buckets. A user will be able to access only one of them, and only be able to download from that bucket.

So we have the buckets:

  • final-friday-reports
  • final-friday-classified

We want to create a user that can only download what is in final-friday-reports.

So the first step is to create a user that has no permissions, like newbie 👆

Next we need to create a policy.

The Policies screen

Then we need to specify what resources that policy can access. So we will say they can list everything in our final-friday-reports bucket with the ListBucket action, and also download using the GetObject action.

Creating a policy

Next we get to the “Review policy” screen where we can give our policy a name and a description. When things look good click “Create policy”.

Reviewing the policy

Testing the policy

So we now have to log in to our new IAM user account.

Signing in to our account

And then go to the S3 service.

Error when on the S3 page

Hmmm…seems like we may have missed something…

Let’s have a look at our policy again 🔍

Seems like we missed an action

Added the missing ListAllMyBuckets action

Ah, we need to add the ListAllMyBuckets action! Let’s save this change and go back to S3.

S3 now shows all the buckets

Okay, so we can see all of our buckets.

What happens when we try go inside final-friday-classified?

Access Denied when trying to list the contents of the final-friday-classified bucket

That looks superb. It is just the behaviour we were after. They won’t be able to see any of our classified documents 😎

But let’s check to see if we can see what is in final-friday-reports, because we need to be able to download them.

We can see what is in the final-friday-reports bucket

Now, even though there is nothing in there we don’t get the Access Denied banner. So we can safely assume that everything is alright.

In our policy we only allow the GetObject action. So let’s test that we can’t upload a file…

Failed to upload file

As you can see from the banner at the bottom of the screen, uploading failed! 🎉

And let’s check that we can also download…

Download successful!

Excellent, it works 👍

IAM Groups

How can I allow multiple users to have the same permissions?

IAM groups allow you to set up policies that affect all users in that group. So you could set up a HR group that can access specific S3 buckets, or a DevOps group that can create resources for multiple services.

By default you have an Administrators service which has access to every AWS service. So be careful when adding users to that group.

Wrapping up

IAM is a simple but powerful service. But with power comes great responsibility 🤓

Users are in essence a container for policies.

Groups are a container for Users that can share common policies.

Don’t use wildcards where possible. Always follow the Least Privilege rule! Only give users access to what they “need” to get the job done.