What is IAM?
 
Identity and Access Management  
IAM allows you to manage users and their level of access to the AWS console.
IAM is not region-based; it is global. A user you create in IAM is available in every region.
 
There are two different types of users in AWS:
 
  • Root account
  • IAM user account 
 
Root user account: the root user is created when the AWS account is created, i.e. during the AWS sign-up process.
 
IAM user account: IAM users are created by the root user or an IAM administrator to access AWS resources.
 

IAM user access types:

  • AWS Management console access
  • Programmatic Access
 

 
When do we need to use the AWS root account?
 
Note: we should not access the root account on a regular basis. 
 
The root account is required only for the following tasks:
  • Change your AWS support plan
  • Change your account settings
  • Restore IAM user permissions
  • Change your payment option
  • View the billing information for your account
  • Close the AWS account
 
Step: 1
 
Once the root account is created, we must secure it.
 
How to view root account security credentials

Click your AWS account name and choose Security credentials.

How to secure our root account (best practice)
  • Do not access the root account on a regular basis. 
  • We recommend that you create an IAM user with administrator permissions and use it to access AWS resources for everyday AWS tasks. 
  • Disable access keys for the root user. (If you do need an access key and secret key for the root account, create two keys and keep one deactivated, because a lost secret/access key cannot be recovered; the deactivated key is your backup.)
  • Rotate the secret and access keys on a regular basis.
  • Reset credentials on a regular basis.
  • Do not share the root user account with others. 
  • Enable MFA for the root account.
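Two of the bullets above (no root access keys, MFA enabled on root) can be verified from outside the console. The following is an added example, not code from the original post: it reads the IAM GetAccountSummary API (boto3 `iam.get_account_summary()`), whose SummaryMap includes the keys `AccountMFAEnabled` and `AccountAccessKeysPresent`. The client is passed in as a parameter so the check can be exercised offline with the constructed `FakeIam` stub; `live_client()` is the only part that needs boto3 and real credentials.

```python
"""Audit the root-user hardening bullets via IAM GetAccountSummary (added example)."""


def root_security_findings(iam):
    """Return a list of findings about the root user; an empty list means
    both checkable bullets (no root access keys, MFA enabled) are satisfied.

    `iam` must expose get_account_summary() like a boto3 IAM client.
    """
    summary = iam.get_account_summary()["SummaryMap"]
    findings = []
    # AccountAccessKeysPresent: 1 if the root user has access keys, 0 if none.
    if summary.get("AccountAccessKeysPresent", 0) != 0:
        findings.append("root access keys present: delete them, use an IAM admin user instead")
    # AccountMFAEnabled: 1 if MFA is enabled on the root user, 0 otherwise.
    if summary.get("AccountMFAEnabled", 0) != 1:
        findings.append("MFA not enabled on the root user")
    return findings


class FakeIam:
    """Constructed stand-in for a boto3 IAM client so the check runs offline."""

    def __init__(self, mfa_enabled, access_keys_present):
        self._map = {
            "AccountMFAEnabled": mfa_enabled,
            "AccountAccessKeysPresent": access_keys_present,
        }

    def get_account_summary(self):
        return {"SummaryMap": dict(self._map)}


def live_client():
    """Real IAM client; assumption: boto3 is installed and credentials are configured."""
    import boto3
    return boto3.client("iam")


if __name__ == "__main__":
    # Replace FakeIam(...) with live_client() to audit a real account.
    sample = FakeIam(mfa_enabled=0, access_keys_present=1)
    for finding in root_security_findings(sample):
        print("FINDING:", finding)
```

Run it with an IAM user that is allowed iam:GetAccountSummary; it does not need root credentials, which is the point of the check.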

Step: 2 

Once the root account is secured, we must also apply an IAM password policy (best practice).

Apply an IAM password policy:
 
To create a custom password policy (console)

Step: 1

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/
 
Step: 2 
 
In the navigation pane, choose Account settings.

Step: 3

In the Password policy section, choose Change password policy.

Select the options that you want to apply to your password policy and choose Save changes.
 
Note: this password policy applies to every IAM user account within this AWS account.
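The options on that console page map one-to-one onto the IAM UpdateAccountPasswordPolicy API. The block below is an added example, not the post's own code: `POLICY` uses the boto3 parameter names of `iam.update_account_password_policy()`, and `violations()` applies the same rules locally so a candidate password can be tested without calling AWS. The specific values (14 characters, 90-day rotation, 24 remembered passwords) are assumptions chosen for the example, not AWS defaults.

```python
"""IAM account password policy plus a local compliance checker (added example)."""
import string

# Parameter names match boto3 iam.update_account_password_policy(**POLICY).
# Values below are assumptions for the example, not AWS defaults.
POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "MaxPasswordAge": 90,            # days before a password must be rotated
    "PasswordReusePrevention": 24,   # previous passwords that may not be reused
    "HardExpiry": False,             # False: users may still change an expired password
}

# Symbol set that IAM password policies count as "symbols".
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def violations(password, policy=POLICY):
    """Return the list of policy rules `password` breaks (empty list = compliant)."""
    problems = []
    if len(password) < policy["MinimumPasswordLength"]:
        problems.append("too short (min %d)" % policy["MinimumPasswordLength"])
    checks = [
        ("RequireUppercaseCharacters", set(string.ascii_uppercase), "missing uppercase letter"),
        ("RequireLowercaseCharacters", set(string.ascii_lowercase), "missing lowercase letter"),
        ("RequireNumbers", set(string.digits), "missing number"),
        ("RequireSymbols", IAM_SYMBOLS, "missing symbol"),
    ]
    for key, allowed, message in checks:
        if policy[key] and not any(c in allowed for c in password):
            problems.append(message)
    return problems


def apply_policy(policy=POLICY):
    """Push the policy to the account; it then applies to every IAM user.

    Assumption: boto3 is installed and admin credentials are configured.
    """
    import boto3
    boto3.client("iam").update_account_password_policy(**policy)


if __name__ == "__main__":
    for candidate in ("Short1!", "NoSymbolsHere12345", "Tr0ub4dor&3xample!"):
        print(candidate, "->", violations(candidate) or "compliant")
```

The checker is useful when generating first-login passwords for new users (see the user-creation steps further down): a generated password that fails `violations()` would be rejected by IAM at CreateLoginProfile time.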

 

How to create an IAM user using the AWS Management Console

Step: 1

Sign in to the AWS Management Console.

Step: 2
 
Go to Services and select IAM, or search for IAM in the search box.

In the navigation pane, click Users. The Users page opens.

Step: 3

Click Add user to add new users to your account.

Enter the user name for the user you want to create. You can create 10 users at a time.

Select the AWS access type: programmatic access, AWS Management Console access, or both.

You can also require the user to create a new password at the next sign-in.

Click – Next: Permissions

Step: 4

Click – Create group

We are going to create a group named “Cloudadmin” and attach the “AdministratorAccess” policy (provides full access to AWS services and resources).

Note: if you want to create a new policy instead, click – Create policy.

Click – Create group

Step: 5

Tags are very important for identifying the user and are also very useful for billing.

Click – Next: Review

Step: 6

Review the user details and click – Create user

Step: 7

The IAM user has now been created successfully in the AWS console.
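The same seven steps can be driven through the IAM API, which is how you would script onboarding. This is an added example, not the post's code: `create_admin_user()` issues the boto3 IAM calls in the console's order (create group, attach AdministratorAccess, create user, add to group, tag, console password with reset-on-first-login, optional access key). The group name "Cloudadmin" and the AdministratorAccess policy come from the post; the user name, tag keys and the `RecordingIam` stub are constructed so the flow can be run offline.

```python
"""Programmatic equivalent of the console user-creation steps (added example)."""
import secrets
import string

ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"


def temporary_password(length=16):
    """Random first-login password containing every IAM character class."""
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(cls) for cls in classes]          # one of each class
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def create_admin_user(iam, user_name, group_name="Cloudadmin",
                      console_access=True, programmatic_access=False, tags=None):
    """Steps 3-7 of the console flow via the IAM API.

    `iam` is a boto3 IAM client (or a stub with the same method names).
    Returns the temporary password and/or access key id that were created.
    """
    result = {}
    iam.create_group(GroupName=group_name)                    # step 4: create group
    iam.attach_group_policy(GroupName=group_name, PolicyArn=ADMIN_POLICY_ARN)
    iam.create_user(UserName=user_name)                       # step 3: user name
    iam.add_user_to_group(GroupName=group_name, UserName=user_name)
    if tags:                                                  # step 5: tags
        iam.tag_user(UserName=user_name,
                     Tags=[{"Key": k, "Value": v} for k, v in tags.items()])
    if console_access:                                        # step 3: console access
        pwd = temporary_password()
        # PasswordResetRequired=True is "user must create a new password at next sign-in".
        iam.create_login_profile(UserName=user_name, Password=pwd,
                                 PasswordResetRequired=True)
        result["temporary_password"] = pwd
    if programmatic_access:                                   # step 3: programmatic access
        key = iam.create_access_key(UserName=user_name)["AccessKey"]
        result["access_key_id"] = key["AccessKeyId"]
    return result


class RecordingIam:
    """Constructed stub: records every call instead of talking to AWS."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def method(**kwargs):
            self.calls.append((name, kwargs))
            if name == "create_access_key":
                return {"AccessKey": {"AccessKeyId": "AKIA-EXAMPLE-PLACEHOLDER",
                                      "SecretAccessKey": "placeholder-not-a-real-key"}}
            return {}
        return method


if __name__ == "__main__":
    # Swap RecordingIam() for boto3.client("iam") to run against a real account.
    stub = RecordingIam()
    out = create_admin_user(stub, "alice", tags={"team": "platform"}, programmatic_access=True)
    for name, kwargs in stub.calls:
        print(name, {k: v for k, v in kwargs.items() if k != "Password"})
    print("created:", sorted(out))
```

Two practical points: `create_group` raises EntityAlreadyExists if "Cloudadmin" already exists, so on a second run skip that call; and the returned temporary password and access key must be handed over out-of-band and never logged, which is why the demo filters `Password` out of what it prints.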

 

Enable MFA for the root user and IAM users:

MFA (Multi-Factor Authentication)

MFA allows you to apply two levels of authentication.

MFA creates a random, six-digit, single-use authentication code.

This code changes every 30 seconds.

MFA devices:

How to enable MFA for the root user and IAM users

Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/

In the navigation pane, choose Users.

In the User name list, choose the name of the intended MFA user.

Choose the Security credentials tab. Next to Assigned MFA device, choose Manage.

In the Manage MFA device wizard, choose Virtual MFA device, and then choose Continue.

Virtual MFA device option:

Android / iPhone users need to install one of the authenticator applications below to scan the QR code:

Authy, Duo Mobile, LastPass Authenticator, Microsoft Authenticator, Google Authenticator, Symantec VIP
 
U2F security key:

A U2F security key is a small USB token that you plug into your laptop.

Other hardware MFA device:

A Gemalto token is a physical hardware token device.

Note: hardware token users must keep their email address and phone number up to date, because if the device is broken or stolen you can authenticate via email and phone number during that time.
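The six-digit, 30-second, single-use codes described above are RFC 6238 TOTP codes: the QR code carries a shared secret, and both the authenticator app and AWS compute HMAC-SHA1 over the current 30-second counter. The block below is an added example, not code from the post or from AWS; it implements the algorithm with the standard library and uses the RFC 6238 test secret "12345678901234567890" and fixed timestamps as constructed inputs. The `TotpVerifier` class shows the server side, including the single-use rule and a small clock-drift window.

```python
"""RFC 6238 TOTP, as used by virtual MFA devices (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> decimal code."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Code for the 30-second window containing time `at` (epoch seconds)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def secret_from_base32(text):
    """The secret shown beside the QR code is base32; normalise, pad and decode."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    """Server-side check: each code is accepted once, with +/- `skew` windows of drift."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1        # highest counter already consumed

    def check(self, submitted, at=None):
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for candidate in range(now - self.skew, now + self.skew + 1):
            if candidate <= self.last_counter:
                continue              # single-use: a consumed (or older) window is rejected
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference secret, not a real MFA seed.
    rfc_secret = b"12345678901234567890"
    print("code at t=59:", totp(rfc_secret, at=59))        # RFC vector 94287082 -> 287082
    v = TotpVerifier(rfc_secret)
    print("first use:", v.check("287082", at=59))          # True
    print("replay:", v.check("287082", at=59))             # False (single-use)
```

The drift window is why the note above about keeping contact details current matters in practice: a hardware token whose clock has drifted beyond the window, or that is lost, cannot produce an acceptable code, and recovery then goes through the alternative factors AWS verifies.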