# AWS Identity and Access Management (IAM)

*AWS Identity and Access Management (IAM)* is an AWS service that allows you to securely control access to AWS resources. 

> It provides a centralized control plane for managing user identities, their permissions, and the security policies that govern their access to AWS services and resources. 

IAM enables you to create and manage *users*, *groups*, *roles*, and their respective *permissions*, thereby facilitating secure access and preventing unauthorized access to your AWS environment.

## Motivation

Learning about IAM is crucial for anybody working with AWS as it empowers you to effectively manage user access, enforce security best practices, and protect sensitive data and resources. Understanding IAM enables professionals to enhance security, comply with regulations, streamline operations, and contribute to a robust and secure AWS environment.

## Key Concepts of IAM

This section will introduce you to key concepts in IAM. At the end of this notebook you will also get hands-on practice with all the concepts introduced here.

### IAM Users

> **IAM users** are entities within AWS that represent individual users, applications, or services that interact with AWS resources. 

Each IAM user has a unique identity with associated credentials (username and password or *access keys* (we will talk more about access keys later on) and permissions. IAM users are associated with specific roles and are granted permissions to perform actions on AWS resources.

#### Creating and Managing IAM Users

To create an IAM user, you can use the AWS Management Console, *AWS CLI*, or *AWS SDKs*. **The AWS CLI (Command Line Interface)** is a tool that allows you to interact with AWS services using commands from your local computer's command line. We will learn more about the AWS CLI and how to provision it in the next lesson. **AWS SDKs (Software Development Kits)** are libraries and APIs provided by AWS to help developers integrate AWS services into their applications, making it easier to programmatically interact with services like IAM. We will also learn how to use the AWS Python SDK later in this pathway.

During the creation process, you specify the user's name, assign a password or *access keys*, and configure their permissions by attaching appropriate IAM policies. Once created, IAM users can be managed by modifying their permissions, enabling *multi-factor authentication (MFA)*, and updating other user details as needed.

### IAM Groups

> **IAM groups** are collections of IAM users with similar roles or responsibilities. 

Grouping users simplifies permission management, as permissions can be assigned at the group level instead of individually. IAM groups streamline access control by facilitating assignment and revocation of permissions for multiple users simultaneously.

#### Creating and Managing IAM Groups

To create an IAM group, you can use the AWS Management Console, AWS CLI, or AWS SDKs. You define the group's name, attach IAM policies to specify permissions, and then add IAM users to the group. IAM groups can be modified by adding or removing users, updating group policies, or deleting the group when no longer needed.

### IAM Roles

> **IAM roles** serve as a means to define a set of permissions and access policies that can be assumed by trusted entities, such as AWS services or external identities. These roles allow temporary and restricted access to AWS resources without the need for permanent credentials or sharing of long-term access keys.

#### Creating and Managing IAM Roles

IAM roles can be created using the AWS Management Console, AWS CLI, or AWS SDKs. During creation, you define the *trusted entities* (e.g., AWS services or federated identities), configure the role's permissions with IAM policies, and assign the role to the appropriate entities. IAM roles are adjustable by modifying associated policies, updating trusted entities, or adjusting role details as needed.

#### Trusted Entities

> A **trusted entity** refers to an entity or entity type that is considered reliable and authorized to assume an IAM role. In the context of IAM, trusted entities can include AWS services, federated identities, or other AWS accounts.

1. **AWS Services**: Certain AWS services are configured to trust IAM roles. These services can assume the specified roles to perform actions on behalf of the roles' permissions. For example, AWS Lambda functions can be configured to assume an IAM role to access other AWS resources.

2. **Federated Identities**: Federated identities are external identities that are authenticated by an external identity provider (IdP) and then trusted by AWS. Examples of federated identities include users authenticated through SAML-based single sign-on (SSO) or OpenID Connect (OIDC) providers. IAM roles can be assumed by these federated identities to access AWS resources.

3. **AWS Accounts**: IAM roles can also be used for cross-account access, allowing one AWS account to grant permissions to entities in another AWS account. This is particularly useful when organizations need to provide controlled access to resources across multiple AWS accounts without sharing long-term credentials.

### IAM Policies

> **IAM policies** are `JSON` documents that define permissions, specifying allowed or denied actions on AWS resources. Policies consist of statements that include the effect (*allow* or *deny*), the actions permitted or denied, the affected resources, and optional conditions for access granting or restriction.

#### Creating and Managing IAM Policies

IAM policies can be created and managed using the AWS Management Console, AWS CLI, or AWS SDKs. Custom policies or predefined AWS managed policies can be used. Policies are attached to IAM users, groups, or roles to define their permissions. They can be updated, modified, and attached or detached as needed to control resource access.

### Access and Secret Access Keys

**Access** keys are long-term credentials used to authenticate programmatic access to AWS services via API calls, AWS CLI, or AWS SDKs. Each access key consists of an *access key ID* and a *secret access key*. These keys are used to securely sign requests sent to AWS services, allowing users to interact programmatically with AWS resources.

#### Managing Access and Secret Access Keys

**Access and secret access keys** can be generated for IAM users to provide programmatic access. The keys should be securely managed and stored. IAM users can create and manage their own access keys, or administrators can generate them on behalf of users. It's important to regularly rotate access keys to maintain security best practices and minimize the potential impact of compromised credentials.

## Understanding IAM Permissions

### Principle of Least Privilege

Imagine you have a company with multiple employees, each responsible for different tasks within your AWS environment. Some employees need access to your **Amazon S3 buckets** to upload and download files, while others need to manage your **EC2 instances** or configure your database. Don't worry about the terminology of different services here, as we will cover them in detail in later lessons.

Now, without IAM, granting access to these resources would be challenging. You would have to share the same credentials, such as the AWS account username and password, with all employees. This approach poses significant security risks because it means giving everyone full access to all your resources, including the ability to modify or delete critical data.

However, with IAM, you can enforce the *principle of least privilege*. Let's say you have an employee named Sarah who works as a developer and needs access to your EC2 instances. Instead of giving her full administrative rights, you can create an IAM user account specifically for her and assign her only the necessary permissions to manage EC2 instances. 

Similarly, for another employee named John, who is responsible for managing your database, you can create a separate IAM user account and assign him permissions to interact with your database service, such as creating and deleting database instances, but without providing access to other resources.

By granting these granular permissions, you ensure that each employee has access only to the resources required for their respective tasks. This practice significantly reduces the risk of accidental or intentional misuse of your resources. If, in the future, Sarah no longer needs access to EC2 instances, you can simply revoke her permissions within IAM without affecting any other aspect of your AWS environment.

### Granting and Revoking IAM Permissions

IAM provides a flexible framework for granting and revoking permissions to users, groups, and roles. You can assign permissions by attaching IAM policies directly to IAM entities, such as users or groups, or by using *resource-based policies *for certain AWS services. Permissions can be granted at various levels, including the account level, service level, or resource level, allowing for precise control over access to specific actions and resources.

Let's say you have an IAM user named `Alice` who is responsible for managing EC2 instances within your AWS environment. To grant Alice the necessary permissions, you can create an IAM policy that allows her to start, stop, and terminate EC2 instances. The `JSON` policy might look like this:

In [None]:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Permissions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "*"
    }
  ]
}

Let's look into more detail at the `JSON` above:

- `"Version": "2012-10-17"`: This line specifies the version of the policy language being used. In this case, it indicates that the policy is using the version released on October 17, 2012. This is currently the standard version to use with any IAM policy.

- `"Statement": [...]`: This line starts an array of policy statements. Each statement represents a single permission or set of permissions.

- `{"Sid": "EC2Permissions", ...}`: This line assigns a unique identifier or name ("`EC2Permissions"`) to the statement. The SID is optional but helpful for identifying and managing the statement in the future.

- `"Effect": "Allow"`: This line indicates the effect of the statement, which can be either `"Allow"` or `"Deny"`. In this case, it allows the specified actions.

- `"Action": [...]`: This line specifies the action(s) that are allowed or denied. Here, the actions `"ec2:StartInstances"`, `"ec2:StopInstances"`, and `"ec2:TerminateInstances"` are allowed. These actions relate to starting, stopping, and terminating EC2 instances.

- `"Resource": "*"`: This line specifies the resource to which the actions apply. In this case, the wildcard character (`*`) is used to indicate that the actions can be performed on any resource. We will see in later lessons how we can specify only certain resources in IAM policies.

You can then attach this IAM policy to Alice's IAM user account. Once attached, Alice will have the necessary permissions to perform the specified actions on EC2 instances.

Now, let's say Alice's responsibilities change, and she no longer needs permission to terminate EC2 instances. To revoke this specific permission while maintaining her other permissions, you can modify the existing IAM policy by removing the `"ec2:TerminateInstances"` action:

In [None]:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Permissions",
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*"
    }
  ]
}

By removing the `"ec2:TerminateInstances"` action, you effectively revoke Alice's permission to terminate EC2 instances while preserving her ability to start and stop instances.

###  Understanding Resource-Based Policies

**Resource-based policies** are an integral part of IAM that allow you to define permissions directly on AWS resources. These policies are attached to the resources themselves and determine which entities (users, groups, roles, or other AWS accounts) have access to them. Resource-based policies provide a more centralized and flexible approach to access control, enabling you to grant or deny access to resources based on specific conditions or identities.

## IAM Best Practices

### Creating Strong and Secure Passwords

When creating IAM users, it is essential to encourage the use of strong and unique passwords. Strong passwords should be long, contain a combination of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information, such as names or birthdays. Regularly remind users to update their passwords and avoid reusing passwords across multiple accounts.

### Enabling Multi-Factor Authentication (MFA)

**Multi-Factor Authentication** adds an extra layer of security to IAM user accounts. By requiring an additional authentication factor, such as a one-time password generated by a virtual MFA device, MFA significantly reduces the risk of unauthorized access, even if the user's password is compromised. Encourage the use of MFA for all IAM users, especially for accounts with elevated privileges.

### Regularly Reviewing and Auditing IAM Permissions

Periodically reviewing and auditing IAM permissions is crucial to maintain the principle of least privilege and ensure that users have only the necessary access. Regularly review IAM policies, user permissions, and group memberships to identify any excessive or outdated permissions. Remove or modify permissions as needed to align with user roles and responsibilities.

### Implementing IAM Password Policies

IAM password policies allow you to enforce specific password requirements across your AWS account. Consider implementing policies that enforce password complexity rules, require password rotation at regular intervals, and prevent password reuse. By implementing strong password policies, you enhance the overall security of IAM user accounts.

## Hands-On Practice: Advanced IAM User and Group Management

In this advanced hands-on practice, we will perform various tasks related to IAM user and group management, including creating an IAM user, assigning specific permissions, creating a custom policy, generating access and secret access keys, enabling multi-factor authentication (MFA) and testing user access and permissions.

### Creating an IAM User

1. Log in to the AWS Management Console and open the IAM console. You can do this by either typing **IAM** in the search bar or accessing IAM directly from the **Services** tab. You will be meet with the following page:

<p align="center">
    <img src="images/IAM-console.png" width="700" height="400"/>
</p>


2. Click on **Users** in the navigation pane and then on **Add User** to create a new IAM user.

3. Provide a username for the user (e.g., "John") and select **Provide user access to the AWS Management Console**. If you don't select this option, the user will only have *Programmatic access**, meaning it will be able to interact with AWS services programmatically through the AWS CLI or SDKs. This type of user is normally used for automation or programmatic tasks.

4. Under **User type** select **I want to create an IAM user**, this will allow your user to have both Management Console and programmatic access. This will be useful in the next lesson when we will learn how to setup AWS CLI.

5. For password, you have the option to choose between an **Autogenerated password** or a **Custom password**. If you select the first option the system will generate a random password for the user and you will be able to view the password after creating the user. If you select the later you can provide a password of your choice. It's up to you to decide which option you prefer.

6. Select **Users must create a new password at the next sign-in** to allow the user to choose their preferred password on the first log-in.

7. Click **Next** and follow the prompts to configure additional settings if needed. For this hands-on we will not set any permissions yet, so feel free to click **Next** in the **Set permissions** tab.

8. Review the user details and click **Create User** to create the IAM user. You will be met with the following page:

<p align="center">
    <img src="images/IAM-user.png" width="700" height="500"/>
</p>

Before you return to the user list, you can retrieve the password by clicking **Show** under the **Console password** field. Make sure to make a note of this on your local machine. You can then press **View user** to see the details of your newly created user.

<p align="center">
    <img src="images/IAM-user2.png" width="700" height="500"/>
</p>

#### IAM User Page

After successfully creating an IAM user, the IAM user page in the AWS Management Console provides various information and options related to the user's configuration. Here's an overview of the information typically found on the IAM user page:

##### **1. User Summary**

This section displays essential details about the IAM user, including the username, user *ARN (Amazon Resource Name)*, and the date and time when the user was created.

> **ARN** stands for Amazon Resource Name. It is a unique identifier used in AWS (Amazon Web Services) to identify and reference AWS resources such as IAM users, IAM roles, EC2 instances, S3 buckets, Lambda functions, and many others.

ARNs typically look like this:`arn:aws:<service>:<region>:<account-id>:<resource-type>/<resource-specific-identifier>`

- `arn` denotes that it is an Amazon Resource Name
- `aws` indicates the AWS namespace.
- `<service>` refers to the AWS service the resource belongs to, such as IAM
- `<region> `specifies the AWS region where the resource is located 
- `<account-id>` represents the AWS account ID associated with the resource
- `<resource-type>` identifies the type of resource, such as user for IAM users, role for IAM roles, etc.
- `<resource-specific-identifier>` is a unique identifier specific to the resource within its resource type

##### **2. Permissions** 

The permissions section provides an overview of the policies attached to the IAM user. It displays the list of attached policies and allows you to view details of each policy. From here, you can also attach additional policies or detach existing policies as needed to manage the user's permissions.

> The permission `IAMUserChangePassword` is automatically attached to newly created IAM users in AWS. This permission allows the user to change their own password for console access. By default, AWS assigns this permission to provide users with the ability to manage their own passwords and enhance security by allowing them to periodically update their credentials.

We can access this permission by clicking on it, and we will be redirect to the Policy page:

<p align="center">
    <img src="images/IAM-policy1.png" width="700" height="400"/>
</p>

Here, under **Permissions defined in this policy** we can see the actions and resources defined in this policy. The **Summary** view provides a human-readable summary of the IAM policy. It presents the policy's key information in a user-friendly format, making it easier to understand the policy's intent, actions, resources, and conditions at a glance. The **JSON** representation provides a more detailed and precise definition of the policy's attributes: 


In [None]:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword"
            ],
            "Resource": [
                "arn:aws:iam::*:user/${aws:username}"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy"
            ],
            "Resource": "*"
        }
    ]
}

`"iam:ChangePassword"`
- This action allows the IAM user to change their own password
- When an IAM user performs this action, they can modify their password for console access to AWS services. It provides users with the ability to update their own login credentials, enhancing account security.

`"iam:GetAccountPasswordPolicy"`
- This action allows the IAM user to retrieve the password policy for the AWS account
- The resource `"arn:aws:iam::*:user/${aws:username}"` in the policy grants the permission to retrieve the account's password policy for any IAM user within any AWS account
- This portion `"arn:aws:iam::*:user/"` indicates the ARN prefix for IAM user resources and the `*` wildcard is used to match any AWS account ID
- This `${aws:username}` is a placeholder that is expanded by AWS when evaluating the policy. It represents the specific IAM username of the user performing the action.

##### **3. Groups** 

This section shows the groups to which the IAM user belongs. You can view the group names and navigate to the group details page from here.

##### **4. Tags**

If any *tags* have been assigned to the IAM user, they are displayed in this section. **Tags** are key-value pairs used for categorizing and organizing resources for easier management and cost allocation.

##### **5. Security Credentials** 

In this section, you can manage the user's security credentials, such as access keys for programmatic access, password for console access (if applicable), and multi-factor authentication (MFA) settings. You can view and manage access keys, enable or disable the user's console access password, and configure MFA for added security.

##### **6. Access Advisor** 

The Access Advisor section provides insights into the services and actions the IAM user has accessed within a specified time period. It helps track and analyze the user's activity to assess their permissions and identify potential unused or unnecessary permissions.

By exploring and familiarizing yourself with the IAM user page, you can effectively manage the configuration, permissions, and security settings for the IAM user in your AWS environment.

### Assigning User Permissions

1. Select the newly created IAM user from the user list in the IAM console.

2. Navigate to the **Permissions** tab.

3. Click on **Add permissions** to add permissions to the user. In the following screen you will have to options: **Attach existing policies** and **Create inline policy**. The first option allows you to attach existing IAM policies that grant necessary permissions. The later one is when the desired permissions are not available in existing AWS-managed policies and you need to create a custom policy. We will start by selecting an existing policy. To do so select **Attach existing policies**.

4. Select **Attach policies directly** to search for the desired policies that grant the necessary permissions. For example, you can search for the policy `IAMReadOnlyAccess` to grant read-only access to IAM resources. If you want to see the detailed **Actions** or **Resources** of this policy just double click on the policy name, and this will redirect you to the policy page. There as we seen before, you can visualise the policy permissions in `JSON` format.

> If you struggle to understand any **Actions** under a policy permissions make sure to check the official [AWS documentation](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html). In this page you can select any AWS service from under **Topics** which will redirect you to that specific service documentation. Each service page has an **Actions table** that will give a comprehensive overview of each action you can specify for this service and what it does.

5. Select the policies that provide the required permissions and attach them to the user. You should now see them under the **Permissions** tab for your user.

### Creating an IAM Group and Adding the User

1. In the IAM console, click on **User groups** in the navigation pane.

<p align="center">
    <img src="images/IAM-UserGroups.png" width="700" height="400"/>
</p>

2. Click on **Create group**" to create a new IAM group.

3. Provide a name for the group (for example `Product_Department`). You can add any users you want to this group when creating it, but you can also do this after creation. Let's add `John` our previously created user to this group by ticking the empty box left of his user name.

4. Search and select the desired policies to attach to the group or create a custom policy specific to the group if needed. Let's select `IAMUserChangePassword`. Attaching this policy to this group, means that every user that is part of this group will have the ability to change their own password.

5. Click **Create Group** to create the IAM group.

6. Select the newly created group from the group list and notice `John` is now part of this user group.

### Testing User Access and Permissions:

1. Make a note of your **Account ID** you will need it for this part of tha hands-on. You can find by clicking on your username: 

<p align="center">
    <img src="images/AccountID.png" width="700" height="400"/>
</p>


2. Sign out of the AWS Management Console.

3. Log back in  using the credentials of the IAM user you created. To do sit this team select **IAM user** instead of **Root user** as the sign in method. You will first be asked to fill in your Account ID that we obtained from step 1. Then you will need to provide the user name (in our case `John`) and the password you have saved when you initially created the user.

4. You will be asked to generate a new password once you are logged in.

5. Verify that the user has access to the AWS Management Console and can perform the permitted actions, which in our case refer to IAM permitted actions. So `John` has full read-only IAM access, which means he should be able to see everything we were seeing when logged in as the root user in the IAM console. However he shouldn't be able to perform any other operations. For example, let's try to create a new user `Mary` that is part of the `Product_Department`. Once you get to the **Review and create** page you press **Create user** you should be met with the following message:

<p align="center">
    <img src="images/IAMError.png" width="700" height="500"/>
</p>

This error indicates that the IAM user with the ARN `arn:aws:iam::170260020574:user/John` (so our user `John`) is attempting to perform the `iam:CreateUser` action on the IAM user resource with the ARN `arn:aws:iam::170260020574:user/Mary` (so `John` is trying to create a new user called `Mary`).

The error occurs because the user `John` does not have the necessary permission to create IAM users. In this case, there is no identity-based policy attached to the user `John` that grants the `iam:CreateUser` action on the resource `arn:aws:iam::170260020574:user/Mary` or on all resources (`*`). 

If this was a real issue we could resolve it by either:
- Attaching an existing policy or creating a custom policy that allows the `iam:CreateUser` action for `John` to perform user creation.
- Assigning the appropriate permissions to `John` through an IAM group to which he belongs to

## Key Takeaways 

- AWS Identity and Access Management (IAM) is a crucial service for managing user access and permissions within AWS environments
- IAM allows you to enforce the principle of least privilege by granting and revoking granular permissions to users and entities, ensuring they have only the necessary access required for their specific tasks
- Creating IAM users enables individual users, applications, or services to interact with AWS resources, and IAM groups provide a convenient way to manage permissions for users with similar roles or responsibilities
- IAM roles are used to delegate permissions to entities such as AWS services or external identities without the need for long-term access keys associated with IAM users
- IAM policies, defined in `JSON `format, specify the permissions granted or denied for IAM users, groups, or roles. They determine what actions are allowed or denied on AWS resources.
- Best practices for IAM include creating strong and secure passwords, enabling multi-factor authentication (MFA), regularly reviewing and auditing permissions, implementing IAM password policies, and considering federating AWS access with external identity providers