# AWS Identity and Access Management (IAM)
> Introduction to AWS IAM

- toc: true 
- comments: true
- author: Ankush Agarwal
- categories: [aws, iam]

### Introduction
    IAM uses traditional identity concepts such as users, groups, and access control policies to control who 
        can use your AWS account, what services and resources they can use, and how they can use them. 
    The control provided by IAM is granular enough to limit a single user to the ability to perform a single 
        action on a specific resource from a specific IP address during a specific time window. 
    Applications can be granted access to AWS resources whether they are running on-premises or in the cloud. 
    
    If your application identities are based on Active Directory, your on-premises Active Directory can be 
        extended into the cloud to continue to fill that need. 
    A great solution for using Active Directory in the cloud is AWS Directory Service, which is an Active
        Directory-compatible directory service that can work on its own or integrate with your on-premises 
        Active Directory. 
    Finally, if you are working with a mobile app, consider Amazon Cognito for identity management for 
        mobile applications.
        
    Operating System Access - Active Directory LDAP Machine-specific accounts
    Application Access - Active Directory, Application User Repositories, Amazon Cognito
    AWS Resources - IAM
    
    IAM is controlled like most other AWS Cloud services:
        AWS Management Console
        CLI
        AWS SDK

### Principals
    The first IAM concept to understand is principals. 
    A principal is an IAM entity that is allowed to interact with AWS resources. 
    A principal can be permanent or temporary, and it can represent a human or an application. 
    There are three types of principals: root users, IAM users, and roles/temporary security tokens.
    
    Root User
        When you first create an AWS account, you begin with only a single sign-in principal that has complete
            access to all AWS Cloud services and resources in the account. 
        This principal is called the root user. As long as you have an open account with AWS, the root user 
            for that relationship will persist. 
        The root user can be used for both console and programmatic access to AWS resources.
        
    IAM Users
        Users are persistent identities set up through the IAM service to represent individual people 
            or applications. 
        You may create separate IAM users for each member of your operations team so they can interact 
            with the console and use the CLI.
            
    Roles/Temporary Security Tokens
        Roles are used to grant specific privileges to specific actors for a set duration of time. 
        These actors can be authenticated by AWS or some trusted external system. 
        When one of these actors assumes a role, AWS provides the actor with a temporary security token 
            from the AWS Security Token Service (STS) that the actor can use to access AWS Cloud services. 
            
        Amazon EC2 Roles—Granting permissions to applications running on an Amazon EC2 instance.
        Cross-Account Access—Granting permissions to users from other AWS accounts, whether you 
            control those accounts or not.
        Federation—Granting permissions to users authenticated by a trusted external system.
        
        Amazon EC2 Roles
            Suppose that an application running on an Amazon EC2 instance needs to access an Amazon Simple 
                Storage Service (Amazon S3) bucket. 
            A policy granting permission to read and write that bucket can be created and assigned to an IAM 
                user,and the application can use the access key for that IAM user to access the Amazon S3 bucket
            The problem with this approach is that the access key for the user must be accessible to the
                application, probably by storing it in some sort of configuration file. 
                
            An alternative is to create an IAM role that grants the required access to the Amazon S3 bucket. 
            When the Amazon EC2 instance is launched, the role is assigned to the instance. 
            When the application running on the instance uses the Application Programming Interface (API) to 
                access the Amazon S3 bucket, it assumes the role assigned to the instance and obtains a 
                temporary token that it sends to the API. 
                
        Cross-Account Access
            Another common use case for IAM roles is to grant access to AWS resources to IAM users in other 
                AWS accounts
               
        Federation
            Many organizations already have an identity repository outside of AWS and would rather leverage 
                that repository than create a new and largely duplicate repository of IAM users. 
            Similarly, web-based applications may want to leverage web-based identities such as Facebook, 
                Google, or Login with Amazon. 
            IAM Identity Providers provide the ability to federate these outside identities with IAM and 
                assign privileges to those users authenticated outside of IAM.
            IAM can integrate with two different types of outside Identity Providers (IdP). 
            For federating web identities such as Facebook, Google, or Login with Amazon, IAM supports 
                integration via OpenID Connect (OIDC).
            For federating internal identities, such as Active Directory or LDAP, IAM supports integration 
                via Security Assertion Markup Language 2.0 (SAML). 
            A SAML-compliant IdP such as Active Directory Federation Services (ADFS) is used to federate the
                internal directory to IAM. 
            In each case, federation works by returning a temporary token associated with a role to the IdP 
                for the authenticated identity to use for calls to the AWS API.

#### Authentication
    There are three ways that IAM authenticates a principal:
    User Name/Password
        When a principal represents a human interacting with the console, the human will provide a user
            name/password pair to verify their identity. 
        IAM allows you to create a password policy enforcing password complexity and expiration.
        
    Access Key
        An access key is a combination of an access key ID (20 characters) and an access secret key (40
            characters). When a program is manipulating the AWS infrastructure via the API, it will use 
            these values to sign the underlying REST calls to the services. 
       
    Access Key/Session Token
        When a process operates under an assumed role, the temporary security token provides an access key 
            for authentication. In addition to the access key (remember that it consists of two parts), 
            the token also includes a session token. 
         Calls to AWS must include both the two-part access key and the session token to authenticate.

#### Authorization
    After IAM has authenticated a principal, it must then manage the access of that principal to protect your 
        AWS infrastructure. 
    The process of specifying exactly what actions a principal can and cannot perform is called authorization.
    Authorization is handled in IAM by defining specific privileges in policies and associating those policies 
        with principals.
    
    Policies
        A policy is a JSON document that fully defines a set of permissions to access and manipulate 
            AWS resources. Policy documents contain one or more permissions, with each permission defining
            
        Effect
            A single word: Allow or Deny.
            
        Service
            For what service does this permission apply? Most AWS Cloud services support granting access 
                through IAM, including IAM itself.
                
        Resource
            The resource value specifies the specific AWS infrastructure for which this permission applies. 
            This is specified as an Amazon Resource Name (ARN). 
            The format for an ARN varies slightly between services, but the basic format is:
            "arn:aws:service:region:account-id:[resourcetype:]resource"
            
        Action
            The action value specifies the subset of actions within a service that the permission allows
                or denies. For instance, a permission may grant access to any read-based action for Amazon S3.
            A set of actions can be specified with an enumerated list or by using wildcards (Read*).
           
        Condition
            The condition value optionally defines one or more additional restrictions that limit the actions
                allowed by the permission. 
            For instance, the permission might contain a condition that limits the ability to access a 
                resource to calls that come from a specific IP address range. 
            Another condition could restrict the permission only to apply during a specific time interval.

#### Associating Policies with Principals
    There are several ways to associate a policy with an IAM user; this section will only cover the most common.
    A policy can be associated directly with an IAM user in one of two ways:
    User Policy
        These policies exist only in the context of the user to which they are attached. 
        In the console, a user policy is entered into the user interface on the IAM user page.
        
    Managed Policies
        These policies are created in the Policies tab on the IAM page and exist independently of any 
            individual user. 
        In this way, the same policy can be associated with many users or groups of users. 
        
    There are two ways a policy can be associated with an IAM group:
    Group Policy
        These policies exist only in the context of the group to which they are attached. 
        In the AWS Management Console, a group policy is entered into the user interface on the IAM Group page.
    Managed Policies
        In the same way that managed policies can be associated with IAM users, they can also be associated 
            with IAM groups.

#### Other Key Features
    Multi-Factor Authentication (MFA)
    Rotating Keys
        To this end, it is a security best practice to rotate access keys associated with your IAM users.
        IAM facilitates this process by allowing two active access keys at a time. 
        The process to rotate keys can be conducted via the console, CLI, or SDKs:            
            Create a new access key for the user.
            Reconfigure all applications to use the new access key.
            Disable the original access key 
            Verify the operation of all applications.
            Delete the original access key.
    Resolving Multiple Permissions        
        Initially the request is denied by default.
        All the appropriate policies are evaluated; if there is an explicit “deny” found in any policy, 
            the request is denied and evaluation stops.
        If no explicit “deny” is found and an explicit “allow” is found in any policy, the request is allowed.
        If there are no explicit “allow” or “deny” permissions found, then the default “deny” is 
            maintained and the request is denied.