IAM (Identity and Access Management in AWS)
Hello Team,
I am a DevOps Support Engineer with 8.2 years of experience in Unix, shell scripting and SQL. About a year ago I started my journey as a DevOps support engineer, where I am involved in deployments, infrastructure monitoring using AWS CloudWatch, and automating simple tasks using shell scripts.
AWS IAM (Identity and Access Management) is a service provided by Amazon Web Services (AWS) that helps you manage access to your AWS resources. It's like a security system for your AWS account.
IAM allows you to create and manage users, groups, and roles. Users represent individual people or entities who need access to your AWS resources. Groups are collections of users with similar access requirements, making it easier to manage permissions. Roles are used to grant temporary access to external entities or services.
With IAM, you can control and define permissions through policies. Policies are written in JSON format and specify what actions are allowed or denied on specific AWS resources. These policies can be attached to IAM entities (users, groups, or roles) to grant or restrict access to AWS services and resources.
IAM is built around the principle of least privilege, meaning users and entities are given only the permissions required for their tasks, minimizing potential security risks. IAM also provides features like multi-factor authentication (MFA) for added security and an audit trail to track user activity and changes to permissions.
By using AWS IAM, you can effectively manage and secure access to your AWS resources, ensuring that only authorized individuals have appropriate permissions and actions are logged for accountability and compliance purposes.
Overall, IAM is an essential component of AWS security, providing granular control over access to your AWS account and resources, reducing the risk of unauthorized access and helping maintain a secure environment.
Let's discuss the components of IAM. They are classified into three types: Groups, Roles and Policies.
Groups: IAM groups are collections of users with similar access requirements. Instead of managing permissions for each user individually, you can assign permissions to groups, making it easier to manage access control. Users can be added or removed from groups as needed.
Roles: IAM roles are used to grant temporary access to AWS resources. Roles are typically used by applications or services that need to access AWS resources on behalf of users or other services. Roles have associated policies that define the permissions and actions allowed for the role.
Policies: IAM policies are JSON documents that define permissions. Policies can be attached to users, groups, or roles to control access. Policies specify the actions that can be performed on AWS resources and the resources to which the actions apply. IAM provides both AWS managed policies (predefined policies maintained by AWS) and customer managed policies (policies created and managed by you).
Here in the screenshot below I have created some S3 buckets.

Suppose a new joiner arrives and needs access only to certain AWS services. Under IAM --> Users --> Create user I created a user named newjoinee-786.


Under the password section I chose an auto-generated password.
Since I did not attach any policies, AWS attached the default policy named IAMUserChangePassword.

Now AWS user has been created.

Here I downloaded the .csv file and provided it to the user. Then we logged out of the account.
Now I click the IAM user button and provide the aws_account_id along with the IAM user name newjoinee-786. It then prompts for a password change, after which we see the screen below.

Now when the IAM user logs in, we can see that he cannot access many of the EC2 services because he has no permissions.

This shows the user has only authenticated; he cannot access any AWS resources. To fix this issue, let's log in as the root user

and then, under the Users section (IAM --> Users --> newjoinee-786 --> Add permissions),

Here under permissions I select S3 with full access. In the policy, "s3:*" represents every S3 action.


Now, under Permissions policies, two policies are attached by default.

Now I log in to the account again using the account_id, username and password. Here I can see the list of S3 buckets and can also create S3 buckets.


Creating users one by one and attaching permissions to each of them is a monotonous task. Instead, we can create groups and add users with similar requirements for a particular AWS resource to the group.
Now I log in to the account and go to IAM ---> User groups --> Create user group.


Now I have created the user group.

Once the group is created I will add users to it. I have added Champak and newjoinee-786 to the development group.

Now I attach AmazonEC2FullAccess. (In a real-world scenario I would log in as an IAM user while granting privileges to the user.)

Now i have provided EC2 full access.

Now when the user tries to access the resources, he can access the EC2 instances.
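To make the policy mechanics behind this walkthrough concrete, here is a small simulator of how IAM decides a request (added example; it is not AWS code and not part of the original post). It replays the steps above: a fresh user holding only IAMUserChangePassword, then S3 full access attached directly, then membership in the development group carrying EC2 full access. The three managed policies are simplified stand-ins for the real AWS managed policies of the same name, the account id is a placeholder, and DenyBucketDeletion is a constructed customer managed policy used to show that an explicit Deny always beats an Allow.

```python
"""Simplified IAM policy evaluation (added example; not AWS code).

Handles Effect/Action/Resource, IAM wildcards, the ${aws:username} policy
variable, and the explicit-deny > allow > implicit-deny ordering.  Real IAM
also evaluates SCPs, permission boundaries, resource policies, NotAction/
NotResource and Condition blocks, which this model leaves out.
"""
import fnmatch
import json

# Policy documents in the JSON shape IAM uses.  The three AWS managed policies
# are simplified stand-ins (assumption: only Effect/Action/Resource matter here);
# DenyBucketDeletion is a constructed customer managed policy.
POLICIES = {
    "IAMUserChangePassword": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:ChangePassword",
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Effect": "Allow", "Action": "iam:GetAccountPasswordPolicy", "Resource": "*"}]}),
    "AmazonS3FullAccess": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}),
    "AmazonEC2FullAccess": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}),
    "DenyBucketDeletion": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}),
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """Action names are case-insensitive; '*' and '?' are IAM wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(principal, action, resource, users, groups, policies=POLICIES):
    """Return 'Allow' or 'Deny' for one request.

    Mirrors IAM's order: an explicit Deny in any applicable statement wins,
    otherwise a matching Allow grants access, otherwise implicit deny.
    Policies come from the user directly and from every group it belongs to.
    """
    attached = list(users[principal]["policies"])
    for group in users[principal]["groups"]:
        attached.extend(groups[group])
    decision = "Deny"                       # implicit deny until an Allow matches
    for name in attached:
        # Resolve the ${aws:username} policy variable for this principal.
        doc = json.loads(policies[name].replace("${aws:username}", principal))
        for stmt in doc["Statement"]:
            if not any(_action_matches(p, action) for p in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"               # explicit deny: stop immediately
            decision = "Allow"
    return decision


def walkthrough():
    """Replay the console steps from the post and record each decision."""
    account = "123456789012"                # constructed placeholder account id
    users = {"newjoinee-786": {"policies": ["IAMUserChangePassword"], "groups": []},
             "Champak": {"policies": [], "groups": []}}
    groups = {"development": []}
    out = {}
    # 1. Fresh user: may change only its own password, nothing else.
    out["fresh_s3"] = evaluate("newjoinee-786", "s3:ListAllMyBuckets", "*", users, groups)
    out["fresh_own_pw"] = evaluate("newjoinee-786", "iam:ChangePassword",
                                   f"arn:aws:iam::{account}:user/newjoinee-786", users, groups)
    out["fresh_other_pw"] = evaluate("newjoinee-786", "iam:ChangePassword",
                                     f"arn:aws:iam::{account}:user/Champak", users, groups)
    # 2. Attach S3 full access directly to the user: S3 opens, EC2 stays closed.
    users["newjoinee-786"]["policies"].append("AmazonS3FullAccess")
    out["s3_after_attach"] = evaluate("newjoinee-786", "s3:CreateBucket",
                                      "arn:aws:s3:::demo-bucket", users, groups)
    out["ec2_after_attach"] = evaluate("newjoinee-786", "ec2:DescribeInstances", "*", users, groups)
    # 3. Put both users in a group carrying EC2 full access plus a guard-rail deny.
    groups["development"] = ["AmazonEC2FullAccess", "DenyBucketDeletion"]
    for user in ("Champak", "newjoinee-786"):
        users[user]["groups"].append("development")
    out["ec2_via_group"] = evaluate("newjoinee-786", "ec2:DescribeInstances", "*", users, groups)
    out["champak_ec2"] = evaluate("Champak", "ec2:RunInstances", "*", users, groups)
    out["champak_s3"] = evaluate("Champak", "s3:ListAllMyBuckets", "*", users, groups)
    # The group's explicit Deny beats the user's own s3:* Allow.
    out["delete_bucket"] = evaluate("newjoinee-786", "s3:DeleteBucket",
                                    "arn:aws:s3:::demo-bucket", users, groups)
    return out
```

Running `walkthrough()` returns Deny for every S3 and EC2 call on the fresh user, Allow for S3 once AmazonS3FullAccess is attached, Allow for EC2 only after the group membership, and Deny for s3:DeleteBucket even though the user still holds s3:*, which is why a group-level Deny is a useful guard-rail when you hand out broad managed policies.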

AWS CLI
1. What is the AWS Command Line Interface (CLI)?
The AWS Command Line Interface (CLI) is a unified tool that allows you to interact with various AWS services using command-line commands.
2. Why would you use the AWS CLI?
The AWS CLI provides a convenient way to automate tasks, manage AWS resources, and interact with services directly from the command line, making it useful for scripting and administration.
3. How do you install the AWS CLI?
You can install the AWS CLI on various operating systems using package managers or by downloading the installer from the AWS website.
4. What is the purpose of AWS CLI profiles?
AWS CLI profiles allow you to manage multiple sets of AWS security credentials, making it easier to switch between different accounts and roles.
5. How can you configure the AWS CLI with your credentials?
You can configure the AWS CLI by running the aws configure command, where you provide your access key, secret key, default region, and output format.
6. What is the difference between IAM user-based credentials and IAM role-based credentials in the AWS CLI?
IAM user-based credentials are long-term access keys associated with an IAM user, while IAM role-based credentials are temporary credentials obtained by assuming a role using the sts assume-role command.
7. How can you interact with AWS services using the AWS CLI?
You can interact with AWS services by using AWS CLI commands specific to each service. For example, you can use aws ec2 describe-instances to list EC2 instances.
8. What is the syntax for AWS CLI commands?
The basic syntax for AWS CLI commands is aws <service-name> <operation> [options], where you replace <service-name> with the service you want to interact with and <operation> with the desired action.
9. How can you list available AWS CLI services and commands?
You can run aws help to see a list of AWS services and the corresponding commands available in the AWS CLI.
10. What is the purpose of output formatting options in AWS CLI commands?
Output formatting options allow you to specify how the results of AWS CLI commands are presented. Common options include JSON, text, table, and YAML formats.
11. How can you filter and format AWS CLI command output?
You can use filters like --query to extract specific data from AWS CLI command output, and you can use --output to choose the format of the output.
12. How can you create and manage AWS resources using the AWS CLI?
You can create and manage AWS resources using commands such as aws ec2 create-instance for EC2 instances or aws s3 cp to copy files to Amazon S3 buckets.
13. How does AWS CLI handle pagination of results?
Some AWS CLI commands return paginated results. You can use the --max-items and --page-size options to control the number of items displayed per page.
14. What is the AWS SSO (Single Sign-On) feature in the AWS CLI?
The AWS SSO feature in the AWS CLI allows you to authenticate and obtain temporary credentials using an AWS SSO profile, simplifying the management of credentials.
15. Can you use the AWS CLI to work with AWS CloudFormation?
Yes, you can use the AWS CLI to create, update, and delete CloudFormation stacks using the aws cloudformation commands.
16. How can you debug AWS CLI commands?
You can use the --debug option with AWS CLI commands to get detailed debug information, which can help troubleshoot issues.
17. Can you use the AWS CLI in AWS Lambda functions?
Yes, AWS Lambda functions can use the AWS CLI by packaging it with the function code and executing CLI commands from within the function.
18. How can you secure the AWS CLI on your local machine?
You can secure the AWS CLI on your local machine by using IAM roles, IAM user-based credentials, and the AWS CLI's built-in encryption mechanisms for configuration files.
19. How can you update the AWS CLI to the latest version?
You can update the AWS CLI to the latest version using package managers like pip (Python package manager) or by downloading the installer from the AWS website.
20. How do you uninstall the AWS CLI?
To uninstall the AWS CLI, you can use the package manager or the uninstaller provided by the installer you used to install it initially.
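Questions 4, 6 and 18 above turn on one file pair: the ~/.aws/config and ~/.aws/credentials files that `aws configure` writes. The following added example (my own code, not part of the AWS CLI or of the original post) parses constructed copies of those two files, classifies every profile as long-term IAM user keys, an assume-role profile or an SSO profile, and reports the weak spots a reviewer would look for: long-term keys on disk, a role assumed without mfa_serial, and a credentials file readable by other users. The access key and secret are the placeholder values AWS uses in its own documentation; the account id, role name and SSO start URL are constructed.

```python
"""Inventory and audit of AWS CLI profiles (added example; not AWS CLI code)."""
import configparser
import os
import stat

# Constructed ~/.aws/config: the default profile uses a bare [default] header,
# every other profile uses [profile <name>], exactly as the AWS CLI expects.
CONFIG_TEXT = """\
[default]
region = us-east-1
output = json

[profile dev]
region = us-east-1
role_arn = arn:aws:iam::123456789012:role/DevOpsDeploy
source_profile = default

[profile sso-admin]
sso_start_url = https://example.awsapps.com/start
sso_region = us-east-1
sso_account_id = 123456789012
sso_role_name = AdministratorAccess
region = us-east-1
"""

# Constructed ~/.aws/credentials holding the AWS documentation example key pair.
CREDENTIALS_TEXT = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile_name: {key: value}}."""
    profiles = {}
    cfg = configparser.ConfigParser()
    cfg.read_string(config_text)
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles.setdefault(name, {}).update(cfg[section])
    cred = configparser.ConfigParser()
    cred.read_string(credentials_text)
    for section in cred.sections():        # credentials file never uses the 'profile ' prefix
        profiles.setdefault(section, {}).update(cred[section])
    return profiles


def classify(settings):
    """Which kind of credential source a profile resolves to."""
    if "sso_start_url" in settings or "sso_session" in settings:
        return "sso"                        # short-lived credentials via AWS SSO login
    if "role_arn" in settings:
        return "assume-role"                # short-lived STS credentials
    if "aws_access_key_id" in settings:
        return "long-term-key"              # static IAM user access key on disk
    return "incomplete"


def audit(profiles):
    """Return one human-readable finding per weak spot."""
    findings = []
    for name, settings in profiles.items():
        kind = classify(settings)
        if kind == "long-term-key":
            findings.append(f"{name}: long-term IAM user access key stored on disk; "
                            "prefer an assume-role or SSO profile and rotate the key regularly")
        elif kind == "assume-role":
            if "mfa_serial" not in settings:
                findings.append(f"{name}: role assumed without mfa_serial, so no MFA is enforced")
            source = profiles.get(settings.get("source_profile", ""), {})
            if classify(source) == "long-term-key":
                findings.append(f"{name}: role credentials are bootstrapped from the long-term key "
                                f"in profile '{settings['source_profile']}'")
        elif kind == "incomplete":
            findings.append(f"{name}: no credential source configured")
    return findings


def too_permissive(mode):
    """True if a file mode grants any group/other access; credentials should be 0600."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def check_local_files():
    """Apply the permission check to the real files, if present on this machine."""
    findings = []
    for path in ("~/.aws/config", "~/.aws/credentials"):
        full = os.path.expanduser(path)
        if os.path.exists(full) and too_permissive(os.stat(full).st_mode):
            findings.append(f"{path}: readable by other users; run chmod 600")
    return findings


if __name__ == "__main__":
    for line in audit(load_profiles(CONFIG_TEXT, CREDENTIALS_TEXT)) + check_local_files():
        print(line)
```

On the constructed input the audit reports three findings: the default profile keeps a long-term key on disk, and the dev profile both assumes its role without MFA and bootstraps that role from the long-term key. The sso-admin profile produces nothing, which is the shape to aim for on a laptop: no static secrets, only short-lived credentials obtained at login.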
Path to download the AWS CLI: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

Click the above URL and install the AWS CLI. Then go to the link below.

Under Security credentials ---> Create access key (download the .csv file).

Now, if I want to see the S3 bucket details, the command is shown below.


