Wednesday, 13 April 2022

Amazon Web Services (AWS) Identity and Access Management (IAM)

Introduction
The explanation is as follows
- Configure and manage users.
- This service is an integral part of AWS.
IAM Components
1. Users
The explanation is as follows
Users are individual AWS accounts that can be granted access to your AWS resources. You can assign users specific permissions with policies or assign them to groups so they inherit the group's permissions. This means you can give different levels of access to certain services and control what types of actions each user is able to perform. 
2. Groups
The explanation is as follows
Groups are collections of users that share the same set of permissions. When you assign a policy to a group, all members of the group will receive those same permissions. AWS IAM groups provide a secure and consistent way for teams with varying needs and roles to access cloud resources without needing multiple administrative logins.
3. Policies
The explanation is as follows
Policies define what actions a user or service may take on AWS resources. They are written using JSON and contain one or more statements that control who has access, what actions they may take, and which resources they can access. Policies are assigned to users or groups and govern how they interact with AWS resources, such as Amazon S3 buckets and EC2 instances. 
Example
We do it like this
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
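The policy above is evaluated by IAM as "implicit deny unless something allows, and an explicit Deny always wins", with wildcards allowed in Action and Resource. The following is an added example, not code from the original post, that models exactly those rules so the decision for a given request can be traced by hand. It uses the post's ListBucket policy unchanged and adds a second, constructed policy (OBJECT_POLICY, bucket path secrets/ and the actions in it are made up) to show an explicit Deny overriding a broad Allow. Condition, NotAction, NotResource and permissions boundaries are deliberately not modelled.

```python
import json
import re

# Added example, not code from the original post: a small evaluator for
# identity-based IAM policies. It models three rules of IAM evaluation:
#   1. a request is implicitly denied unless some statement allows it,
#   2. an explicit "Deny" statement overrides every "Allow",
#   3. "Action" and "Resource" accept * (any run of characters) and ? (one
#      character) wildcards; action names are case-insensitive, ARNs are not.
# Condition, NotAction, NotResource and permissions boundaries are not
# modelled, so this is a teaching aid, not a replacement for the IAM
# policy simulator.

# Policy copied from the post above. A single statement object is valid;
# "Statement" may also be a list.
BUCKET_LIST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
""")

# Constructed second policy: broad object access with one explicit Deny.
OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example_bucket/*",
        },
        {
            "Effect": "Deny",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example_bucket/secrets/*",
        },
    ],
}


def _as_list(value):
    """IAM lets most elements be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """Match an IAM-style pattern: * is any run of characters, ? one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _statement_applies(stmt, action, resource):
    action_hit = any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action")))
    resource_hit = any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource")))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request,
    considering every statement of every attached policy."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"  # deny wins, no need to look further
            if stmt.get("Effect") == "Allow":
                decision = "Allow"  # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    attached = [BUCKET_LIST_POLICY, OBJECT_POLICY]
    for act, res in [
        ("s3:ListBucket", "arn:aws:s3:::example_bucket"),
        ("s3:GetObject", "arn:aws:s3:::example_bucket/public/readme.txt"),
        ("s3:GetObject", "arn:aws:s3:::example_bucket/secrets/db.key"),
        ("ec2:DescribeInstances", "*"),
    ]:
        print(f"{act:22} {res:52} -> {evaluate(attached, act, res)}")
```

Running the block shows that the post's policy alone allows only the bucket listing; object reads need the second policy, and anything under secrets/ stays denied even though s3:* was allowed on the whole bucket.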
4. Roles
The explanation is as follows
Roles are similar to groups. They also have associated policies, but roles are not tied to a particular user or group. They can be used to grant limited access to applications and users, allowing for greater security and control over resources. For example, an IAM Role can be assigned to an IAM user, and this role will determine what part of the AWS environment they have access to, such as EC2 instances or S3 buckets. Each IAM Role also includes a set of permissions rules which further limit what user activities can be performed within that role's scope. 
Difference Between a Resource-Based Policy and an IAM Policy
The explanation is as follows
A resource-based policy is a mechanism available on several types of AWS resources that allows granting access directly to the resource. In contrast to an IAM policy, which can only grant permissions to the principals managed in the account, a resource-based policy allows granting access to principals outside the account.
Example
We write a statement like this (it goes inside the policy's "Statement" array)
{
  "Sid": "AllowAccessToExternalAccount",
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
  },
  "Action": [
    "<service>:<PermissionName>"
  ],
  "Resource": "<RESOURCE_ARN>"
}
The explanation is as follows
In this case, the "Principal" field names the root of another account, which lets that account, through its own IAM policies, grant the access on to the principals it manages.
However, doing the following is dangerous. In that case the permission is granted to everyone in AWS, not just to one account
{
  "AWS": "*"
}
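Two things in the passage above are easy to get wrong in practice: what a given "Principal" value actually covers, and how a resource-based policy combines with the caller's identity-based policy across account boundaries. The following added example, which is not code from the original post, models both. It fills the post's placeholders with constructed values (external account 123456789012, action s3:GetObject, bucket example_bucket), adds a constructed PUBLIC_POLICY carrying the "AWS": "*" pattern the post warns about, and exposes two checks: access_decision applies the same-account versus cross-account rule, and public_statements lists the statements that any principal can use. Action, Resource and Condition matching are not modelled here; identity_allows stands for the result of evaluating the caller's own identity-based policies.

```python
import re

# Added example, not code from the original post: who is granted access by
# the "Principal" element of a resource-based policy statement, and how the
# cross-account rule combines it with the caller's own identity-based policy.
# Modelled principal forms:
#   "*" or {"AWS": "*"}                      -> every AWS principal (the
#                                               dangerous case from the post)
#   {"AWS": "arn:aws:iam::<account>:root"}   -> any principal of that account
#   {"AWS": "<12-digit account id>"}         -> shorthand for the root ARN
#   {"AWS": "arn:aws:iam::<account>:user/x"} -> exactly that user
# Condition, Action and Resource matching are not modelled.

# The post's statement with constructed placeholder values: 123456789012 is
# the external account; the action and resource are made up for the example.
EXTERNAL_ACCOUNT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccessToExternalAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example_bucket/*",
    }],
}

# Constructed policy carrying the pattern the post warns about.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanRead",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example_bucket/*",
    }],
}

ACCOUNT_RE = re.compile(r"^arn:aws:(?:iam|sts)::(\d{12}):")


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """12-digit account id of an IAM/STS ARN, or None if it has none."""
    m = ACCOUNT_RE.match(arn)
    return m.group(1) if m else None


def is_wildcard_principal(principal):
    """True for "*" and {"AWS": "*"}: the statement applies to everyone."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def principal_matches(principal, caller_arn):
    """True if the statement's Principal covers caller_arn."""
    if is_wildcard_principal(principal):
        return True
    entries = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    for entry in entries:
        if entry == caller_arn:
            return True
        if re.fullmatch(r"\d{12}", entry):          # bare account id shorthand
            entry = f"arn:aws:iam::{entry}:root"
        if entry.endswith(":root") and account_of(entry) == account_of(caller_arn):
            return True
    return False


def resource_policy_allows(policy, caller_arn):
    return any(
        stmt.get("Effect") == "Allow" and principal_matches(stmt.get("Principal"), caller_arn)
        for stmt in _as_list(policy.get("Statement"))
    )


def access_decision(resource_account, resource_policy, caller_arn, identity_allows):
    """Combine both policy types. identity_allows is the outcome of the
    caller's identity-based policies in its own account (not computed here).
    Same account: an Allow from either policy type is enough.
    Cross-account: the resource-based policy AND the caller's identity-based
    policy must both allow the request."""
    from_resource = resource_policy_allows(resource_policy, caller_arn)
    if account_of(caller_arn) == resource_account:
        return from_resource or identity_allows
    return from_resource and identity_allows


def public_statements(policy):
    """Sids of Allow statements that every principal can use and that carry
    no Condition to narrow them down; this is what the post calls dangerous."""
    return [
        stmt.get("Sid", "<no Sid>")
        for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        and is_wildcard_principal(stmt.get("Principal"))
        and "Condition" not in stmt
    ]
```

Note that granting the external account's root only makes the access possible; an administrator in 123456789012 still has to allow it for alice in an identity-based policy, which is why the cross-account branch of access_decision requires both.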

IAM Examples
Example - Creating a User
The steps are as follows
- Login to your AWS account and open IAM service. Click Users under Access Management.
- Click Add users button to set the user details and credential type as shown below.
- Enter jmeter-s3-access in User name and check Access key - Programmatic access.
- This user will have access to the AWS service programmatically, not from the user console. Click Next: Permissions.
- In the Set permissions section, click Attach existing policies directly, and filter the policies of S3 by typing s3.
- For demonstration purposes, let us go with AmazonS3FullAccess. Check AmazonS3FullAccess and then click Next: Tags. For a production server, follow the zero trust framework instead.
- Adding tags is optional, but it is recommended to add relevant key-value pairs.
- Click Review and then click on Create user.
- Copy the Access key ID and Secret access key to a secured location. Alternatively, you can download the .csv file.
Example - Creating an Access Key
The steps are as follows
Go to Services -> IAM -> Users -> Your-User-Name -> Security Credentials -> Create Access Key.
Example - Creating a Role
The steps are as follows. Here a role is created for a Lambda function that will consume SNS
- Open the IAM console and click on Roles.
- Click on Create Role.
- Select Lambda from the use cases list and click next.
- In attach permission policies, search for SNS.
- Choose Read-Only Access from the list.
- Finish the steps by giving the role a descriptive name.
First a "service" is selected, then a "use case" for that service. For EKS, for example, there are two "use cases" to choose from.

Example - Creating a Role (EC2 use case)
The steps are as follows
- Search for IAM Service in the search bar.
- On the right side, go to Access Management -> Roles.
- Click on Create role.
- Select the type of trusted entity as AWS Service.
- Choose a use case as EC2.
- Click on the Next: Permissions button.
- On the permissions page, select the AmazonEC2RoleforAWSCodeDeploy policy and click on the Next: Tags button.
- Leave the Tags tab as it is (tags are optional) and click on the Next: Review button.
- Enter ec2_role as the Role name and click on the Create Role button.
- Open the ec2_role role and go to the Trust Relationships tab.
- Click on the Edit trust relationship tab. Copy-paste the content below and click on the Update Trust Policy button.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
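The trust policy is the role's own resource-based policy: it decides who may call sts:AssumeRole on ec2_role, so it deserves a review before it is saved. The following is an added example and not code from the original post. It takes the trust policy above (with straight quotes, since the console rejects the typographic quotes a copy-paste from a web page often carries) and checks it against a constructed allowlist of expected service principals and assumption actions; anything broader, such as a trusted IAM principal or a wildcard, is reported as a finding. The allowlist contents and the BAD_TRUST_POLICY used for contrast are assumptions made for this example.

```python
import json

# Added example, not code from the original post: a pre-save review of a
# role trust policy. A trust policy is the role's resource-based policy and
# decides who may assume the role, so it should trust exactly the expected
# principals and grant only the role-assumption actions.

# Trust policy from the post, with straight quotes.
EC2_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

# Constructed policy for contrast: anyone in AWS may assume with any STS action.
BAD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "sts:*",
    }],
}

# Constructed allowlist for ec2_role: only the EC2 service should assume it.
EXPECTED_SERVICES = {"ec2.amazonaws.com"}
# Actions a trust policy legitimately grants (compared case-insensitively).
ASSUME_ACTIONS = {"sts:assumerole", "sts:tagsession", "sts:setsourceidentity"}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def review_trust_policy(policy, expected_services):
    """Return human-readable findings; an empty list means the policy trusts
    only the expected service principals and only for role assumption."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append("wildcard Principal: any AWS principal can assume the role")
            principal = {}
        if not isinstance(principal, dict):
            principal = {}
        for entry in _as_list(principal.get("AWS")):
            if entry == "*":
                findings.append("wildcard AWS principal: any account can assume the role")
            else:
                findings.append(f"IAM principal trusted, not a service: {entry}")
        for entry in _as_list(principal.get("Service")):
            if entry not in expected_services:
                findings.append(f"unexpected service principal: {entry}")
        for entry in _as_list(principal.get("Federated")):
            findings.append(f"federated principal trusted: {entry}")
        for action in _as_list(stmt.get("Action")):
            if action.lower() not in ASSUME_ACTIONS:
                findings.append(f"unexpected action in trust policy: {action}")
    return findings


if __name__ == "__main__":
    for name, policy in [("ec2_role", EC2_TRUST_POLICY), ("bad_role", BAD_TRUST_POLICY)]:
        findings = review_trust_policy(policy, EXPECTED_SERVICES)
        print(name, "->", findings or "no findings")
```

The check is meant to run on the JSON before it is pasted into the Edit trust relationship dialog; a non-empty result is the signal to tighten the Principal or the Action before clicking Update Trust Policy.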
