IAM Authentication and Authorization
Here, we will learn the concept of IAM Authentication and Authorization.
IAM authentication methods for a Principal
- User Name/Password – IAM allows an administrator to create a password policy enforcing password complexity and expiration.
- Access Key – a combination of an access key ID (20 characters) and a secret access key (40 characters). Used by programs that manipulate AWS infrastructure via the API; these values are used to sign REST calls to services. The AWS SDKs and tools handle all the intricacies of signing the REST calls.
- Access Key/Session Token – when a process operates under an assumed role, a temporary security credential provides an access key for authentication. Along with the access key, the credential includes a session token. Calls to AWS must include both the two-part access key and the session token to authenticate.
- When an IAM user is created, it has neither an access key nor a password; the IAM administrator can set up either or both.
- Console users cannot use their console credentials to run a program that accesses the AWS infrastructure.
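To make the access-key and session-token bullets concrete, the following Python example (added here; it is not code from the original page or from AWS) shows how a program signs a REST call with Signature Version 4: the secret access key never travels on the wire, only a scoped signing key derived from it, and when the caller holds temporary credentials the session token is sent as an extra signed header. The credentials are the placeholder values AWS uses in its documentation plus a constructed session token, and the canonical-request construction is simplified (the path and query are assumed already canonical).

```python
import hashlib
import hmac

# Constructed sample credentials: the placeholder values AWS uses in its
# documentation, not real keys. Note the lengths: 20 and 40 characters.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"  # constructed, not a real token


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the secret is never sent; a key scoped to
    date/region/service is derived from it and used to sign."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_request(method, host, path, query, payload, access_key_id, secret,
                 region, service, amz_date, session_token=None):
    """Return the headers of a SigV4-signed request (simplified canonicalization:
    path and query are assumed already canonical, only three headers are signed)."""
    date_stamp = amz_date[:8]  # amz_date looks like 20240101T120000Z
    headers = {"host": host, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials from an assumed role must also send the token.
        # Because it is a signed header, tampering with it breaks the signature.
        headers["x-amz-security-token"] = session_token
    signed_header_names = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_request = "\n".join([method, path, query, canonical_headers,
                                   signed_header_names, payload_hash])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
        f"SignedHeaders={signed_header_names}, Signature={signature}"
    )
    return headers


def demo(session_token=None):
    """Sign a constructed S3 ListObjects call, with or without a session token."""
    return sign_request("GET", "s3.amazonaws.com", "/example-bucket", "list-type=2", b"",
                        ACCESS_KEY_ID, SECRET_ACCESS_KEY, "us-east-1", "s3",
                        "20240101T120000Z", session_token)


if __name__ == "__main__":
    for name, value in demo(SESSION_TOKEN).items():
        print(f"{name}: {value}")
```

The Authorization header carries only the access key ID (which identifies the principal) and the signature; the service re-derives the same scoped key from the secret it holds and compares. A leaked Authorization header is therefore bound to one date, region, service and request body, which is why the secret itself, and any session token, are the values that must be protected.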
IAM Authorization
- After IAM has authenticated a principal, the next step is to manage that principal's access in order to protect the AWS infrastructure.
- Authorization is the process of specifying exactly what actions a principal can and cannot perform.
- Authorization is handled in IAM by defining specific privileges in policies and associating those policies with principals.
- A policy is a JSON document defining a set of permissions to access and manipulate AWS resources.
- A policy document consists of one or more permissions.
- Each permission defines:
  - Effect – Allow or Deny. Permissions apply to most AWS Cloud services, which support granting access through IAM, including IAM itself.
  - Resource – specifies the specific AWS infrastructure to which this permission applies, given as an Amazon Resource Name (ARN), whose format varies slightly between services.
  - Action – defines the subset of actions within a service that the permission permits or denies. Can be specified with an enumerated list or by using wildcards (Read*).
  - Condition – defines one or more additional restrictions limiting the actions allowed by the permission, such as restricting access to a resource to a specific IP address range.
- A sample policy would allow a principal to list objects in a specific bucket and to retrieve those objects, but only if the call comes from a specific IP address.
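The following Python example is added here to illustrate both the four permission elements and the sample policy just described; it is not code from the original page or from AWS. It embeds a constructed policy (bucket name `example-bucket`, source range `203.0.113.0/24`, both chosen for illustration) and a small evaluator that applies IAM's basic decision logic: deny by default, allow when a statement matches on Action, Resource and Condition, and let an explicit Deny override any Allow. The evaluator supports only the `IpAddress` and `NotIpAddress` condition operators and treats a missing condition key as unmet, which is a simplification of the real service.

```python
import fnmatch
import ipaddress
import json

# Constructed sample policy: list one bucket and read its objects, but only
# from 203.0.113.0/24 (a documentation address block, chosen for illustration).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket",
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _match(pattern: str, value: str) -> bool:
    """Action/Resource matching: case-insensitive with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate the Condition block against the request context.
    Only IpAddress/NotIpAddress on IP-valued keys are supported here;
    any other operator, or a missing key, is treated as unmet (simplification)."""
    for operator, pairs in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        for key, allowed in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            nets = [ipaddress.ip_network(n) for n in _as_list(allowed)]
            in_range = any(ipaddress.ip_address(actual) in n for n in nets)
            if operator == "IpAddress" and not in_range:
                return False
            if operator == "NotIpAddress" and in_range:
                return False
    return True


def evaluate(policies, action: str, resource: str, context: dict) -> str:
    """Return "Allow" or "Deny": implicit deny unless some statement allows,
    and an explicit Deny overrides every Allow."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_match(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins, no need to look further
            decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.5"}))
    print(evaluate([SAMPLE_POLICY], "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.7"}))
    print(evaluate([SAMPLE_POLICY], "s3:DeleteObject", obj, {"aws:SourceIp": "203.0.113.5"}))
```

Two details are worth noticing when reading the policy. `s3:ListBucket` is granted on the bucket ARN itself while `s3:GetObject` needs the `/*` object-level ARN, which is the "varies slightly between services" point about resources; and a statement with no `Condition` block (such as an explicit `Deny` on `s3:*`) matches unconditionally, so passing such a policy alongside `SAMPLE_POLICY` turns every previously allowed call into a Deny.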