Labs ICT
โญ Pro Login

IAM and Security

Identity and Access Management for secure cloud access

Identity and Access Management (IAM) is the foundation of AWS security. It controls who can access which resources and what actions they can perform. Getting IAM right is critical: misconfigured IAM is one of the top causes of cloud security breaches.

IAM Components

  ┌─────────────────────────────────────────────────────┐
  │                IAM STRUCTURE                        │
  │                                                     │
  │  Root Account (you)                                 │
  │     │                                               │
  │     ├── Users (individuals)                         │
  │     │    └── Access keys + password                 │
  │     │                                               │
  │     ├── Groups (collections of users)               │
  │     │    └── Developers, Admins, Analysts           │
  │     │                                               │
  │     ├── Roles (assumed by users/services)           │
  │     │    └── EC2 role, Lambda role, Cross-account   │
  │     │                                               │
  │     └── Policies (JSON permission documents)        │
  │          └── Allow/Deny specific actions            │
  │                                                     │
  │  ┌──────────────────────────────────────────────┐   │
  │  │  {                                           │   │
  │  │    "Effect": "Allow",                        │   │
  │  │    "Action": "s3:GetObject",                 │   │
  │  │    "Resource": "arn:aws:s3:::my-bucket/*"    │   │
  │  │  }                                           │   │
  │  └──────────────────────────────────────────────┘   │
  └─────────────────────────────────────────────────────┘

Best Practices

Enable MFA: Multi-factor authentication adds a second layer of security. Enable it on all users, especially the root account.

Use least privilege: Grant only the permissions needed for the task. Start restrictive, add permissions as needed.

Use roles over access keys: IAM roles are safer than long-lived access keys. EC2 instances and Lambda functions should use roles.

Rotate credentials: Regularly rotate access keys and passwords. Use AWS Secrets Manager for automatic rotation.

Audit with CloudTrail: Log all API calls to detect suspicious activity.

IAM Policy Example


  Allow read-only access to a specific S3 bucket:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::my-app-bucket",
          "arn:aws:s3:::my-app-bucket/*"
        ]
      }
    ]
  }

  Deny access to everything except specific services:
  (Use a Service Control Policy (SCP) or a permission boundary; both cap the
  maximum permissions an identity-based policy can grant.)
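To see how AWS evaluates a policy like the one above, here is an added example (not code from the original page) that models the core decision rule, implicit deny by default, an explicit Deny overriding any Allow, with the page's read-only bucket policy embedded as input, plus a small least-privilege check that flags wildcard grants. It assumes only the Effect/Action/Resource fields; NotAction, Condition and cross-policy merging are deliberately left out.

```python
import fnmatch
import json

# The read-only bucket policy shown on this page, embedded for an offline run.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-app-bucket", "arn:aws:s3:::my-app-bucket/*"]
  }]
}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)

def _matches(pattern, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: implicit deny by default, a matching Allow grants,
    a matching explicit Deny wins. NotAction, NotResource, Condition and the merge
    with SCPs, permission boundaries and resource policies are out of scope."""
    decision = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are case-sensitive.
        action_hit = any(_matches(p, action, False) for p in _as_list(stmt["Action"]))
        resource_hit = any(_matches(p, resource, True) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision

def overbroad_statements(policy):
    # Least-privilege check: indices of Allow statements that grant every action
    # ("*"), every action of one service ("s3:*"), or every resource ("*").
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        acts = _as_list(stmt["Action"])
        if any(a == "*" or a.endswith(":*") for a in acts) or "*" in _as_list(stmt["Resource"]):
            flagged.append(i)
    return flagged
```

Run `overbroad_statements` over a candidate policy before attaching it; an empty list means every Allow names specific actions and resources.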

Root Account Protection

Your root account has full access to everything. Lock it down: enable MFA, never use it for daily tasks, create an admin user for everyday work, and set up billing alerts to detect unauthorized usage.

🧪 Quick Quiz

What is the purpose of IAM in AWS?