Amazon Identity and Access Management (IAM) is a web service that allows one to manage users and groups, and assign permissions to them as needed to improve the security of one's Amazon Web Services (AWS) account. By using IAM you can easily consolidate billing, make key rotation easier, and limit the damage that a compromised set of credentials can cause. The objective of this primer is to familiarize the reader with IAM's functionality and terminology. For more detailed documentation, see the AWS website. For help with Fedora on EC2, ask the Fedora Cloud SIG.
IAM involves several types of entities as well as permissions that you grant to entities in your AWS account.
When you sign up for AWS you create an account, an entity that centrally controls all the resources that you create and pays for all of its activity. An account is similar to the superuser on a regular computer in that it always has permission to use all of AWS's functionality. It also has a password that allows you to access the AWS website and view billing information.
A user is an entity that represents a person, a computer, or a program that can interact with AWS in the same manner as an account. Unlike an account, however, you can restrict a user to a subset of all of AWS's functionality.
Both accounts and users use security credentials to interact with AWS programmatically. Tools use security credentials to cryptographically sign the messages they send to AWS so they can prove who they represent. Whether a set of credentials belongs to a user or an account, the ways in which they are used are identical.
There are three types of security credentials:
Access keys come in pairs: a secret access key and an access key ID. Most tools require this type of credentials.
An X.509 Certificate (the same type of certificate used by web servers everywhere) comes with a matching private key. Whether or not this type of credential is necessary depends on the tools you use.
A login profile is a username and password that allow a user to log into the AWS website. Since accounts are always associated with their own passwords they cannot have login profiles.
A group is a collection of users. By sorting users into groups you can simplify user management. A given user can belong to more than one group.
A resource is an object in an AWS service that you can interact with, such as a bucket or object in Amazon S3. Resources typically have both human-readable names (e.g. mybucket) and unique, machine-readable names.
A policy states that a user or group is allowed to access a set of resources or run a set of commands in AWS. For instance, a policy may state that the S3 bucket called
mybucket should be readable by the users
bob. Alternatively, a permission may state that the user
alice has permission to run instances in Amazon EC2.
Policies can deny access instead of allowing access.
Policies are discussed in detail in Amazon's IAM documentation.
Why Use IAM?
Using account credentials for everything is akin to logging into a computer as the
root user for daily work. While it may be easier, doing so opens you up to unnecessary risks in the event of a mistake of a breach of security.
Some examples of when IAM is useful include:
- Limiting the effects of errors in automated scripts
- Providing limited, short-term accounts for a Fedora test day inside of EC2