Introduction to IAM
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. It is used to create and manage AWS users and groups so that access to AWS services and resources can be granted in a controlled way. Every AWS account starts with one root user, created when the account is opened, which has complete control over the account. In an enterprise account where multiple stakeholders (developers, systems administrators and so on) are involved, it is important to give each of them only the authorized access they need to their respective services. IAM is offered at no charge for every AWS account.
IAM can be accessed in two ways:
- Go to Account -> Security, Identity & Compliance -> IAM
- Go to Account -> My Security Credentials -> Dashboard
The dashboard shows a Security Status for the account; any item shown in orange should be addressed until it turns green, i.e. healthy. Generally, there are five points to secure an AWS account, as below.
- Deleting root access keys
- Activating MFA on the root account
- Create Individual IAM Users
- User groups and permissions
- Apply IAM password policy
Deleting root access keys
- Root access keys are the root user's Access Key ID and Secret Access Key.
- If the root user has an active access key pair, anyone who obtains it can use the account's resources with full privileges. For that reason the root access keys should be deleted, and created only when strictly necessary.
- To delete the keys, go to the Delete Root Access Keys tab -> Manage Security Credentials -> delete the keys that are active.
- Now the Security Status for Delete Root Keys in the Dashboard should have turned green.
Enabling MFA for the root account
- By default, the AWS account asks only for a username and password; since the root account is so important, we should add more security to it.
- We will use MFA (Multi-Factor Authentication) as another layer of protection; it provides a unique one-time code for each login.
- A virtual or hardware MFA device can be used to generate the code. In the video, the Google Authenticator smartphone app is used as the virtual device.
- Register your device with your AWS account by clicking the “+” sign at the top right of the app and scanning the barcode.
- Enter two consecutive codes shown on the virtual device, one after the other.
- Once the virtual device is added, the security status should turn green.
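The five Security Status items above, including the root access key and root MFA checks just described, can also be evaluated outside the console. The following is an added example, not code from the original tutorial: it parses the JSON that `aws iam get-account-summary` prints (the same data boto3 returns as `SummaryMap`) and reports each dashboard item as green or orange. The sample output is constructed for this example, and the mapping from dashboard items to `SummaryMap` counters is this example's own approximation, not documented console behaviour. Whether a password policy exists is passed in as a flag because it comes from a separate call (`aws iam get-account-password-policy`, which fails with NoSuchEntity when none is set).

```python
import json

# Constructed sample in the shape printed by `aws iam get-account-summary`.
# Values are made up for this example; a real account will differ.
SAMPLE_SUMMARY_JSON = """
{
  "SummaryMap": {
    "AccountAccessKeysPresent": 1,
    "AccountMFAEnabled": 0,
    "Users": 0,
    "Groups": 0,
    "MFADevices": 0,
    "MFADevicesInUse": 0,
    "Policies": 0
  }
}
"""


def parse_summary(cli_output):
    """Extract SummaryMap from the JSON text printed by `aws iam get-account-summary`."""
    return json.loads(cli_output)["SummaryMap"]


def security_status(summary_map, password_policy_present):
    """Map the dashboard's five Security Status items onto the account summary.

    Returns {item_name: "green" | "orange"}. The item names follow the
    tutorial's list; the counter mapping is this example's assumption.
    """
    checks = {
        # Orange while the root user still has an active access key pair.
        "Deleting root access keys": summary_map.get("AccountAccessKeysPresent", 0) == 0,
        # Orange until a virtual or hardware MFA device is attached to root.
        "Activating MFA on the root account": summary_map.get("AccountMFAEnabled", 0) == 1,
        # Orange until at least one IAM user exists, so root need not be used day to day.
        "Create Individual IAM Users": summary_map.get("Users", 0) > 0,
        # Orange until at least one group exists to carry permissions.
        "User groups and permissions": summary_map.get("Groups", 0) > 0,
        # Orange until a custom password policy has been configured.
        "Apply IAM password policy": bool(password_policy_present),
    }
    return {name: ("green" if ok else "orange") for name, ok in checks.items()}


def outstanding(status):
    """Return the items that are still orange, in dashboard order."""
    return [name for name, colour in status.items() if colour == "orange"]


if __name__ == "__main__":
    summary = parse_summary(SAMPLE_SUMMARY_JSON)
    status = security_status(summary, password_policy_present=False)
    for name, colour in status.items():
        print(f"{colour:6}  {name}")
    # For a live account, replace SAMPLE_SUMMARY_JSON with the stdout of:
    #   subprocess.run(["aws", "iam", "get-account-summary"],
    #                  capture_output=True, text=True).stdout
```

Run against the constructed sample, every item is orange, which is exactly the state of a freshly created account before the steps in this tutorial are applied. Re-running it after deleting the root keys and enrolling an MFA device is a quick way to confirm the first two items have turned green without opening the console.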
Introduction to IAM users and customizing sign in link
Why do we need to create IAM users? Since the root account has unrestricted access to the AWS account, we should create other users who have only authorized access to services and resources in the account. Next, we will see how to create an IAM user and give it the necessary privileges.
Also, in an enterprise we will have multiple stakeholders who should be able to log in to the account with ease, so we will customize the sign-in link.
Customizing the AWS account sign-in link:
- In the dashboard, you can see the IAM user sign-in link, which is unique for each AWS account.
- Click on Customize and enter an alias (in the video, the enterprise name Itversity is used).
- Now the sign-in link is customized and can be shared with all the stakeholders.
In the next topic, we will see how to create IAM users, groups and an IAM password policy to secure the AWS account further.
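An account alias has to satisfy the constraints that `aws iam create-account-alias` enforces before the console will accept it, and the resulting sign-in link follows a fixed pattern. The example below is added here and is not part of the original tutorial: it checks a proposed alias against the documented rules (3 to 63 characters; lowercase letters, digits and hyphens only; no leading, trailing or doubled hyphen), derives a candidate alias from a display name such as Itversity, and builds the customized sign-in URL. The regular expression is this example's own encoding of those rules, and `suggest_alias` is a helper invented for illustration.

```python
import re

# Documented alias rules for `aws iam create-account-alias`, encoded as a regex
# by this example: lowercase letters, digits and hyphens, no hyphen at either
# end and no two hyphens in a row. Length is checked separately.
ALIAS_RE = re.compile(r"^[a-z0-9](?:[a-z0-9]|-(?!-))*[a-z0-9]$")


def validate_alias(alias):
    """Return True if alias is acceptable as an IAM account alias."""
    if not 3 <= len(alias) <= 63:
        return False
    return ALIAS_RE.fullmatch(alias) is not None


def signin_url(alias):
    """Return the customized IAM user sign-in link for a valid alias."""
    if not validate_alias(alias):
        raise ValueError(f"invalid account alias: {alias!r}")
    return f"https://{alias}.signin.aws.amazon.com/console"


def suggest_alias(display_name):
    """Derive a candidate alias from a display name, e.g. 'Itversity' -> 'itversity'.

    Hypothetical helper for this example: lowercases the name, replaces runs
    of other characters with a single hyphen, trims hyphens at the ends and
    truncates to the 63-character limit.
    """
    candidate = re.sub(r"[^a-z0-9]+", "-", display_name.lower()).strip("-")
    candidate = re.sub(r"-{2,}", "-", candidate)
    return candidate[:63]


if __name__ == "__main__":
    for name in ("Itversity", "My Org, Inc.", "-bad-", "ab"):
        alias = suggest_alias(name)
        ok = validate_alias(alias)
        print(f"{name!r:16} -> {alias!r:14} valid={ok}")
        if ok:
            print("   sign-in link:", signin_url(alias))
```

Note that the enterprise name shown in the video contains an uppercase letter; the alias AWS actually accepts is the lowercase form, which is why the link that is shared with stakeholders reads `itversity` rather than `Itversity`.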