Day-2-Aws

Understanding AWS IAM: Authentication and Authorization Explained

TLDR: This blog post provides a comprehensive overview of AWS Identity and Access Management (IAM), focusing on its importance for authentication and authorization in cloud environments. It covers key concepts such as users, groups, policies, and roles, illustrated through real-life scenarios and practical examples.

Hello everyone, my name is Abhishek and welcome to day two of the AWS Zero to Hero series. In this session, we will dive deep into AWS Identity and Access Management (IAM), exploring its components and practical applications. Before we begin, let’s quickly recap what we learned in day one.

Recap of Day One

In our previous session, we covered the following topics:

  • The concept of cloud computing.

  • Differences between private and public clouds.

  • The significance of public cloud adoption in organizations.

  • Why AWS is a leading cloud provider in the market today.

Quick notes (authentication vs. authorization, and the four IAM building blocks):

  • Authentication: whether a user can sign in to the account at all.

  • Authorization: whether a signed-in user is permitted to access certain resources and perform certain actions on them.

  • Users: created by the root user (or an administrator). A user covers authentication only; without a policy attached it cannot view, edit or delete anything, so on its own a user is of little use.

  • Policies: authorization. Every user must have a policy (a set of permissions) assigned before it can do anything.

  • Groups: authorization. Created by the root user or an administrator; a collection of users that share the same permissions. Instead of manually attaching policies to each user, attach them to the group and add the user to it.

  • Roles: authorization. Not a user at all, but an identity with permissions that a person, application or AWS service assumes to obtain temporary credentials.

Today's Focus: AWS IAM

Today, we will learn about:

  1. What AWS IAM is and why it is essential.

  2. Key components of IAM: users, groups, policies, and roles.

  3. A practical session to understand how these components work together.

Real-Life Scenario: Understanding IAM

To illustrate the importance of IAM, let’s consider a real-life scenario involving a bank. In a bank, there are various areas such as:

  • Service Desk Area: Where customers can resolve queries related to their accounts.

  • Employee Desk Area: Restricted to bank employees.

  • Sensitive Document Area: Contains confidential documents and financial information.

To maintain security, the bank implements an authentication and authorization process:

  • Authentication: Only authenticated individuals can enter the bank (e.g., account holders).

  • Authorization: Once inside, the bank verifies what areas and actions the individual is permitted to access.

Without these processes, anyone could enter the bank and access sensitive areas, leading to potential theft or data loss.

Translating the Scenario to AWS

Now, let’s translate this scenario to AWS. As a DevOps engineer, you create an AWS account for your organization. If everyone simply shared the root credentials, there would be no way to tell who did what, and anyone holding them could delete critical resources, leading to catastrophic data loss.

To prevent this, AWS provides IAM, which manages authentication and authorization effectively. Here’s how it works:

  • Authentication: When a new employee joins, the DevOps engineer creates an IAM user for them and issues credentials (a console password, and access keys only if they need programmatic access), so the employee can prove who they are when signing in.

  • Authorization: The engineer then attaches policies, directly or through a group, that grant the employee only the permissions their role requires.

Key Components of AWS IAM

IAM consists of four main components:

  1. Users: Individual identities within the account (not separate AWS accounts), created for people or workloads that need to sign in or call the API.

  2. Policies: JSON documents that define permissions, specifying which actions are allowed or denied on which resources.

  3. Groups: Collections of users that share the same permissions, simplifying management.

  4. Roles: Identities with their own permissions that are assumed rather than signed into; whoever assumes a role (an application, an AWS service, or a user from another account) receives temporary credentials that expire automatically.

Users, Policies, and Groups

When creating a user, it’s essential to attach policies that define what the user can do. For example, if a new employee needs to read from a database, the DevOps engineer would create a user and attach a policy that grants only the read actions on that database, rather than full access, so that the permissions match what the job actually requires.

Groups are beneficial for managing multiple users. Instead of attaching policies to each user individually, you can create a group (e.g., Developers) and assign permissions to the group. Any user added to this group inherits the permissions, streamlining the process.

Understanding Roles

Roles are slightly different from users. They are used when an application, an AWS service, or a person from another account needs to access AWS resources without holding long-lived credentials tied to a specific user. The most common case is an EC2 instance: you attach a role to it and the instance receives short-lived credentials automatically, so no access keys ever sit in a config file. An application running on-premises can assume a role too, but it still needs some trusted identity to exchange for the temporary credentials (for example a certificate through IAM Roles Anywhere, or a federated identity provider); the role replaces the permanent user account, not the need to authenticate.

Practical Session: Implementing IAM

Now, let’s move to the practical part of our session. We will demonstrate how to create users, assign policies, and manage groups in AWS IAM.

  1. Creating a User: Log into the AWS Management Console and navigate to the IAM service. Create a new user and provide them with console access; enable MFA for any user that can sign in to the console.

  2. Assigning Policies: Initially, the user will have no permissions. You can attach policies to grant them access to specific AWS services, such as S3 or EC2. AWS managed policies such as AmazonS3FullAccess are quick for a demo, but they grant every action on every resource of that service, so for real users prefer a policy limited to the actions and resources they need.

  3. Creating Groups: To manage multiple users efficiently, create groups and assign users to these groups. This way, you can easily manage permissions for all users in a group.

Walkthrough of the demo:

  1. Sign in as the root user (the DevOps engineer). The root user has every permission, so use it only to bootstrap the account: enable MFA on it, create the first administrative user, and then stop using root for day-to-day work.

  2. IAM → create a new user, test-user-501 (authentication), without attaching any policies (no authorization). The created user can sign in but cannot do anything.

  3. Sign in as the newly created user.

  4. Change the temporary password.

  5. Attach a policy to test-user-501 (this can also be done while creating the user). In the demo the AWS managed policy AmazonS3FullAccess was attached.

  6. After the permission is added, the user can view the bucket list and perform create, read, update and delete operations in S3; a new S3 bucket is created to confirm this.

  7. Create a group.

  8. Attach permissions to the group.

  9. Add the new user to the group; the user inherits the group's permissions.

  10. Add more permissions to the group as needed; every member receives them without any per-user change.
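To make the "user without a policy", "policy attached to the user" and "permissions inherited from a group" steps above concrete, here is an added Python example (not code from the original post or from AWS) that models how IAM decides a request: it collects every policy attached to the user or to the user's groups, then applies IAM's documented precedence: a matching explicit Deny wins, otherwise a matching Allow is required, otherwise the request is denied by default. The user, group and bucket names are constructed for the example; the first policy approximates the AWS managed policy AmazonS3FullAccess, the other two are constructed. Conditions, NotAction/NotResource, resource-based policies, permission boundaries and roles are deliberately left out.

```python
import re


def _as_list(value):
    """IAM allows a single string or a list in Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _statement_matches(stmt, action, resource):
    # Action names match case-insensitively, resource ARNs case-sensitively.
    action_ok = any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"]))
    resource_ok = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Precedence: any matching Deny wins; then any matching Allow; a request that
    no statement mentions is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicit_deny"
                allowed = True
    return "allow" if allowed else "implicit_deny"


class Account:
    """Users and groups of one AWS account, and the policies attached to them."""

    def __init__(self):
        self.users = {}   # user name -> {"policies": [...], "groups": set()}
        self.groups = {}  # group name -> [policies]

    def create_user(self, name):
        # Authentication only: the user can sign in but holds no permissions yet.
        self.users[name] = {"policies": [], "groups": set()}

    def attach_user_policy(self, user, policy):
        self.users[user]["policies"].append(policy)

    def create_group(self, name):
        self.groups[name] = []

    def attach_group_policy(self, group, policy):
        self.groups[group].append(policy)

    def add_user_to_group(self, user, group):
        self.users[user]["groups"].add(group)

    def is_allowed(self, user, action, resource):
        """Authorization: consult policies attached directly and via groups."""
        record = self.users[user]
        policies = list(record["policies"])
        for group in record["groups"]:
            policies.extend(self.groups[group])
        return evaluate(policies, action, resource) == "allow"


# Approximation of the AWS managed policy AmazonS3FullAccess (constructed here).
S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}

# Constructed least-privilege policy for a Developers group: read one bucket only.
DEVELOPERS_READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::app-logs-demo", "arn:aws:s3:::app-logs-demo/*"]}]}

# Constructed guard-rail: an explicit Deny that no Allow elsewhere can override.
DENY_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def demo():
    """Replay the walkthrough steps and return each authorization decision."""
    acct = Account()
    results = {}
    acct.create_user("test-user-501")
    # Step 2: the user exists (authenticated) but nothing is authorized.
    results["no_policy"] = acct.is_allowed("test-user-501", "s3:ListAllMyBuckets", "*")
    # Step 5/6: attach full S3 access directly to the user; S3 works, EC2 still does not.
    acct.attach_user_policy("test-user-501", S3_FULL_ACCESS)
    results["create_bucket"] = acct.is_allowed("test-user-501", "s3:CreateBucket", "arn:aws:s3:::new-bucket-501")
    results["ec2_denied"] = acct.is_allowed("test-user-501", "ec2:DescribeInstances", "*")
    # Steps 7-9: a second user gets its permissions only through the Developers group.
    acct.create_group("Developers")
    acct.attach_group_policy("Developers", DEVELOPERS_READ_LOGS)
    acct.create_user("dev-user-502")
    acct.add_user_to_group("dev-user-502", "Developers")
    results["dev_read"] = acct.is_allowed("dev-user-502", "s3:GetObject", "arn:aws:s3:::app-logs-demo/2024/app.log")
    results["dev_write"] = acct.is_allowed("dev-user-502", "s3:PutObject", "arn:aws:s3:::app-logs-demo/2024/app.log")
    # Step 10: a Deny added to the group wins even over the user's own full-access Allow.
    acct.attach_group_policy("Developers", DENY_BUCKET_DELETE)
    acct.add_user_to_group("test-user-501", "Developers")
    results["delete_after_deny"] = acct.is_allowed("test-user-501", "s3:DeleteBucket", "arn:aws:s3:::new-bucket-501")
    results["create_still_ok"] = acct.is_allowed("test-user-501", "s3:CreateBucket", "arn:aws:s3:::other-bucket")
    return results


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request:20s} {'ALLOW' if allowed else 'DENY'}")
```

The last two decisions are the ones worth remembering: attaching AmazonS3FullAccess to the user does not let it delete a bucket once its group carries an explicit Deny, while unrelated S3 actions remain allowed. That is why guard-rail denies are usually placed on groups (or at the organization level) rather than relying on each user's Allow list being tidy.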

Conclusion

In this session, we explored the critical role of AWS IAM in managing authentication and authorization in cloud environments. We discussed the importance of users, policies, groups, and roles, and demonstrated how to implement these concepts practically.

If you have any questions or need further clarification, feel free to leave a comment. Don’t forget to share this video with anyone interested in learning AWS. Thank you for joining, and see you in the next session!