AWS Identity and Access Management (IAM) is a web service that facilitates secure control over access to AWS services.
- IAM enables the management of permissions that regulate user access to AWS resources.
- It is used to manage authentication (sign-in) and authorization (permissions) for resource access.
- It provides the essential framework for managing authentication and authorization of your AWS accounts.
Identities
Upon creating an AWS account, you are given a single sign-in identity that has full access to all AWS services and resources in the account.
The AWS account root user is accessed by signing in with the email address and password used to create the account. The root user credentials should be used exclusively for the tasks designated for the root user.
IAM is used to set up other identities in addition to the root user, such as administrators, analysts, and developers, and to grant them access to the resources they need to do their work.
IAM identities include IAM users, IAM groups, and IAM roles. An IAM entity is a type of identity that represents a human user or programmatic workload that can be authenticated and then authorized to perform actions in AWS accounts. IAM entities include IAM users and IAM roles.
You can federate existing identities from an external identity provider. These identities will assume IAM roles to access AWS resources.
- An IAM user is an identity within your AWS account that has specific permissions for a single person or application.
- An IAM user group is an identity that specifies a collection of IAM users.
- An IAM role is an identity within your AWS account that has specific permissions. It's similar to an IAM user, but isn't associated with a specific person.
Access Management
Once configured in IAM, a user signs in to AWS with their sign-in credentials. Authentication matches those credentials to a principal (an IAM user, federated user, IAM role, or application) known to the AWS account. The principal then makes a request for access to resources. Access is granted after an authorization check only if the principal has been granted permission to the resource.
For instance, at initial sign-in to the console and when on the console Home page, you are not engaging with a particular service. Upon selecting a service, an authorization request is dispatched to that service, which verifies if your identity is included in the roster of authorized users, assesses the regulations governing access levels, and considers any additional applicable policies. Authorization requests may be initiated by principals within your AWS account or from a trusted external AWS account.
Upon authorization, the principal is permitted to execute actions or perform operations on resources within your AWS account. For instance, the principal may launch a new Amazon Elastic Compute Cloud instance, change IAM group membership, or delete Amazon Simple Storage Service buckets.
When a principal makes a request in AWS, the AWS enforcement code checks whether the principal is authenticated (signed in) and authorized (has permissions). You manage access in AWS by creating policies and attaching them to IAM identities or AWS resources. Policies are JSON documents in AWS that, when attached to an identity or resource, define their permissions.
During authorization, the AWS enforcement code uses values from the request context to check for matching policies and determine whether to allow or deny the request.
AWS checks each policy that applies to the context of the request. If a single policy denies the request, AWS denies the entire request and stops evaluating policies. This is called an explicit deny. Because requests are denied by default, IAM authorizes your request only if every part of your request is allowed by the applicable policies. The evaluation logic for a request within a single account follows these rules:
- By default, all requests are implicitly denied. The one exception is the AWS account root user, which has full access by default.
- An explicit allow in an identity-based or resource-based policy overrides this default.
- If a permissions boundary, AWS Organizations SCP, or session policy is present, it might override the allow with an implicit deny.
- An explicit deny in any policy overrides any allows.
After a request has been authenticated and authorized, AWS approves the request. If you need to make a request in a different account, a policy in the other account must allow you to access the resource. In addition, the IAM entity that you use to make the request must have an identity-based policy that allows the request.