# Copy of AWS Identity & Access Management (IAM) Fundamentals ## **What is AWS IAM?** AWS Identity & Access Management (IAM) is the foundation of **secure access control** in AWS. It manages **who** can access AWS resources, **what** they can do, and **how** access is granted. ### **Key IAM Features** * User authentication & authorization * Granular access controls with policies * Role-based access management (RBAC) * Temporary security credentials for workloads * Integration with Identity Providers (Okta, Azure AD, etc.) ### **How SecureCart Uses IAM** SecureCart uses IAM to **control access to AWS services and resources** while following **security best practices** to protect customer data, prevent unauthorized changes, and enable seamless operations. ### Examples * Developers need to manage deployments but should NOT have full admin access. * SecureCart’s EC2 instances need to retrieve product images from S3 **without storing credentials**. * A Lambda Function Needs to Process Payments Using AWS Secrets Manager * SecureCart’s CI/CD Pipeline in the `DevOps` Account Needs to Deploy to `Production` * SecureCart’s security engineers **should be able to audit AWS resources but NOT make changes**. | **Scenario** | **IAM Solution** | | ------------------------------------------------- | ----------------------------------------------------- | | **Developer Access to AWS Accounts** | IAM Identity Center (SSO) with Permission Sets | | **EC2 Access to S3 for Product Images** | IAM Role assigned to EC2 instance | | **Lambda Access to Secrets Manager for Payments** | IAM Role with Secrets Manager read access | | **CI/CD Deployment Across Accounts** | Cross-account IAM Role assumption | | **Security Team Read-Only Audits** | IAM Identity Center Group with `SecurityAudit` policy | *** ## **IAM Users** * IAM Users represent individuals who need access to AWS. * Each IAM User has unique credentials (password, access keys, MFA) and can have assigned permissions. ### **How SecureCart Uses IAM Users** * Only used for break-glass access (not for daily work). * SecureCart relies on IAM Identity Center (SSO) instead of IAM Users for authentication. * MFA is required for any IAM User with AWS Management Console access. *** ## **IAM Groups** * IAM Groups **combine multiple IAM Users** and assign permissions to them collectively. * Instead of assigning policies **one by one**, a **group policy applies to all users inside the group.** #### **How SecureCart Uses IAM Groups** * SecureCart avoids IAM Groups in favor of IAM Identity Center (SSO). * If IAM Groups were needed, SecureCart would create * `Billing-ReadOnly` (Finance Team) * `Security-Audit` (Security Team) * `DevOps-Admin` (Operations Team) *** ## **IAM Policies** * IAM Policies define permissions for users, groups, or roles. * They specify who can do what on which resources. ### **Types of IAM Policies** * AWS-Managed Policies → Predefined by AWS (e.g., `AdministratorAccess`, `ReadOnlyAccess`). * Customer-Managed Policies → Custom policies SecureCart creates for fine-grained control. * Inline Policies → Directly attached to users, groups, or roles (not reusable). ### **How SecureCart Uses IAM Policies** * Least privilege (Only allow necessary actions). * Deny dangerous actions like deleting databases. * Use AWS-Managed Policies for standard use cases. *** ## **IAM Roles** * IAM Roles provide temporary permissions to users, AWS services, or applications. * Unlike IAM Users, IAM Roles do not have permanent credentials. ### **IAM Role Use Cases** * Applications running on EC2, Lambda, or ECS that need access to AWS services. * Cross-account access between different AWS accounts. * Temporary security credentials for users via AWS STS. ### **How SecureCart Uses IAM Roles** * SecureCart EC2 instances assume IAM Roles to access S3 securely. * Developers assume IAM Roles instead of using IAM Users. * Cross-account roles allow CI/CD to deploy across multiple AWS accounts *** ### **IAM Identity Center (SSO)** * IAM Identity Center (formerly AWS SSO) provides centralized authentication for multiple AWS accounts. * It eliminates the need for IAM Users by integrating with identity providers like Okta, Azure AD, or Google Workspace. ### **How SecureCart Uses IAM Identity Center** * Developers log in once and access multiple AWS accounts. * IAM Identity Center groups replace IAM Groups. * Enforces MFA and session timeouts for security. ### **Example of IAM Identity Center Group Setup** | **IAM Identity Center Group** | **AWS Permissions Assigned** | | ----------------------------- | ---------------------------- | | `SecureCart-Developers` | AWSCodeDeployFullAccess | | `SecureCart-Security` | SecurityAudit | | `SecureCart-Finance` | Billing | *** ## **AWS Security Best Practices for IAM** ### **SecureCart's IAM Security Checklist** * Use IAM Identity Center (SSO) instead of IAM Users * Require MFA for all human access * Use IAM Roles instead of long-term IAM credentials * Follow the principle of least privilege in IAM Policies * Enable IAM Access Analyzer to detect misconfigurations * Use AWS CloudTrail to log IAM activity #### #### #### **Scenario:** **SecureCart’s security team is tasked with setting up secure IAM access for engineers, ensuring that only authorized users and services have access to AWS resources.** #### **Key Learning Objectives** * **Understand IAM Users, Groups, and Roles** * **Enforce MFA on IAM users and the root user** * **Learn about the AWS Shared Responsibility Model** * **Apply AWS security best practices for access control** ## **Introduction** [**SecureCart Organizational Structure & AWS Access Roles**](https://awsinpractice.itassist.com/study-group/aws-certified-solutions-architect-associate/securecart#securecart-organizational-structure-and-aws-access-roles) ### **AWS Access Requirements by Role** | | | | | ----------------------- | ---------------------------------------------- | ---------------------------------------------- | | **Role** | **Access Level** | **AWS Services Required** | | **CTO** | Read-only | AWS Billing, Cost Explorer, Budgets | | **Finance Team** | Billing & Cost Access | AWS Billing, AWS Cost Explorer | | **DevOps Team** | Full Admin (Non-Prod), Restricted Admin (Prod) | IAM, EC2, VPC, RDS, CloudFormation, Route 53 | | **Software Developers** | Limited (Deploy Only) | ECS, Lambda, API Gateway, DynamoDB, CloudWatch | | **Data Engineers** | Full Access to Data Services | Redshift, S3, Glue, DynamoDB, Athena | | **Security Team** | Full Security Admin | IAM, GuardDuty, Security Hub, CloudTrail | | **Customer Support** | Read-Only | DynamoDB (customer and order data) | | **Product Management** | Read-Only | CloudWatch, DynamoDB | ## ## **SecureCart - Single AWS Account Setup (IAM-Based)** **This setup is used when SecureCart operates within a single AWS account, managing access through IAM roles and IAM policies.** ### **Step 1: Create IAM Roles for Each Business Unit** **Why? IAM Roles provide temporary credentials instead of static IAM users, improving security.** #### **Create IAM Roles & Attach Policies** **Use the AWS Console or CLI to create IAM Roles for each team.** **Example CLI Command to Create an IAM Role for Developers** ```sh shCopyEditaws iam create-role --role-name SecureCartDeveloperRole \ --assume-role-policy-document file://developer-trust-policy.json ``` **Trust Policy (`developer-trust-policy.json`)** ```json jsonCopyEdit{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:user/developer" }, "Action": "sts:AssumeRole" } ] } ``` **📌 Attach a Policy (Limited Access to Deployment Services)** ```sh shCopyEditaws iam attach-role-policy --role-name SecureCartDeveloperRole \ --policy-arn arn:aws:iam::aws:policy/AWSCodeDeployFullAccess ``` *** ### **🔹 Step 2: Assign IAM Roles to Users** **1️⃣ Go to AWS IAM Console**\ **2️⃣ Select "Users" → Choose User → Assign Role**\ **3️⃣ Choose the appropriate role (e.g., SecureCartDeveloperRole)**\ **4️⃣ Save changes** **🔹 Now, Developers must "AssumeRole" to gain AWS permissions.** **📌 Example: Assume Role via AWS CLI** ```sh shCopyEditaws sts assume-role --role-arn arn:aws:iam::111122223333:role/SecureCartDeveloperRole \ --role-session-name DeveloperSession ``` *** ### **🔹 Step 3: Enforce MFA for AWS Console Access** **📌 Why? Improves security by preventing unauthorized access.** **1️⃣ Go to AWS IAM Console → Users → Security Credentials**\ **2️⃣ Enable MFA for each user**\ **3️⃣ Require MFA in IAM Policies** **📌 Example IAM Policy to Enforce MFA** ```json jsonCopyEdit{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" } } } ] } ``` ## **SecureCart Multi-Account IAM Identity Center Setup** ### **🔹 Overview** **SecureCart needs a centralized access management solution to allow different teams to securely access multiple AWS accounts with appropriate permissions.** #### **✅ Key IAM Identity Center Components** 1. **Users & Groups → Define who has access** 2. **Permission Sets → Define what permissions are granted** 3. **Account Assignments → Assign permission sets to groups/users at the AWS account level** *** ### **🔹 Step 1: Enable AWS IAM Identity Center (SSO)** **📌 Why?**\ **Provides SSO-based access across multiple AWS accounts, eliminating the need for IAM users.** #### **Implementation Steps:** **1️⃣ Go to AWS Organizations Console → Enable IAM Identity Center**\ **2️⃣ Choose an Identity Source:** * **Built-in AWS Identity Center Directory (Default)** * **External Identity Provider (Azure AD, Okta, Google Workspace)**\ **3️⃣ Configure IAM Identity Center login portal** * **AWS generates a unique SSO login URL for SecureCart employees** **📌 Example CLI Command to Enable IAM Identity Center** ```sh shCopyEditaws sso-admin create-instance --region us-east-1 ``` *** ### **🔹 Step 2: Create IAM Identity Center Groups** **📌 Why?**\ **IAM Identity Center Groups simplify permission management by allowing multiple users to inherit permissions instead of assigning them individually.** #### **✅ Create Groups for Each SecureCart Business Unit** **1️⃣ Go to IAM Identity Center Console → Groups → Create Group**\ **2️⃣ Create the following Groups:** * **`SecureCart-DevOps`** * **`SecureCart-Developers`** * **`SecureCart-Security`** * **`SecureCart-Finance`** * **`SecureCart-Support` 3️⃣ Add Users to the Groups** **📌 Example CLI Command to Create a Group** ```sh shCopyEditaws sso-admin create-group --name SecureCart-Developers --instance-arn arn:aws:sso:::instance/ssoins-EXAMPLE ``` *** ### **🔹 Step 3: Create Permission Sets** **📌 Why?**\ **Permission Sets define the AWS permissions for each team. These are assigned at the AWS account level.** #### **✅ Define Permission Sets** **1️⃣ Go to IAM Identity Center Console → Permission Sets → Create New Set**\ **2️⃣ Choose AWS-Managed Policies or Custom Policies**\ **3️⃣ Assign Session Duration (default: 1 hour, max: 12 hours)**\ **4️⃣ Repeat this for each business unit** **📌 Example Permission Sets for SecureCart Teams** | **Group** | **Permission Set** | **Attached IAM Policies** | | ----------------------- | -------------------------------------- | ----------------------------------------------------- | | `SecureCart-DevOps` | **SecureCart-DevOps-PermissionSet** | `AdministratorAccess` | | `SecureCart-Developers` | **SecureCart-Developer-PermissionSet** | `AWSCodeDeployFullAccess`, `CloudWatchReadOnlyAccess` | | `SecureCart-Security` | **SecureCart-Security-PermissionSet** | `SecurityAudit`, `IAMReadOnlyAccess` | | `SecureCart-Finance` | **SecureCart-Finance-PermissionSet** | `Billing` | | `SecureCart-Support` | **SecureCart-Support-PermissionSet** | `ReadOnlyAccess` | **📌 Example CLI Command to Create a Permission Set** ```sh shCopyEditaws sso-admin create-permission-set \ --instance-arn arn:aws:sso:::instance/ssoins-EXAMPLE \ --name SecureCart-Developers-PermissionSet \ --description "Developer access to AWS services" \ --session-duration PT8H ``` *** ### **🔹 Step 4: Assign Groups to AWS Accounts** **📌 Why?**\ **Permission Sets are assigned at the AWS account level, ensuring users can only access the accounts they need.** #### **✅ Assign Groups to AWS Accounts** **1️⃣ Go to IAM Identity Center Console → AWS Accounts**\ **2️⃣ Select the AWS account (e.g., `SecureCart-Production`, `SecureCart-Dev`)**\ **3️⃣ Click Assign Users & Groups**\ **4️⃣ Select the SecureCart Group (e.g., `SecureCart-Developers`)**\ **5️⃣ Assign the corresponding Permission Set**\ **6️⃣ Click Save** **📌 Example CLI Command to Assign a Group to an AWS Account** ```sh shCopyEditaws sso-admin create-account-assignment \ --instance-arn arn:aws:sso:::instance/ssoins-EXAMPLE \ --target-id 123456789012 \ --target-type AWS_ACCOUNT \ --principal-id SecureCart-Developers \ --principal-type GROUP \ --permission-set-arn arn:aws:sso:::permissionSet/ssoins-EXAMPLE/ps-EXAMPLE ``` *** ### **🔹 Step 5: User Login & Access via AWS SSO** **📌 Why?**\ **Instead of manually switching IAM roles, users log in via AWS SSO and are automatically assigned role-based access.** #### **✅ How Users Access AWS** **1️⃣ Users go to the AWS IAM Identity Center Portal (SSO URL)**\ **2️⃣ Login using corporate credentials**\ **3️⃣ Select the AWS Account & Role they have access to**\ **4️⃣ They are granted console or CLI access automatically** **📌 Example: AWS SSO Login for Developers** ```sh shCopyEditaws sso login --profile SecureCart-Developers ``` *** ## **Summary: Single vs. Multi-Account Implementation** | **Feature** | **Single Account (IAM-Based)** | **Multi-Account (IAM Identity Center-Based)** | | ----------------------- | -------------------------------- | --------------------------------------------- | | **User Authentication** | IAM Users | AWS IAM Identity Center (SSO) | | **Access Control** | IAM Roles | IAM Identity Center Groups & Permission Sets | | **Role Switching?** | Users must assume roles manually | Seamless via AWS SSO | | **Permissions Model** | IAM Policies per Role | Permission Sets per Account | | **Best for** | Standalone AWS Accounts | Multi-Account AWS Organizations | *** ## **For multi-account AWS Organizations setups, SecureCart centralizes access control using AWS IAM Identity Center (SSO).** ### **Step 1: Enable AWS IAM Identity Center (SSO)** **Why? Provides centralized identity management across multiple AWS accounts.** **Go to AWS Organizations Console → Enable IAM Identity Center**\ **Choose an Identity Source:** * **Built-in AWS Identity Center Directory** * **External IdP (Okta, Azure AD, Google Workspace)** **📌 Example CLI Command to Enable IAM Identity Center** ```sh shCopyEditaws sso-admin create-instance --region us-east-1 ``` *** ### **Step 2: Create IAM Identity Center Groups** **📌 Why? Groups simplify permission assignments for multiple users.** #### **✅ Create Groups for Each Business Unit** **1️⃣ Go to IAM Identity Center Console → Groups → Create Group**\ **2️⃣ Example Groups:** * **`SecureCart-DevOps`** * **`SecureCart-Developers`** * **`SecureCart-Security`** * **`SecureCart-Finance`** * **`SecureCart-Support` 3️⃣ Add Users to Respective Groups** *** ### **Step 3: Assign Permission Sets to IAM Identity Center Groups** **📌 Why? Permission Sets are predefined IAM roles assigned to Identity Center users.** #### **Create Permission Sets** **1️⃣ Go to AWS IAM Identity Center Console → Permission Sets → Create New Set**\ **2️⃣ Select AWS-Managed Policies or Custom Policies** * **`SecureCart-DevOps` → AdministratorAccess** * **`SecureCart-Developers` → AWSCodeDeployFullAccess** * **`SecureCart-Security` → SecurityAudit** * **`SecureCart-Finance` → Billing** * **`SecureCart-Support` → ReadOnlyAccess 3️⃣ Assign Permission Sets to Groups** **Example CLI Command to Assign a Permission Set** ```sh shCopyEditaws sso-admin create-permission-set \ --instance-arn arn:aws:sso:::instance/ssoins-EXAMPLE \ --name SecureCart-Developers \ --description "Developer access to AWS services" \ --session-duration PT8H ``` *** ### **Step 4: Assign Groups to AWS Accounts** **📌 Why? This allows IAM Identity Center users to assume roles only in permitted accounts.** **1️⃣ Go to IAM Identity Center Console → AWS Accounts → Assign Users & Groups**\ **2️⃣ Choose the SecureCart Group (e.g., `SecureCart-Developers`)**\ **3️⃣ Assign the corresponding permission set**\ **4️⃣ Click Save** **🔹 Now, users log in via AWS IAM Identity Center (SSO) and get role-based access.** **📌 Example: IAM Identity Center Console Access** * **Users log in via AWS SSO URL.** * **Choose the assigned AWS account & IAM Role.** * **No need for manual IAM Role switching.** *** ### **🎯 Summary: Single vs. Multi-Account Setup** | **Feature** | **Single Account (IAM-Based)** | **Multi-Account (Identity Center-Based)** | | ----------------------- | -------------------------------- | -------------------------------------------- | | **User Authentication** | IAM Users | AWS IAM Identity Center (SSO) | | **Access Control** | IAM Roles | IAM Identity Center Groups & Permission Sets | | **Best for** | Standalone AWS Accounts | Multi-Account AWS Organizations | | **IAM Groups Needed?** | Maybe (for legacy users) | ❌ No (Use Identity Center Groups) | | **Role Switching?** | Users must assume roles manually | Seamless via AWS SSO | ### ### ### **IAM Policies & Permissions Model** **SecureCart follows the principle of least privilege, meaning each team gets only the permissions necessary to perform their job.** #### **✅ Implementation Steps:** **1️⃣ Enable AWS IAM Identity Center (SSO)** * **Integrate Azure AD, Okta, or Google Workspace for authentication.** * **Define SSO permission sets for different roles.** **2️⃣ Create IAM Roles for Each Team** * **DevOpsRole (Admin in non-prod, restricted in prod).** * **DeveloperRole (Deploy access, no security permissions).** * **SecurityRole (IAM & Security services access only).** * **SupportRole (Read-only to customer order database).** * **FinanceRole (Billing access only).** **3️⃣ Apply IAM Policies with Least Privilege** * **Restrict DevOps team to modify infrastructure but not IAM.** * **Ensure Developers can deploy but not access customer data.** * **Allow Finance to view AWS bills without modifying resources.** * **Block Support from accessing anything except order-related DynamoDB tables.** **4️⃣ Use AWS Organizations & SCPs for Governance** * **Deny actions like `iam:CreateUser`, `s3:PutBucketPublicAccessBlock` across all accounts.** * **Enforce security best practices at the organization level.** **5️⃣ Enable AWS IAM Access Analyzer** * **Continuously scan for overly permissive IAM policies.** * **Detect unintended public access to AWS resources.** ### **AWS Identity & Access Best Practices for SecureCart** **✅ Use IAM Roles for Applications & Services – No hardcoded credentials.**\ **✅ Enable Multi-Factor Authentication (MFA) – Required for all human users.**\ **✅ Monitor IAM Usage with AWS CloudTrail – Track API calls for security audits.**\ **✅ Implement Temporary Credentials with AWS STS – Use AssumeRole instead of long-term IAM users.**\ **✅ Use Resource-Based Policies for Specific Permissions – Example: Secure S3 access with bucket policies.** #### **Hands-on Labs:** **1️⃣ Enable MFA for Root & IAM Users**\ **2️⃣ Create IAM Groups & Assign Least Privilege Access**\ **3️⃣ Implement IAM Policies to Restrict Overly Permissive Access** **🔹 Outcome: SecureCart implements strong IAM security controls, ensuring that only authorized users have access.** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://awsinpractice.itassist.com/study-group/aws-certified-solutions-architect-associate/domain-1-design-secure-architectures/copy-of-task-statement-1.1-design-secure-access-to-aws-resources/copy-of-aws-identity-and-access-management-iam-fundamentals.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.