AWS IAM - Comprehensive Guide

🔐 IAM Overview

What is IAM?

  • Identity and Access Management: Manages access to AWS resources
  • Global service: Not tied to any region
  • Free: No charge for the IAM service itself
  • Granular permissions: Fine-grained access control
  • Temporary credentials: Secure access management

👤 IAM Components

1. Users

IAM Users:
  Purpose: Individual people or services
  Authentication: Username/password, Access keys
  MFA: Multi-factor authentication support
  Use case: Long-term credentials

2. Groups

IAM Groups:
  Purpose: Collection of users that share the same permissions
  Policy attachment: Attach policies to groups
  Inheritance: Users inherit group permissions
  Best practice: Assign permissions to groups, not users

3. Roles

IAM Roles:
  Purpose: Temporary credentials for services/users
  Assume: Services or users can assume roles
  Use cases: EC2 instances, Lambda functions, cross-account access
  Security: No long-term credentials stored

4. Policies

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/Department": "Finance"
        }
      }
    }
  ]
}

📋 Policy Types

AWS Managed Policies

  • Pre-built: AWS maintains and updates them
  • Common use cases: PowerUserAccess, ReadOnlyAccess
  • Best practice: Use when available

Customer Managed Policies

  • Custom: Organization-specific requirements
  • Versioning: Track policy changes
  • Reusable: Attach to multiple entities

Inline Policies

  • One-to-one: Direct attachment to user/group/role
  • Use case: Strict one-to-one relationship
  • Limitation: Cannot reuse

🎯 Permission Evaluation

Policy Evaluation Logic

1. Default DENY: All requests denied by default
2. Explicit ALLOW: Check for Allow statements
3. Explicit DENY: Deny statements override Allow
4. Final Decision: Allow only if there is an Allow and no Deny

Multiple Policies

User Permissions = 
  Identity-based policies (User + Groups) 
  + Resource-based policies 
  + Permissions boundaries
  - Explicit denies
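
The four-step evaluation order and the way the pieces combine are easiest to see by running them. The toy evaluator below is an added example written for this guide, not AWS code: it implements default deny, explicit Allow, explicit Deny overriding Allow, and treats a permissions boundary the way AWS documents it, as a ceiling that an identity-based Allow must also fall inside (the boundary itself grants nothing). It also evaluates the StringEquals condition from the policy above and the Bool / BoolIfExists operators used for MFA conditions. Resource-based policies and principal matching are left out to keep the model small; the sample policies, bucket name and tag value are constructed placeholders.

```python
import fnmatch


def _as_list(value):
    # IAM accepts either a string or a list for Action, Resource and condition values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    # Action names are case-insensitive; resource ARNs are matched as written.
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(stmt, context):
    """Evaluate the Condition block with the operators this guide uses."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator in ("Bool", "BoolIfExists"):
                if actual is None:
                    # Plain Bool fails when the key is absent from the request (long-term
                    # access keys carry no MFA key), so a "Deny unless MFA" rule written
                    # with Bool would never fire for them; BoolIfExists treats absence as a match.
                    if operator == "Bool":
                        return False
                    continue
                if str(actual).lower() != str(expected).lower():
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    action_hit = any(_matches(a, action, ignore_case=True) for a in _as_list(stmt.get("Action")))
    resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit and _condition_holds(stmt, context)


def evaluate(policies, action, resource, context=None):
    """Return 'Deny' (explicit), 'Allow' or 'ImplicitDeny' for a set of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"       # step 3: an explicit Deny overrides every Allow
            allowed = True          # step 2: an explicit Allow was found
    return "Allow" if allowed else "ImplicitDeny"   # steps 1 and 4: default deny


def is_allowed(identity_policies, action, resource, context=None, boundary=None):
    """Final decision for a same-account request using identity-based policies."""
    context = context or {}
    if evaluate(identity_policies, action, resource, context) != "Allow":
        return False
    if boundary is not None:
        # A permissions boundary grants nothing by itself; it caps what the identity
        # policies may grant, so the request must also be allowed by the boundary.
        return evaluate([boundary], action, resource, context) == "Allow"
    return True


# Constructed sample documents; bucket and tag names are placeholders from this guide.
FINANCE_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"StringEquals": {"s3:ExistingObjectTag/Department": "Finance"}}}]}
BUCKET_ADMIN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}
DENY_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Action": "s3:*", "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/q3-report.csv"
    mfa_finance = {"aws:MultiFactorAuthPresent": "true", "s3:ExistingObjectTag/Department": "Finance"}
    print(is_allowed([FINANCE_READ, DENY_WITHOUT_MFA], "s3:GetObject", obj, mfa_finance))  # True
    print(is_allowed([FINANCE_READ, DENY_WITHOUT_MFA], "s3:GetObject", obj,
                     {"s3:ExistingObjectTag/Department": "Finance"}))                       # False: Deny wins
    print(is_allowed([BUCKET_ADMIN], "s3:PutObject", obj, mfa_finance, READ_ONLY_BOUNDARY))  # False: boundary caps
```

The second call shows why the "explicit deny wins" rule matters in practice: the same Finance user who was allowed a moment ago is refused as soon as the request arrives without MFA, even though the Allow statement still matches. The third call shows the boundary acting as a cap rather than a grant.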

🔑 Cross-Account Access

Cross-Account Role

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:user/ExampleUser"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Resource-based Policies

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-B:root"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::shared-bucket/*"
    }
  ]
}

🛡️ Security Best Practices

Least Privilege Principle

  • Start minimal: Grant minimum required permissions
  • Regular review: Audit and remove unused permissions
  • Just-in-time: Temporary elevated access

MFA Implementation

  • Root account: Always enable MFA
  • Privileged users: Require MFA for sensitive operations
  • Conditional MFA: Use conditions in policies

Access Keys Management

  • Rotate regularly: Change access keys periodically
  • Principle of least privilege: Limit access key permissions
  • Monitor usage: CloudTrail logs access key activity

🚀 Common IAM Patterns

EC2 Instance Role

Role: EC2-S3-Access-Role
Trust Policy: EC2 service
Permission Policy:
  - s3:GetObject on specific bucket
  - s3:PutObject on specific bucket

Lambda Execution Role

Role: Lambda-Execution-Role
Trust Policy: Lambda service
Permission Policy:
  - logs:CreateLogGroup
  - logs:CreateLogStream
  - logs:PutLogEvents
  - Additional service permissions

Cross-Account S3 Access

Scenario: Account A accesses Account B's S3 bucket
Option 1: Cross-account role in Account B
Option 2: Bucket policy in Account B
Option 3: ACLs (not recommended)
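
The trust and permission policies in the Cross-Account Access section and the EC2 / Lambda role patterns above are the kind of documents a team reviews over and over, so a small static check pays for itself. The linter below is an added example written for this guide, not an AWS tool (IAM Access Analyzer does this work at account scale). It flags trust policies that let any principal assume the role, cross-account trusts without a Condition, trusts to another account's root, and permission statements with wildcard actions on every resource. The account IDs, role and bucket names, and the `sts:ExternalId` value are constructed placeholders.

```python
def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten a Principal element ('*' or {"AWS": ..., "Service": ...}) to a list of strings."""
    if principal == "*":
        return ["*"]
    flat = []
    for entries in principal.values():
        flat.extend(_as_list(entries))
    return flat


def _account_of(arn):
    # arn:partition:service:region:account-id:resource  ->  account-id
    parts = arn.split(":")
    return parts[4] if len(parts) > 5 else ""


def lint_trust_policy(policy, own_account):
    """Return (severity, message) findings about who may assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        conditioned = bool(stmt.get("Condition"))
        for who in _principals(stmt["Principal"]):
            if who == "*":
                findings.append(("critical", "any AWS principal may assume this role"))
            elif who.startswith("arn:aws:iam::") and _account_of(who) != own_account:
                if not conditioned:
                    findings.append(("medium", f"cross-account trust to {who} has no Condition "
                                               "(sts:ExternalId or aws:PrincipalOrgID would narrow it)"))
                if who.endswith(":root"):
                    findings.append(("info", f"trusting {who} delegates the choice of principal "
                                             "to the other account's administrators"))
    return findings


def lint_permission_policy(policy):
    """Return (severity, message) findings about the scope of what is granted."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(("medium", "NotAction/NotResource grants everything not listed"))
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            findings.append(("high", f"{actions} on every resource is administrative scope"))
        elif "*" in resources:
            findings.append(("low", f"{actions} on Resource '*'; scope to ARNs where the service allows"))
    return findings


OWN_ACCOUNT = "111111111111"          # constructed placeholder for Account A
PARTNER_ACCOUNT = "222222222222"      # constructed placeholder for Account B

# Cross-account trust policy as in the Cross-Account Role section, with a placeholder account ID.
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:user/ExampleUser"}}]}
# Trust to the partner account root, narrowed with an external ID condition.
CROSS_ACCOUNT_TRUST_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
# EC2 instance role pattern: trust the EC2 service, grant Get/Put on one bucket.
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}}]}
EC2_S3_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-app-bucket/*"}]}
# Lambda execution role pattern: the three logging actions, here left on Resource "*".
LAMBDA_LOGS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
    "Resource": "*"}]}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    for name, p in [("cross-account", CROSS_ACCOUNT_TRUST), ("ec2-trust", EC2_TRUST)]:
        print(name, lint_trust_policy(p, OWN_ACCOUNT))
    for name, p in [("ec2-s3", EC2_S3_POLICY), ("lambda-logs", LAMBDA_LOGS_POLICY), ("admin", ADMIN_POLICY)]:
        print(name, lint_permission_policy(p))
```

The EC2 pattern produces no findings because the trust is to a service principal and the permissions name a single bucket; the Lambda logging policy gets only a low-severity note, since `Resource: "*"` is common for log actions but can still be narrowed to the function's log group ARN.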

📊 IAM Tools & Features

IAM Access Analyzer

  • Purpose: Identify resources shared externally
  • Findings: Highlight potential security risks
  • Recommendations: Suggest policy improvements

IAM Policy Simulator

  • Testing: Test policies before deployment
  • Troubleshooting: Debug permission issues
  • Validation: Verify policy effectiveness

AWS CloudTrail

  • Audit: Track IAM activity
  • Compliance: Meet regulatory requirements
  • Security: Detect unauthorized access
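
CloudTrail only helps with the MFA and access-key practices above if someone reads the records, so here is what a first set of detection rules looks like. This is an added example written for this guide, not an AWS feature: it runs a handful of rules over CloudTrail records (root-account activity, console sign-in without MFA, failed sign-ins, AccessDenied errors, and API calls made with long-term access keys) and returns the alerts. The records are constructed samples that follow CloudTrail's JSON field names; the account ID, user names and access key IDs are placeholders (AKIAIOSFODNN7EXAMPLE is the AWS documentation example key).

```python
import json

# Constructed CloudTrail-shaped records: two console logins, one failed login,
# one S3 call with a long-term key, one with temporary credentials, one AccessDenied.
SAMPLE_RECORDS = json.loads("""
[
 {"eventID": "e1", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventID": "e2", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/alice"},
  "responseElements": {"ConsoleLogin": "Success"}, "additionalEventData": {"MFAUsed": "No"}},
 {"eventID": "e3", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/bob"},
  "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
 {"eventID": "e4", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
  "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/deploy",
                   "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
 {"eventID": "e5", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPKEY00",
                   "arn": "arn:aws:sts::111111111111:assumed-role/EC2-S3-Access-Role/i-0abc"}},
 {"eventID": "e6", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLETEMPKEY11",
                   "arn": "arn:aws:sts::111111111111:assumed-role/ReadOnly/session"},
  "errorCode": "AccessDenied", "errorMessage": "User is not authorized to perform: iam:CreateUser"}
]
""")


def detect(event):
    """Return (rule, detail) alerts for one CloudTrail record."""
    alerts = []
    identity = event.get("userIdentity", {})
    who = identity.get("arn", "unknown")
    if identity.get("type") == "Root":
        # Root should be locked away behind MFA and used almost never; any use is worth a look.
        alerts.append(("root-activity", f"{who} {event['eventName']}"))
    if event.get("eventName") == "ConsoleLogin":
        outcome = event.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            alerts.append(("console-login-failed", who))
        elif event.get("additionalEventData", {}).get("MFAUsed") != "Yes":
            alerts.append(("console-login-without-mfa", who))
    if event.get("errorCode") == "AccessDenied":
        # Denied calls show a principal probing beyond its permissions, or a policy gap.
        alerts.append(("access-denied", f"{who} {event['eventName']}"))
    key = identity.get("accessKeyId", "")
    if key.startswith("AKIA"):
        # Long-term IAM user keys begin with AKIA; STS temporary keys begin with ASIA.
        # Each hit is a key that needs rotation tracking, or replacement with a role.
        alerts.append(("long-term-access-key-used", f"{key} {event['eventName']}"))
    return alerts


def scan(records):
    """Flatten alerts over a batch of records as (eventID, rule, detail) tuples."""
    return [(r["eventID"], rule, detail) for r in records for rule, detail in detect(r)]


if __name__ == "__main__":
    for event_id, rule, detail in scan(SAMPLE_RECORDS):
        print(f"{event_id}\t{rule}\t{detail}")
```

Record e5 produces nothing: an EC2 instance role using temporary credentials is exactly the pattern this guide recommends, and the rules are written so that the recommended path stays quiet while the discouraged ones (long-term keys, console access without MFA) surface.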

📝 Exam Tips for AWS SAA

Key Concepts

  • Roles vs Users: Temporary vs permanent credentials
  • Policy evaluation: Explicit deny wins
  • Cross-account: Role assumption vs resource policies
  • MFA: When and how to implement

Common Scenarios

  • EC2 accessing S3: Use IAM role, not access keys
  • Cross-account access: Use roles, not shared credentials
  • Temporary access: Use STS assume role
  • Service permissions: Use service-linked roles

📖 Summary

IAM provides comprehensive identity and access management for AWS:
  • Centralized control over authentication and authorization
  • Fine-grained permissions with policy-based access control
  • Secure cross-account access with roles and resource policies
  • Auditing and compliance with CloudTrail integration
  • Best practices to maintain security posture