IAM -> Identity and Access Management
What is IAM?
IAM allows you to manage users and their level of access to the AWS Console.
Components of IAM:
Users: Individuals who use the cloud resources. Each user is assigned a unique identity.
Groups: Collections of users with similar roles or responsibilities. Permissions are assigned to groups rather than individual users, simplifying management.
Roles: A set of permissions that define what actions are allowed on specific resources. Roles can be assigned to users or groups.
Policies: Documents that define the permissions for users, groups, or roles. Policies are written in a specific syntax (JSON documents) and determine what actions are allowed or denied.
Standard policy example:
Difference between an IAM Role and an IAM User:
User:
Identity: A user is an individual entity, often representing a human user, that interacts with a system. Users are typically associated with specific individuals, employees, or end users.
Authentication: Users authenticate themselves using some form of credentials such as a username and password. This is the process of proving one's identity to gain access to a system.
Access: Users are granted access to resources based on their assigned permissions and roles. Their access is managed through the roles and permissions assigned to them.
Role:
Identity: A role is a named collection of permissions that define what actions a user or entity can perform within a system. It is not associated with a specific individual but rather defines a set of permissions that can be assigned to multiple users.
Assignment: Roles are assigned to users, groups of users, or other entities. By assigning roles to users, you can grant them the necessary permissions to perform certain actions.
Access: Roles define what actions a user is allowed to perform. They encapsulate a set of permissions that are typically related to specific tasks or responsibilities.
Example:
Imagine you need to perform a particular task that requires permissions on Lambda, SQS, KMS and SNS, and those permissions are defined as individual policies. You club these policies together using a role: create a role and attach the policies to it, so that any user who has this role attached can perform the task.
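The following is an added example, not code from the original notes, standing in for the "Standard policy example" above and for the Lambda/SQS/KMS/SNS role just described. It builds the identity-based policy document (the JSON form mentioned under Policies) that such a role would carry, and goes one step beyond the notes by adding a small audit function that flags statements broader than least privilege. The account id, region and resource ARNs are constructed placeholders.

```python
"""Added example (not from the original notes): build an IAM policy document for
a single task and audit it for least-privilege problems.

All ARNs below are constructed placeholders, not real resources."""
import json

# Constructed placeholder identifiers; replace with your own account and resources.
ACCOUNT = "123456789012"
REGION = "us-east-1"
QUEUE_ARN = f"arn:aws:sqs:{REGION}:{ACCOUNT}:orders-queue"
TOPIC_ARN = f"arn:aws:sns:{REGION}:{ACCOUNT}:orders-topic"
KEY_ARN = f"arn:aws:kms:{REGION}:{ACCOUNT}:key/00000000-0000-0000-0000-000000000000"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT}:function:process-orders"


def build_task_policy() -> dict:
    """Identity-based policy for a role that does one job: read one queue,
    decrypt with one key, publish to one topic and invoke one function.
    Each statement names only the actions and the resource the task needs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ConsumeQueue", "Effect": "Allow",
             "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
             "Resource": QUEUE_ARN},
            {"Sid": "DecryptWithKey", "Effect": "Allow",
             "Action": ["kms:Decrypt"], "Resource": KEY_ARN},
            {"Sid": "PublishResult", "Effect": "Allow",
             "Action": ["sns:Publish"], "Resource": TOPIC_ARN},
            {"Sid": "InvokeWorker", "Effect": "Allow",
             "Action": ["lambda:InvokeFunction"], "Resource": FUNCTION_ARN},
        ],
    }


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements that are broader than
    least privilege: wildcard actions, whole-service grants such as "s3:*", or
    wildcard resources. An empty list means nothing was flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are never over-grants
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: allows every action (*)")
            elif action.endswith(":*"):
                findings.append(f"{sid}: allows every action in a service ({action})")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: applies to every resource (*)")
    return findings


# A deliberately over-broad policy, constructed here to show what the audit flags.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "TooMuch", "Effect": "Allow",
         "Action": ["s3:*", "kms:Decrypt"], "Resource": "*"}
    ],
}

if __name__ == "__main__":
    print(json.dumps(build_task_policy(), indent=2))
    print("task policy findings:", audit_policy(build_task_policy()))
    print("over-broad findings:", audit_policy(OVERBROAD_POLICY))
```

The audit is intentionally simple: it checks only the shape of each statement, not whether a named action is actually needed by the task, which still requires a human review of the kind the notes recommend under Regular Review and Auditing.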
Key Concepts:
Principle of Least Privilege: Users and systems should only be granted the minimum level of access necessary to perform their tasks. This principle minimizes security risks.
Authentication: Verifying the identity of users or systems accessing resources. Common authentication methods include passwords, multi-factor authentication (MFA), and public/private key pairs.
In IAM, the key-pair form of credential is the access key ID and secret access key pair.
Below is a snippet which shows where the access key for an IAM user can be seen.
But only if you also hold the secret access key matching that access key ID can you authenticate as that IAM user.
Authorization: Determining what actions a user or system is allowed to perform after authentication. This is controlled through roles and policies.
In short: authentication verifies identity; authorization grants access.
Resource-Based vs. Identity-Based Policies: Resource-based policies are attached to individual resources (like an S3 bucket) and control who can access that resource. Identity-based policies are attached to users, groups, or roles and control their overall permissions across resources.
Access Control Lists (ACLs): A legacy method of defining permissions for Amazon S3 buckets and objects. They provide more granular control but can become complex to manage.
Cloud Provider Examples:
AWS IAM: Amazon Web Services offers IAM for managing access to its cloud services. It uses policies, roles, and users/groups to control access.
Azure IAM: Microsoft Azure's IAM follows a similar structure with users, groups, roles, and permissions to manage access to Azure resources.
Google Cloud IAM: Google Cloud Platform's IAM system uses principles of least privilege and provides a hierarchical structure for managing permissions.
Best Practices and Use Cases:
Multi-Factor Authentication (MFA): Requiring an additional layer of authentication, like an OTP or an authentication app (Example: Microsoft Authenticator), adds extra security.
Regular Review and Auditing: Periodically review permissions to ensure they're still appropriate and remove any unnecessary access.
Role-Based Access Control (RBAC): Assign permissions to roles based on job responsibilities, making it easier to manage access at scale.
Delegation: Allow users to assume roles temporarily to perform specific tasks without having continuous access to those resources.
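The following is an added example, not part of the original notes, showing how the authorization step described under Key Concepts actually decides a request, and how the MFA best practice above can be enforced in a policy rather than only configured on a user. It models the IAM evaluation order (an explicit Deny wins, otherwise an Allow is required, otherwise the request is implicitly denied) and uses the real IAM condition key aws:MultiFactorAuthPresent; the policy, resource ARN and request contexts are constructed for illustration.

```python
"""Added example (not from the original notes): a small model of IAM's decision
logic for one request, including an MFA-required Deny statement.

aws:MultiFactorAuthPresent is a real IAM condition key; the policies, resource
ARN and request contexts here are constructed for illustration."""
import copy
from fnmatch import fnmatch

# Constructed resource ARN used in the sample requests below.
RESOURCE = "arn:aws:iam::123456789012:user/alice"

# Constructed policy: read access to IAM always, full IAM access in principle,
# but any action that changes IAM is explicitly denied unless the session
# was authenticated with MFA.
MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow",
         "Action": ["iam:Get*", "iam:List*"], "Resource": "*"},
        {"Sid": "ChangeIam", "Effect": "Allow",
         "Action": ["iam:*"], "Resource": "*"},
        {"Sid": "DenyWithoutMfa", "Effect": "Deny",
         "Action": ["iam:Create*", "iam:Delete*", "iam:Put*",
                    "iam:Attach*", "iam:Detach*"],
         "Resource": "*",
         # BoolIfExists: a request that carries no MFA key at all (for example
         # one signed with long-term access keys) still matches and is denied.
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# The same Deny written with "Bool" instead of "BoolIfExists". A request signed
# with long-term access keys has no aws:MultiFactorAuthPresent key, so the
# condition does not match and the Deny never applies to it.
WEAK_POLICY = copy.deepcopy(MFA_POLICY)
WEAK_POLICY["Statement"][2]["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "false"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the two condition operators this model supports.
    Bool: the key must be present and equal the expected value.
    BoolIfExists: the same, except a missing key counts as a match."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                if operator == "BoolIfExists":
                    continue
                return False
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return "Allow", "ExplicitDeny" or "ImplicitDeny" for one request.
    The request context stands in for the session attributes IAM supplies."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_matches(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        decision = "Allow"  # keep scanning: a later Deny could still apply
    return decision


if __name__ == "__main__":
    # Constructed request contexts: with MFA, without MFA, and no MFA key at all.
    for ctx in ({"aws:MultiFactorAuthPresent": "true"},
                {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, "iam:CreateUser ->", evaluate(MFA_POLICY, "iam:CreateUser", RESOURCE, ctx),
              "| weak policy ->", evaluate(WEAK_POLICY, "iam:CreateUser", RESOURCE, ctx))
```

The difference between the two policies is the practitioner's caveat: requests signed with long-term access keys do not carry aws:MultiFactorAuthPresent at all, so a Deny conditioned with Bool on "false" silently lets them through, while BoolIfExists (or an Allow conditioned with Bool on "true") treats the missing key as "no MFA".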
Case Studies and Real-World Examples:
Capital One (2019):
In one of the most high-profile cases, a former Amazon Web Services (AWS) employee exploited a misconfigured AWS IAM role to gain unauthorized access to Capital One's Amazon S3 buckets.
The breach exposed sensitive data of over 100 million customers, including credit card application data, leading to a massive data breach and legal repercussions.
Accenture (2017):
A cybersecurity research team discovered four Amazon S3 storage buckets configured for public access. These buckets belonged to consulting firm Accenture.
The misconfiguration exposed sensitive customer data and internal company data, including passwords and decryption keys.
Brief: how to set up multi-factor authentication for an IAM user
Navigate to Users:
- In the IAM dashboard, select "Users" from the left-hand navigation pane.
Select the user to enable MFA for:
- Click on the username of the IAM user for whom you want to enable MFA.
Navigate to the "Security credentials" tab:
- You'll see a tab named "Security credentials." Click on it.
Click on "Manage" in the "Assigned MFA device" section:
- This starts the process of enabling MFA for the user.
- If you're using a virtual MFA device, you can choose an app like Google Authenticator or Authy.
- If you're using a hardware MFA device, you'll need to enter the serial number and authentication code from the device.
- AWS will display a set of backup codes. Store these codes securely in case you lose access to your MFA device.
- After successfully activating the MFA device, you'll receive a confirmation message. Click "Finish."