IAM
Structure
Global components
Accounts
An AWS account is a container for your AWS resources. Each AWS account is identified by a unique 12-digit number known as the Account ID (XXXX-XXXX-XXXX). Together with IAM (access control), an AWS account forms a security boundary around a specific user: roles and the actions they are allowed to perform are defined within that account.
AWS Root account
To sign up for an AWS account, AWS users provide a root user e-mail address. An e-mail address can only be used as the root user e-mail address for one AWS account. The root user is considered an IAM "superuser" and has complete administrative permissions over the AWS account.
By default, root users do not have multi-factor authentication (MFA) enforced. Furthermore, root accounts that have neither MFA enabled nor a phone number set are susceptible to a weak password reset workflow attack. This is commonly the case for AWS accounts created automatically through the AWS Organizations service. If an attacker gains control of the e-mail inbox of an AWS root user whose account has no MFA and no phone number, the attacker can trigger a password reset e-mail and complete a takeover of the targeted AWS account.
IAM
Authentication
The authentication procedure is composed of elements called Principals. These elements are used to define access rules for services and resources. A principal falls into one of the following categories:
Users: represent a person or an application. An IAM User belongs to a single AWS account.
Groups: make it easy to manage many users at once by assigning roles to the whole group.
Roles: a temporary privilege that can be acquired by users or by resources such as Lambda functions and EC2 instances.
Policies: a policy defines the type of operation that a specified user or role can perform on a resource. For users that are members of groups, the effective policies are the combination of the group-assigned policies and the policies attached directly to the user.
Authorization procedure
Authentication
Access Key
Create Access Key
Configure local variables
Alternatively these variables can be configured by running the following command on the local machine
Session Token
Create Session Token
Configure local variables
Configure with aws command
Assume Role
Gain temporary access to a resource
CLI Command. The session name is arbitrary and is required only for logging purposes.
Obtain temporary access to an ECS instance. To be executed within the target instance.
Generate temporary credentials for a CloudShell instance. To be executed within the CloudShell session. These credentials can be used to grant other users or services access to the shell session.
After obtaining the credentials, update the local environment.
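The last step above, turning an STS response into local environment variables, as an added example that is not part of the original page. The JSON below is a constructed sample of what `aws sts assume-role --output json` returns (placeholder values, not real credentials); `json_field` and `sts_to_env` are helper names chosen here, not AWS CLI commands.

```shell
# Constructed sample of the JSON that `aws sts assume-role --output json` prints.
# All values are placeholders, not real credentials.
SAMPLE_ASSUME_ROLE_JSON='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLD",
    "SecretAccessKey": "examplesecretkey/placeholder",
    "SessionToken": "FwoGZXIvYXdzEXAMPLEPLACEHOLDERTOKEN",
    "Expiration": "2024-01-01T12:00:00+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLEID:audit-session",
    "Arn": "arn:aws:sts::123456789012:assumed-role/AuditRole/audit-session"
  }
}'

# json_field NAME: print the quoted string value of key NAME from JSON on stdin.
# Only handles the flat string fields STS returns; it is not a general JSON parser.
json_field() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# sts_to_env JSON: turn an STS response into export lines for the local shell.
# Usage: eval "$(sts_to_env "$(aws sts assume-role --role-arn <arn> --role-session-name <name>)")"
sts_to_env() {
  ak=$(printf '%s\n' "$1" | json_field AccessKeyId)
  sk=$(printf '%s\n' "$1" | json_field SecretAccessKey)
  st=$(printf '%s\n' "$1" | json_field SessionToken)
  exp=$(printf '%s\n' "$1" | json_field Expiration)
  if [ -z "$ak" ] || [ -z "$sk" ]; then
    echo "error: no access key pair in STS response" >&2
    return 1
  fi
  # Temporary keys (AccessKeyId prefix ASIA) are only valid together with their
  # session token; exporting them without AWS_SESSION_TOKEN yields InvalidClientTokenId.
  case "$ak" in
    ASIA*) [ -n "$st" ] || { echo "error: temporary key without SessionToken" >&2; return 1; } ;;
  esac
  printf 'export AWS_ACCESS_KEY_ID=%s\n' "$ak"
  printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$sk"
  [ -n "$st" ] && printf 'export AWS_SESSION_TOKEN=%s\n' "$st"
  [ -n "$exp" ] && printf '# these credentials expire at %s\n' "$exp"
  return 0
}
```

Long-term keys (prefix AKIA) pass through without a session token; the expiration comment is a reminder that assumed-role credentials stop working after the session duration and must be refreshed.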
Access Control
Accounts
Create account
Change password
Granting access
Set a password for AWS Console access. If no password is set, the IAM User cannot log in to the AWS console or use GUI-based services.
Manage Access Keys
Enable/disable keys
Delete key