AWS IAM: Confusion-buster

Anuj A. Pachawadkar
5 min readApr 6, 2023
Photo by Viktor Vasicsek on Unsplash

I started using AWS services four-five years back. I started with S3 and EC2 to store images required in our application and to deploy server application respectively. I would get confused about assigning roles, it’s policies to the EC2 instances(I normally would get confused about the difference between IAM Role and IAM User; Then if role is there then what is the use of Policy etc.), however my senior would always help me with creating and assigning those roles and policies.

Then in the new organisation for almost 2–3 years we didn’t use AWS as we would deploy our solutions using docker on our organisation’s internal servers according to our project requirements.

After few years, project changed and again we shifted on cloud and that too on AWS. Now the new project had requirements to use services like AWS Glue(Job, Crawler, Workflow, Athena), AWS Lambda, EFS, S3, Step Function. The project was in Multiomics domain and was having multiple ETL pipelines. So this time there was no escape from IAM. So I did get enough time to look at IAM system.

In the Article I am going to put some light on the basic concepts of IAM system in simple words that will help beginners to go with AWS IAM smoothly.

What is IAM?

IAM is an Access Management framework of policies or rules that ensures appropriate access to technology resources to authorised and authenticated users.
Three entities involved in the system are given below with their examples:

  • Users:
    - Rahul
    - EC2 Instance
    - Lambda Function
  • Rules:
    - Sunil should have access to only S3.
    - Renuka should have access to all 4 services — S3, Lambda, EC2, EFS.
    - Leena should not have access to any resources.
    - An EC2 instance should only have access to specific folder within specific S3 bucket.
  • Resources:
    - S3
    - Lambda
    - EC2
    - EFS
IAM System

IAM User:

IAM user is an entity that you create in AWS to represent a person or application that uses it to interact with AWS.

By default User doesn’t have any permission associated with it. Every IAM user MUST have a unique login ID associated.

When a user id is created initially, they have no access to AWS resources.

IAM Policy:

IAM Policy is an object in AWS that defines the permission of a specific object.

It allows us to define at granular level access on what permissions need to be given to access a particular AWS resource.

AWS evaluates the policy and depending on that permission is granted or denied.

Policy object contains following some of the important attributes/elements:
- Statement: Main and parent element of Policy.
- Effect: it tells What happens after policy implementation. E.g. “Allow”, “Deny” etc.
- Action: It tells on which service what actions are allowed. E.g. “ec2:*”, “ec2:CreateBucket”, “s3:PutBucket”, “s3:CreateBucket” etc. It defines list of actions that will be allowed or denied. Each AWS service has its own set of actions.
- Resource: It specifies the ARN of actual AWS resource you want to implement policy upon or this action will be allowed. It defines the object that the statement covers.

All the available actions on available resources(Actions, resources, and condition keys for AWS services) can be looked up in following link:
https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html

- Example of a policy is as below:

{
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-1:838064567750:instance/i-0867a3d91e987ea1"
}
}
  • How Policy evaluation takes place:
    - Decision starts with assumption that the request will be denied.
    - Then all the attached policies are evaluated.
    - Code will look if there is any explicit deny in the policy.
    - If explicit deny found, code will look for allowed instructions and if yes then decision is Allow.
    - If no allow is found, decision is Deny.
    - Deny policy always take higher precedence over allow policy.
Image source: https://www.google.com/url?sa=i&url=https%3A%2F%2Fjayendrapatil.com%2Faws-iam-access-management%2F&psig=AOvVaw1bVWy2hNIK9Fe-KyRWsODO&ust=1680525859325000&source=images&cd=vfe&ved=0CBAQjRxqFwoTCJiyiOmci_4CFQAAAAAdAAAAABAE
  • Condition Element in an IAM Policy:
    - It allows you specify conditions for when policy is in effect.
    - We build it by making use of conditional operators like — equal, less than etc.
    - Example of condition:
"Condition": {
"DateGreaterThan": {
"aws:CurrentTime": "2017-07-12T09:00:00Z"
}
}

- Policy with condition:

{
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:us-east-1:838064567750:instance/i-0867a3d91e987ea1",
"Condition": {
"IpAddress": {
"aws:SourceIp": "11.118.03.143/32"
}
}
}
}

What is IAM Role?

IAM Role is an entity that contains a set of policies and any resource(Any AWS services like — EC2, Lambda, Glue Job etc.) assuming/using that, Role will be able to have permissions mentioned in the role.

An IAM Role is similar to an IAM User, in that(IAM User) it is AWS identity with permission policies that determine what the identity can and cannot do in AWS.

IAM Role is basically used for AWS services.

In case of IAM User it has login id and password to login to AWS console and perform certain operations which is not the case with IAM Role.

IAM Role can also be assigned to user to provide temporary access to AWS services.

Policies are attached to an IAM Role.

What is IAM Permission Boundary?

A Permission boundary is an advanced feature in which you use a managed policy to set maximum permissions that an identity-based policy can grant to an IAM entity.

When you set a permission boundary for an entity, the entity can perform only the actions that are allowed by both it’s identity-based policies and it’s permission boundaries.

IAM Permission Boundaries can only be assigned to roles.

How evaluation of Effective Permissions with Boundaries are done?

The effective permission for an entity are the permissions that are granted by all the policies associated with the user/role/account.

Within an AWS Account, the permissions for an entity can be affected by identity-based policies, resource-based policies, permission boundaries, Organisations SCPs or session policies.

IAM role is always the best choice for passing security credentials to the application.

Please feel free to comment your suggestions and additional information on the Topic. Thank you for reading!!

--

--