AWS's IAM services

Natasha Ong
4 min read

In a nutshell:

MFA (Multi-factor authentication) adds an extra layer of security by asking users to provide multiple forms of identification, such as a password PLUS entering a temporary code from a mobile app.
AWS Secrets Manager helps protect sensitive information, like passwords and API keys, by storing credentials in one place, controlling who can read them, and rotating them automatically.
AWS IAM Identity Center simplifies authentication: users sign in once to reach all of their AWS accounts (single sign-on, SSO), and you can connect it to the identity provider your company already runs so staff use the credentials they already have (identity federation).
Cross-account IAM roles let identities in one AWS account assume a role in another account and receive temporary credentials, without creating a new IAM user in that second account.

All right, so far we've learnt these key things about IAM:

  • The root user, who can do anything in the account.
  • IAM users, which are individual identities inside an AWS account and can be organised into groups for easier permission management.
  • Policies, which are JSON documents that describe permissions and can be attached to users, groups or roles.
  • Roles, which give users or services temporary access to do certain actions.

Now let's dive into some handy tools that help us be the ultimate bouncers for our AWS accounts!

Multi-factor authentication (MFA)

Have you ever signed in to a website with your password, but it also asked you to type in a code they sent to your phone or email?

That code is a second form of authentication. This is an example of multi-factor authentication (MFA), which provides an extra layer of security for your account.

You can enable MFA for the root user and IAM users. As a best practice, enable MFA for the root user and all IAM users in your account.

This is what MFA looks like for someone trying to log in:

  1. First, the user enters the account ID (or account alias), their IAM user name and their password to sign in to the AWS Management Console.
  2. Next, the user is prompted for an authentication response from their MFA device. This can be a FIDO2 hardware security key, a virtual MFA app installed on their phone, or a hardware TOTP token. The password proves something the user knows; the device proves something only they should have.
  3. Once both factors check out, the user is authenticated and can access the AWS services and resources their permissions allow.
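The virtual MFA app mentioned in the sign-in steps above is a TOTP generator: at enrolment AWS shows a secret seed (as a QR code, or as base32 text), and from then on the app and AWS each compute a six-digit code from that seed and the current time. The following Python is an added example, not code from the original post or from AWS; it implements TOTP as RFC 6238 specifies (HMAC-SHA1, 30-second steps, 6 digits) together with the server-side check that tolerates one step of clock drift. The seed and timestamps used in the demo are the RFC's published test vectors, not a real AWS key.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Assumption: an AWS virtual MFA device uses the RFC 6238 defaults,
# i.e. 6-digit codes over HMAC-SHA1 with a 30-second time step.
STEP_SECONDS = 30
DIGITS = 6


def seed_from_base32(seed: str) -> bytes:
    """Decode the base32 seed shown at enrolment (the text behind the QR
    code). Spaces are tolerated and stripped padding is restored."""
    s = seed.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, take 4 bytes at the
    offset given by the low nibble of the last byte, mask to 31 bits,
    reduce modulo 10^digits and left-pad with zeros."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP whose counter is the number of whole steps since the
    Unix epoch. The phone app and AWS both compute exactly this."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: Optional[int] = None,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check. Accept the current step plus `window` steps on
    either side to absorb clock drift between phone and server; each
    comparison is constant-time so timing does not leak matching digits."""
    if at is None:
        at = int(time.time())
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 Appendix B seed: ASCII "12345678901234567890", not a real key.
    demo_seed = seed_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(demo_seed, at=59))
    print("code right now:", totp(demo_seed))
```

Two things this makes visible that the prose does not: the seed is a shared secret, so whoever can read the QR code at enrolment can generate valid codes forever (which is why a FIDO2 key, whose private key never leaves the device, is the stronger option), and the verifier's drift window should stay small, because every extra step doubles the number of codes that are accepted at a given moment.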

AWS Secrets Manager

Manages sensitive information such as API keys, passwords, and database credentials securely.

AWS Secrets Manager serves as the guardian of sensitive information. It offers a centralised and secure vault for API keys, passwords, and database credentials.

One of its standout features is automatic credential rotation. Credential rotation means regularly replacing a password or key with a fresh one. It limits the damage a leaked secret can do: an attacker who copied a database password can only use it until the next rotation, after which the stolen value stops working. Rotation does not end a session an attacker has already opened, and it does nothing for a copy of the secret that is hardcoded in an application instead of being read from Secrets Manager. Here's how it typically works:

  1. Set up a schedule: pick how often the secret should change, for example every 30 days.
  2. Credentials update: when the scheduled time arrives, Secrets Manager runs a rotation function (an AWS Lambda function) that generates a new password, sets it on the database or service, tests that it works, and then marks the new version as the current one. The previous value is kept as the previous version so you can roll back.
  3. Apps and services pick up the change: applications that fetch the secret from Secrets Manager at run time start using the new value without any manual work, so there is no downtime. Applications that cached the old value forever, or that had the password pasted into a config file, will start failing to authenticate, which is why an app should re-read the secret when it gets an authentication error.
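What that last step means for application code, as an added example that is not from the original post or from AWS: a small cache around a get_secret_value-style call (the shape boto3's Secrets Manager client returns), refreshed on a time-to-live and again when the database rejects the cached password. The FakeSecretsManager class, the secret name prod/app/db, the host name and the passwords are constructed stand-ins so the example runs offline; in production you would pass boto3's client.get_secret_value as the fetch function and your real database connect call in place of db_connect.

```python
import json
import time
from typing import Any, Callable, Dict, Optional

# Assumption: `fetch` behaves like boto3's client.get_secret_value(SecretId=...)
# and returns a dict whose "SecretString" is JSON like
#   {"username": ..., "password": ..., "host": ...}
FetchFn = Callable[..., Dict[str, Any]]


class AuthError(Exception):
    """Raised by the downstream service when it rejects a credential."""


class SecretCache:
    """Keeps one secret in memory and re-reads it after `ttl` seconds or on
    demand. Reading on every request is slow and costs API calls; never
    re-reading means the next rotation breaks the app."""

    def __init__(self, secret_id: str, fetch: FetchFn, ttl: float = 300.0,
                 clock: Callable[[], float] = time.time) -> None:
        self.secret_id = secret_id
        self._fetch = fetch
        self.ttl = ttl
        self._clock = clock
        self._value: Optional[Dict[str, Any]] = None
        self._fetched_at = 0.0
        self.fetch_count = 0  # how many times Secrets Manager was actually called

    def get(self, force: bool = False) -> Dict[str, Any]:
        now = self._clock()
        stale = self._value is None or (now - self._fetched_at) >= self.ttl
        if force or stale:
            resp = self._fetch(SecretId=self.secret_id)
            self._value = json.loads(resp["SecretString"])
            self._fetched_at = now
            self.fetch_count += 1
        return self._value


def connect_with_rotation_retry(cache: SecretCache,
                                connect: Callable[[Dict[str, Any]], Any]) -> Any:
    """Use the cached credential; if the service rejects it, assume a rotation
    just happened, re-read the secret once and retry. A second rejection is a
    real error and is allowed to propagate."""
    try:
        return connect(cache.get())
    except AuthError:
        return connect(cache.get(force=True))


class FakeSecretsManager:
    """Constructed stand-in for the Secrets Manager API and the database it
    protects, so the example runs offline. Only the current password works."""

    def __init__(self) -> None:
        self.current = {"username": "app", "password": "pw-v1",
                        "host": "db.example.internal"}

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        return {"Name": SecretId, "SecretString": json.dumps(self.current),
                "VersionStages": ["AWSCURRENT"]}

    def rotate(self, new_password: str) -> None:
        # The rotation function, condensed: set a new password on the
        # database and make that version the current one.
        self.current = dict(self.current, password=new_password)

    def db_connect(self, creds: Dict[str, Any]) -> str:
        if creds["password"] != self.current["password"]:
            raise AuthError("password authentication failed")
        return "connection(%s@%s)" % (creds["username"], creds["host"])


def demo() -> Dict[str, Any]:
    """Walk through one rotation and report what happened."""
    sm = FakeSecretsManager()
    cache = SecretCache("prod/app/db", sm.get_secret_value, ttl=300)
    first = connect_with_rotation_retry(cache, sm.db_connect)   # reads the secret
    sm.rotate("pw-v2")                                          # scheduled rotation
    second = connect_with_rotation_retry(cache, sm.db_connect)  # rejected, re-read, retried
    hardcoded_ok = True
    try:
        sm.db_connect({"username": "app", "password": "pw-v1",
                       "host": "db.example.internal"})
    except AuthError:
        hardcoded_ok = False  # a pasted-in copy of the old password is now dead
    return {"first": first, "second": second, "fetches": cache.fetch_count,
            "hardcoded_still_works": hardcoded_ok}


if __name__ == "__main__":
    print(demo())
```

The retry-once pattern is deliberately narrow: it only re-reads on an authentication failure, not on every error, so a network outage does not turn into a flood of Secrets Manager calls.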

AWS IAM Identity Center (AWS Single Sign-On)

AWS IAM Identity Center, previously called AWS Single Sign-On (SSO), simplifies authentication by making users log in just once to access all their AWS accounts.

SSO isn't just used in AWS:

  • Once you log into your Gmail account, you probably don't need to log in again to access YouTube. That's because Google uses SSO for their products!
  • Once you log in to your NextWork account, you wouldn't need to make a new username and password to access the community page. That's because NextWork uses SSO!

SSO brings two key benefits:

  1. Users only have to remember one username/email and password.
  2. As users change roles or leave the company, companies can just change their access in one place. Imagine if the user had to create a separate login for all the AWS accounts they were using! The person managing AWS access would have to change or disable every single account.

IAM Identity Center doesn't just help you set up SSO for your AWS accounts. It's also the place to set up federated access.

Identity federation

Identity federation means trusting another system's authentication. A user who already has an account with an external identity provider can get access to your AWS resources without you creating an IAM user for them. For a company, that provider is usually the corporate directory behind a user's xxx@company.com login, which IAM Identity Center connects to using SAML 2.0. Consumer providers such as Amazon, Facebook and Google can also be trusted, but that is web identity federation, handled through Amazon Cognito or AWS STS rather than IAM Identity Center, and it is normally used for an application's end users rather than your own staff.

AWS IAM Identity Center in action

On an AWS sign-in page that offers both choices:

  • The "Amazon employee single-sign-on" option = SSO. The user is sent to their organisation's identity provider and, if already signed in there, gets straight in.
  • The "Login with Amazon" option = identity federation. A consumer identity provider vouches for the user, and AWS never sees their password.

Cross-account IAM Roles

Cross-account IAM roles let identities in one AWS account use resources in another account without creating a new IAM user there.

To understand how it works, imagine you manage two AWS accounts called Account A and Account B:

  1. Role set-up: in Account A, you create a cross-account IAM role. Its trust policy names Account B as a trusted principal, and its permissions policy lists what the role may do in Account A, for example reading a particular S3 bucket or database table.
  2. Granting the right to assume it: in Account B, an administrator attaches a policy to the relevant user or group that allows sts:AssumeRole on that role's ARN. Trust from Account A alone is not enough; both sides have to agree.
  3. Requesting access: the user in Account B calls AssumeRole (from the console's "Switch role" page, the CLI or an SDK) and receives temporary credentials for the role in Account A, valid for a limited session (one hour by default). With those credentials they can use exactly the resources the role's permissions allow, and nothing else. No user is created in Account A, and there are no long-lived credentials to leak.
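The three policy documents that make this work, plus a simplified check of who gets through, as an added example that is not from the original post. The can_assume function is a teaching model, not how IAM's real evaluator is implemented: it ignores explicit denies, service control policies and permission boundaries. The account IDs 111111111111 and 222222222222, the role name ReadReportsFromA and the bucket name are placeholders. It also adds two trust-policy conditions the post does not mention but a practitioner would want: requiring MFA on the caller, and an external ID so a third party that assumes the role on your behalf cannot be tricked into doing so for someone else (the confused-deputy problem).

```python
import json
from typing import Any, Dict, List, Optional, Union

# Placeholder account IDs: Account A owns the resources, Account B holds the callers.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/ReadReportsFromA"


def trust_policy(trusted_account: str, require_mfa: bool = True,
                 external_id: Optional[str] = None) -> Dict[str, Any]:
    """Attached to the role in Account A: WHO may assume it. Trusting the
    account root delegates the fine-grained choice to Account B's admins."""
    stmt: Dict[str, Any] = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    cond: Dict[str, Any] = {}
    if require_mfa:
        cond["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if external_id:
        cond["StringEquals"] = {"sts:ExternalId": external_id}
    if cond:
        stmt["Condition"] = cond
    return {"Version": "2012-10-17", "Statement": [stmt]}


def permissions_policy(bucket: str) -> Dict[str, Any]:
    """Attached to the same role: WHAT it may do once assumed (read one bucket)."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def assume_role_policy(role_arn: str) -> Dict[str, Any]:
    """Attached to the user or group in Account B: permission to call
    AssumeRole on this one role. Without it, Account A's trust is not enough."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn},
    ]}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def can_assume(trust: Dict[str, Any], caller_policy: Dict[str, Any],
               caller_account: str, role_arn: str,
               mfa_present: bool, external_id: Optional[str] = None) -> bool:
    """Simplified model of the two checks STS makes on AssumeRole: the caller's
    own identity policy must allow sts:AssumeRole on the role, AND the role's
    trust policy must name the caller's account with every condition satisfied."""
    caller_allowed = any(
        s["Effect"] == "Allow"
        and "sts:AssumeRole" in _as_list(s["Action"])
        and role_arn in _as_list(s["Resource"])
        for s in caller_policy["Statement"]
    )
    if not caller_allowed:
        return False
    for s in trust["Statement"]:
        if s["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(s["Action"]):
            continue
        if s["Principal"].get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = s.get("Condition", {})
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            continue
        wanted = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            continue
        return True
    return False


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_B, external_id="vendor-42"), indent=2))
    print(json.dumps(permissions_policy("reports-from-a"), indent=2))
    print(json.dumps(assume_role_policy(ROLE_ARN), indent=2))
```

The printed documents can be pasted into the console as-is. The call that then fetches temporary credentials is, with boto3, sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName="alice-reports", ExternalId="vendor-42"), and with the CLI, aws sts assume-role with the same arguments; both return an access key, secret key and session token that expire at the end of the session.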