AWS IAM User, User Groups & Policies hands-on

SAURABH SHARMA
5 min read · Jan 31, 2023


A journey of AWS Associate Certification…

Generic User Access Management Module insight

saurabhshcs: Code with Saurabh — https://youtu.be/uWxMjpJfc2g

First of all, I will take you through a User Access or Identity Manager request flow. In a web application, when a user tries to access some secure resource (e.g. the MyAccount page, Order History, Payment History, a SelfCare or self-service portal, payroll, or any other company asset), the application will either force the user to log in or Register/Signup, or show a "Contact your Administrator" message on an error page.

In the following diagram, I show a very generic user identity module request flow that should fit most IAM or Identity Manager applications.

Credit: saurabhshcs [ Generic User Access Management Module process flow template]
  • Actor: a user of a simple web application, either registered or anonymous.
  • Hard Login: the most common authentication entry point. It is invoked through a hard login mechanism at a specific stage of the user journey, or a more secure application may ask you to Register/Signup or log in before visiting any other page of the application.
  • Authentication Service: essentially a gatekeeper service. It checks whether the actor/user exists in the application and verifies whether the user's credentials (username/password) are correct. If the user is authenticated, it performs some intelligent analysis to decide whether this particular authentication is suspected (suspicious) or not.
    If the authentication is not suspected, the flow moves to the Permission Verification Service; otherwise it is redirected to the Advance Authentication Service.
  • Permission Verification Service: verifies the user's permission for the application, based on the user's assigned role, user group or inline permissions. If the respective permission is granted, the user can access the MyAccount or self-service home page, with navigation links limited to what is permitted.
  • Advance Authentication Service: if the authentication is flagged as suspected, the user is redirected to the "Advance Authentication Service", which may ask for a Multi-Factor Authentication (MFA) step, if available or provisioned, or for security questions. If the user successfully answers the security questions, OTP or MFA challenge, the flow redirects to the Permission Verification Service; if not, it redirects to login again, or to signup/registration, or shows an error message stating that you are not allowed to access the resource and should contact the administrator. All of these activities are logged in an application authentication history for further analytics.
Credit: Stephane Maarek | AWS Certified Associate- Developer & Architect Course @Udemy

Let's dive into AWS IAM policies. The following are takeaways from Stéphane Maarek's Udemy course, AWS Certified Solutions Architect Associate Certification (SAA-C03).

Developers User Group

AWS-IAM Policy & User Groups
Credit: Stephane Maarek | AWS Certified Associate- Developer & Architect Course Udemy

In the above picture, we have a group of developers, Alice, Bob & Charles, and we have attached the policy at the group level. A policy attached to a group applies to each member of that user group, so all members of the developers user group inherit this policy.

AWS Console hands-on

Credit: saurabhshcs — https://www.youtube.com/watch?v=jtFqfGf6kss

Operations User Group

Operations User group — Credit: Stephane Maarek | AWS Certified Associate- Developer & Architect Course Udemy

The second group, operations, has a different policy attached, so David and Edward will have a different policy than the developers group.

Individual User or Inline Policy

Inline Policy- Credit: Stephane Maarek | AWS Certified Associate- Developer & Architect Course Udemy

Fred is a user who does not necessarily belong to any group. For such a case we can create what's called an inline policy, which is a policy attached directly to a single user. That user may or may not belong to a group; you can have inline policies for whatever user you want.

Audit Team User Group & Inherit Policy

Audit Team user group — Credit: Stephane Maarek | AWS Certified Associate- Developer & Architect Course Udemy

If Charles and David both belong to the audit team and you attach a policy to the audit team as well, Charles and David will also inherit that policy from the audit team. So in this case, Charles has a policy from developers and a policy from the audit team, and David has a policy from the audit team and a policy from the operations team.

IAM Admin Policy Architecture

AWS IAM Policy Structure- https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html

AdministratorAccess policy applied to the user saurabh in IAM

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

AWSDirectConnectReadOnlyAccess policy structure applied to the user saurabh in IAM

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "directconnect:Describe*",
        "directconnect:List*",
        "ec2:DescribeVpnGateways",
        "ec2:DescribeTransitGateways"
      ],
      "Resource": "*"
    }
  ]
}

  • Version: the policy language version; always include "2012-10-17"
  • Statement: allows or denies access to certain APIs, and consists of
    - Effect: whether the statement allows or denies access (Allow/Deny)
    - Action or Operation: defined by a service, and includes the things you can do to a resource, such as viewing, creating, editing and deleting that resource. For example, IAM supports approximately 40 actions for a user resource.
    - Resource: the objects the statement applies to. In IAM these are the user, group, role, policy and identity provider objects stored in IAM; as with other AWS services, you can add, edit and remove resources from IAM.
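The inheritance described above (every group policy plus any inline policy, evaluated with IAM's rule that an explicit Deny beats any Allow and no match is an implicit deny) as a small simulator. This is an added example, not the article's or AWS's code: the first two policy documents are the ones reproduced above, while AUDIT_DENY, FRED_INLINE, the mapping of groups to policies and every ARN are constructed assumptions.

```python
import fnmatch

# Added example, not the article's code. The first two documents are the ones
# the article reproduces; AUDIT_DENY, FRED_INLINE, the group-to-policy mapping
# and every ARN below are constructed assumptions for illustration.
ADMINISTRATOR_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DIRECTCONNECT_READONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "directconnect:Describe*", "directconnect:List*",
        "ec2:DescribeVpnGateways", "ec2:DescribeTransitGateways"]}]}
AUDIT_DENY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "iam:Delete*", "Resource": "*"}]}
FRED_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::reports/*"}]}

GROUPS = {  # group -> (members, attached policies), following the article's diagrams
    "developers": ({"Alice", "Bob", "Charles"}, [DIRECTCONNECT_READONLY]),
    "operations": ({"David", "Edward"}, [ADMINISTRATOR_ACCESS]),
    "audit": ({"Charles", "David"}, [AUDIT_DENY]),
}
INLINE = {"Fred": [FRED_INLINE]}  # an inline policy is attached to exactly one user

def _as_list(v):
    return v if isinstance(v, list) else [v]

def effective_policies(user):
    """Every policy of every group the user belongs to, plus the user's inline policies."""
    docs = [p for members, pols in GROUPS.values() if user in members for p in pols]
    return docs + INLINE.get(user, [])

def evaluate(user, action, resource):
    """IAM-style decision: explicit Deny beats Allow; no match is an implicit deny."""
    decision = "ImplicitDeny"
    for doc in effective_policies(user):
        for stmt in doc["Statement"]:
            hit_action = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                             for a in _as_list(stmt["Action"]))
            hit_resource = any(fnmatch.fnmatchcase(resource, r)
                               for r in _as_list(stmt["Resource"]))
            if hit_action and hit_resource:
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny wins regardless of other Allows
                decision = "Allow"
    return decision

if __name__ == "__main__":
    for who, act, res in [("Charles", "directconnect:DescribeConnections", "*"),
                          ("David", "iam:DeleteUser", "arn:aws:iam::111122223333:user/bob"),
                          ("Fred", "s3:GetObject", "arn:aws:s3:::payroll/q1.csv")]:
        print(f"{who:8} {act:35} -> {evaluate(who, act, res)}")
```

David is an administrator through the operations group yet cannot delete IAM users, because the audit team's explicit Deny overrides the Allow on "*"; Fred's inline policy reaches only the reports bucket, so payroll falls to the implicit deny.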

References:

AWS — Understanding how IAM works

saurabhshcs@github — AWS Certified Associate Level


SAURABH SHARMA

Technology Enthusiast and Open Source Technology advocate