AWS Authentication and Authorization Summary

Authentication – prove you are who you say you are.
Authorization – determine what an authenticated identity is and is not allowed to do.
Authentication
With AWS IAM (Identity and Access Management), authentication is performed against principals. Principals take one of three forms:

  • Root AWS User
  • IAM User
  • Roles / Temporary Tokens

IAM performs the authentication for all three principal types.
Roles have no long-term credentials. Assuming a role (or calling GetSessionToken as an IAM user) yields temporary credentials that expire and must be renewed: GetSessionToken credentials last from 15 minutes to 36 hours, and role sessions last from 15 minutes up to the role's configured maximum session duration (at most 12 hours).
A principal authenticates in one of three ways:

  • Username / Password
  • Access Key – access key ID (20 characters) and secret access key (40 characters)
  • Access Key + Session Token – the access key ID and secret access key of a temporary credential set, plus the session token that belongs to them

Note: if anyone ever asks, as noted above, access keys are used for authentication (signing API requests), NOT for encryption.
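The following is an added example, not code from the original post, showing what "signing, not encrypting" means in practice: the secret access key is used as an HMAC key to produce the AWS Signature Version 4 value that goes in the Authorization header, and the service recomputes the same value from its copy of the secret to authenticate the caller. The request (IAM ListUsers), the credential pair (the placeholder pair used in AWS documentation) and the in-memory key store are constructed for the example; the secret never leaves either side and nothing in the request is encrypted.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed credentials: the placeholder pair used in AWS documentation, not a live key.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                          # 20 characters
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"  # 40 characters
ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Build the SigV4 canonical request; returns it with the signed-header list."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    # Header names are lowercased and sorted; values are trimmed with inner runs of spaces collapsed.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{name}:{lowered[name]}\n" for name in sorted(lowered))
    request = "\n".join([method, path, canonical_query, canonical_headers,
                         signed_headers, sha256_hex(payload)])
    return request, signed_headers


def signing_key(secret, date, region, service):
    """Derive the per-day, per-region, per-service key from the secret access key."""
    key = hmac_sha256(("AWS4" + secret).encode("utf-8"), date)
    key = hmac_sha256(key, region)
    key = hmac_sha256(key, service)
    return hmac_sha256(key, "aws4_request")


def compute_signature(secret, method, path, query, headers, payload, amz_date, region, service):
    request, signed_headers = canonical_request(method, path, query, headers, payload)
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(request.encode("utf-8"))])
    key = signing_key(secret, amz_date[:8], region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, scope, signed_headers


def sign_request(access_key_id, secret, method, host, path, query, headers, payload,
                 amz_date, region, service):
    """Client side: return the headers to send, including the Authorization header."""
    headers = {k.lower(): v for k, v in headers.items()}
    headers["host"] = host
    headers["x-amz-date"] = amz_date
    signature, scope, signed_headers = compute_signature(
        secret, method, path, query, headers, payload, amz_date, region, service)
    headers["authorization"] = (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def verify_request(key_store, method, path, query, headers, payload, region, service):
    """Server side: look up the secret by access key ID, recompute, compare in constant time."""
    auth = headers.get("authorization", "")
    if not auth.startswith(ALGORITHM):
        return False
    parts = dict(p.strip().split("=", 1) for p in auth[len(ALGORITHM):].split(","))
    access_key_id = parts["Credential"].split("/", 1)[0]
    secret = key_store.get(access_key_id)
    if secret is None:
        return False
    signed = {name: headers[name] for name in parts["SignedHeaders"].split(";")}
    expected, _, _ = compute_signature(
        secret, method, path, query, signed, payload, headers["x-amz-date"], region, service)
    return hmac.compare_digest(expected, parts["Signature"])


# Constructed sample request: IAM ListUsers over the query API.
SAMPLE = dict(method="GET", host="iam.amazonaws.com", path="/",
              query={"Action": "ListUsers", "Version": "2010-05-08"},
              headers={"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
              payload=b"", amz_date="20150830T123600Z", region="us-east-1", service="iam")


def sign_sample():
    return sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, **SAMPLE)


def verify_sample(headers, query=None, key_store=None):
    # The key store stands in for IAM's lookup of the secret that belongs to an access key ID.
    store = key_store if key_store is not None else {ACCESS_KEY_ID: SECRET_ACCESS_KEY}
    return verify_request(store, SAMPLE["method"], SAMPLE["path"], query or SAMPLE["query"],
                          headers, SAMPLE["payload"], SAMPLE["region"], SAMPLE["service"])


if __name__ == "__main__":
    signed = sign_sample()
    print(signed["authorization"])
    print("verified:", verify_sample(signed))
```

The signature binds the method, path, query string, the listed headers and the SHA-256 of the body, so changing any of them (or the date, which scopes the derived key) invalidates it; that is authentication and integrity, while confidentiality still comes only from TLS.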
Authorization Using Policies
IAM performs authorization by using policies granted to principals.
Policies are simple JSON documents whose statements consist of at least three parts:

  • Effect – Allow or Deny
  • Action – the API operation(s), e.g. s3:GetObject
  • Resource – the AWS resource(s) the statement covers, in ARN format
  • Condition – optional; restricts when the statement applies

And look like this:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

IAM policies are independent of region.
Amazon SQS also has its own resource-based policy type, the queue policy. The documented difference is that a queue policy can grant a different AWS account permission on your queues, whereas an IAM (identity-based) policy attached to a user, group or role in your own account cannot. This does not mean IAM policies are unused for SQS: both policy types are evaluated together. Within one account a request succeeds if either the identity policy or the queue policy allows it; across accounts it needs an allow on both sides; and an explicit Deny in either always wins.
AWS Resource / ARN formats are documented in the AWS ARN reference.
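The following is an added example, not code from the original post, that implements the evaluation rules described above (explicit Deny wins, then any matching Allow, otherwise implicit deny) for the policy document format shown earlier, including Action and Resource wildcards, a StringEquals Condition, and the Principal element that resource-based policies such as SQS queue policies carry. It then combines identity-based and queue policies with the same-account versus cross-account rule. The account IDs, ARNs, queue name and policies are constructed for the example, and only the StringEquals condition operator is implemented.

```python
import re


def _matches(pattern, value, case_insensitive=False):
    """IAM-style glob: * matches any run of characters, ? matches one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, caller_arn, action, resource, context):
    principal = stmt.get("Principal")           # present only in resource-based policies
    if principal is not None and principal != "*":
        if caller_arn not in _as_list(principal.get("AWS", [])):
            return False
    # Action names are matched case-insensitively; resource ARNs are matched as written.
    if not any(_matches(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not implemented here")
        for key, wanted in clauses.items():
            if context.get(key) not in _as_list(wanted):   # missing key fails the condition
                return False
    return True


def evaluate(policies, caller_arn, action, resource, context=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one set of policies."""
    context = context or {}
    decision = "implicit_deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, caller_arn, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"      # an explicit Deny overrides every Allow
            decision = "allow"
    return decision


def authorize(caller, identity_policies, resource_policies, action, resource, context=None):
    """Combine identity-based and resource-based policies for one request."""
    resource_account = resource.split(":")[4]   # account ID is the fifth ARN field
    ident = evaluate(identity_policies, caller["arn"], action, resource, context)
    res = evaluate(resource_policies, caller["arn"], action, resource, context)
    if "explicit_deny" in (ident, res):
        return False
    if caller["account"] == resource_account:
        return "allow" in (ident, res)          # same account: either policy type suffices
    return ident == "allow" and res == "allow"  # cross-account: both sides must allow


# Constructed sample data: account IDs, ARNs and the queue are made up for this example.
QUEUE = "arn:aws:sqs:us-east-1:111122223333:orders"
ALICE = {"arn": "arn:aws:iam::111122223333:user/alice", "account": "111122223333"}
BOB = {"arn": "arn:aws:iam::444455556666:user/bob", "account": "444455556666"}

# Identity-based policy attached to alice, who is in the queue's own account.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sqs:SendMessage", "sqs:ReceiveMessage"], "Resource": QUEUE,
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
    {"Effect": "Deny", "Action": "sqs:PurgeQueue", "Resource": "*"},
]}

# Queue (resource-based) policy: grants bob, in another account, SendMessage on this queue.
QUEUE_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": BOB["arn"]},
    "Action": "sqs:SendMessage", "Resource": QUEUE}}

# Identity-based policy in bob's own account; cross-account access needs this side as well.
BOB_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sqs:SendMessage", "Resource": QUEUE}}


def decide(caller, identity_policies, action, context=None):
    """Authorize one request against the sample queue and its queue policy."""
    return authorize(caller, identity_policies, [QUEUE_POLICY], action, QUEUE, context)


if __name__ == "__main__":
    ctx = {"aws:RequestedRegion": "us-east-1"}
    print("alice SendMessage:", decide(ALICE, [ALICE_POLICY], "sqs:SendMessage", ctx))
    print("alice PurgeQueue: ", decide(ALICE, [ALICE_POLICY], "sqs:PurgeQueue", ctx))
    print("bob SendMessage:  ", decide(BOB, [BOB_POLICY], "sqs:SendMessage"))
    print("bob w/o IAM side: ", decide(BOB, [], "sqs:SendMessage"))
```

The cross-account case is the one the SQS documentation is pointing at: the queue policy alone gets bob nowhere, and bob's own IAM policy alone gets him nowhere either, because his account cannot grant access to a resource it does not own.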
Assigning Policies to Principals
There are many predefined (AWS managed) policies provided by AWS, and you can add your own custom policies. See AWS Console / IAM.
A common and convenient method for relating a policy to a user is to place IAM users in IAM groups and then attach policies to the group. For non-trivial authorization tasks (a large number of users) this method is strongly preferred. Note that roles cannot be members of groups; policies are attached to roles directly.
Several other methods for granting permissions to a user exist for less demanding requirements, such as attaching a managed or inline policy to the user directly.
Note: IAM Users and Policies are global (not attached to a region).
IAM Limits Reference

IAM User Guide

IAM Roles FAQ