AWS - IAM

Security, Identity, & Compliance / IAM

AWS IAM 是什麼?

Identity Access Management allows you to manage users and thier level of access to the AWS Console.

  • centralised(集中)control of your AWS account
  • Shared access to your AWS account
  • Granular(粒)Permissions(權限)
  • Identity(身份)Federation(including Active Directory, Facebook, Linkin, etc..)
  • Multifactor Authentication
  • Provide temporary access for users/devices and services where necessary
  • integrates(整合)with many deifferent aws services
  • Supports PCI DSS(Payment Card Industry Data Security Standard 支付卡行業數據安全標準)Compliance

Key Terminology For IAM

  • Users:End Users such as people, employees of an organization etc.
  • Groups:A collection of users. Each user in the group will inherit the permission of the group.
  • Policies:Policies are made up of documents, called Policy documents. These doccuments are in a format called JSON and they give permissions as to what a User/Groups/Role is able to do.
  • Roles:you create Roles and then assign them to AWS Resources.

從 AWS AIM 設定了解觀念

IMAGE

點選 Security, Identity, & Compliance / IAM 後,可以登入 Welcome to Identity and Access Management 的頁面。

其中可以點選 Customize 按鈕修改 IAM users sign-in link 的連結(無法與其他人重複)

IMAGE

成功編輯後 IAM users sign-in link 就會被替換( e.g. https://chestertang1231.signin.aws.amazon.com/console

Security Status

Activate MFA on your root account

  1. Multi-factor authentication(多重要素驗證)

又譯多因子認證、多因素驗證、多因素認證,是一種電腦存取控制的方法,用戶要通過兩種以上的認證機制之後,才能得到授權,使用電腦資源。例如,使用者要輸入 PIN 碼,插入銀行卡,最後再經指紋比對,通過這三種認證方式,才能獲得授權。這種認證方式可以提高安全性。

更生活化的例子就像是,現在的預約買口罩需要讀卡機來讀健保卡,又或者是以前玩電玩除了要先登入帳號之外,還要有 beanfun 的讀卡機來讀卡,也就是雙重認證的概念。

https://en.wikipedia.org/wiki/Multi-factor_authentication

點選 Manage MFA 來設定雙重認證,其中又分為以下三種:

  • Virtual MFA device(uthenticator app installed on your mobile device or computer)
  • U2F security key(YubiKey or any other compliant U2F device)
  • Other hardware MFA device(Gemalto token)

IMAGE

可以透過手機下載 Google authenticator APP 來進行 Virtual MFA device 驗證,當然也可依照個人喜好選擇其他雙重認證方式。

流程只需要掃描 QRcode 並輸入兩次手機 App 的 MFA-code 就可以完成。

IMAGE

  1. Create individual IAM users

IMAGE

設定完成 Multi-factor authentication 之後並點選 Manage UsersAdd Users

IMAGE

  1. Use groups to assign permissions

並且設定 Group name 及選擇 Policy name

IMAGE

之後都選擇下一步即可建立好 User & Group,完成後就會顯示 Success 的畫面:

  • 注意 Secret access keyshow 只能點擊一次,之後就無法看到
  • 建議直接下載 .csv 檔案來查看 PasswordAccess key IDSecret access key 等訊息
  • 後方的 Send Email 也可以直接寄信的使用者

IMAGE

還記得剛剛設定的 policie name 中的 AdministratorAccess 嗎?

從這個 Police AdministratorAccess 中可以看出,它事實上是一個 JSON 格式,但這又代表著什麼意思呢?可以看到巢狀裡面的 "Effect": "Allow" 代表著這個人是被允許進入的,且底下的 Action, Resource 的權限是 * 號,也就是代表著最大權限,如同 admin 的概念一樣。

1
2
3
4
5
6
7
8
9
10
  {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

IMAGE

  1. Apply an IAM password policy

IMAGE

總結

完成這些初步的設定可以大致了解到 AWS IAM 的用途,稍微做一下這篇的總結,並歸納一下這篇學到的觀念:

  • IAM is universal(通用). It does not apply to regions at this time.
  • The root account is simply the account created when first setup your AWS account. It has complete Admin access.
  • New Users have NO Permissions when first created.( e.g. 2. Create individual IAM users
  • New Users are assigned Access Key ID & Secret Access Key when first created.
  • Access Key ID & Secret Access Key are not the same as a password. You can use this to access AWS via the API and Command Line
  • You only get to view Access Key ID & Secret Access Key once. If you lost, you have to generate them.
  • Always setup Multifactor Authentication on your root account.
  • You can create and customize your own password rotation policies.( e.g. 4. Apply an IAM password policy