[AWS] Can't read IAM policies? Master bulletproof user management with 'ID cards' and 'hats' analogies
*This page contains promotions.
Introduction: The Culprit of Cloud Bankruptcy is "Leakage"
"My AWS account was hacked, and I got a bill for millions of yen..."
Have you ever heard horror stories like this?
90% of the causes are due to lax user management (IAM).
In this article, I will explain AWS's guardian deity "IAM" and "AD Integration" for corporate use, using an office entry system as a metaphor.
1. Authentication and Authorization (Face ID and Keys)
Let's distinguish between these two terms, which seem similar but are completely different.
- Authentication:
  - Meaning: Verifying "Who are you?"
  - Example: Passing through a gate by showing your "Employee ID card" at the office reception. This includes ID/passwords and MFA (Multi-Factor Authentication).
- Authorization:
  - Meaning: Granting permission for "What are you allowed to do?"
  - Example: The "permission data" embedded in the ID card. It's a rule like "General employees can enter the cafeteria, but not the CEO's office."
2. IAM Characters (Employees, Departments, and Hats)
Management within AWS is performed using these three entities.
- IAM User:
  - Metaphor: "An individual's employee ID card."
  - You create an ID for each person, like Mr. Tanaka or Ms. Suzuki.
- IAM Group:
  - Metaphor: "Department."
  - If you attach permissions to a group called "Development," you just need to add Mr. Tanaka to the group when he transfers. This makes management easier.
- IAM Role (Most Important):
  - Metaphor: "Sash" or "Hat" (a temporary role).
  - How it works: Used when a machine (like EC2) or someone from outside "wants to temporarily become an administrator."
  - It's highly secure because it works with time-limited temporary credentials (a "passcode") instead of a permanent password.
3. For Enterprise: "IAM Identity Center" and "AD"
This is where "AD" comes in.
In a company with 1,000 employees, creating 1,000 IAM users on the AWS side is a lot of work, right? There's also the fear of forgetting to delete them when someone leaves.
- IAM Identity Center (formerly SSO):
  - Role: A "common entrance" to AWS.
- Active Directory (AD) Integration:
  - How it works: You can enter AWS using the same ID (AD account) you use to log in to your work PC.
  - Benefits: If the company processes a resignation, access to AWS is automatically revoked. This is a feature that IT admins absolutely love.
4. Don't Be Afraid of JSON (IAM Policies)
A "policy" is the document where the rules for "authorization" are written.
It might look difficult, but there are only three components to its structure:
- Effect: `Allow` or `Deny`
- Action: What? (e.g., `s3:ListBucket` = viewing the contents of an S3 bucket)
- Resource: To which target? (e.g., only `example-bucket`)
It simply describes "Who (Principal) can do what (Action), and whether it is allowed (Effect)."
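To make the three components concrete, here is an added example (not from the original article): two constructed policy documents, a least-privilege one for `example-bucket` next to the "FullAccess" anti-pattern from the checklist, plus a deliberately simplified evaluator that models only Effect/Action/Resource matching with AWS's default-deny and explicit-Deny-wins rules. It ignores Condition, Principal, SCPs and resource policies, so it is a teaching model, not the real AWS engine.

```python
import fnmatch

# Constructed example policies (assumed for this illustration).
# Least privilege: list the bucket and read its objects, nothing else.
LEAST_PRIVILEGE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        # An explicit Deny always wins, even over a broader Allow above.
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

# The "FullAccess" anti-pattern: every action on every resource.
FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: default deny, an explicit
    Deny overrides any Allow, '*' wildcards match as in IAM.
    Models only Effect/Action/Resource (no Condition, Principal, SCPs)."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False  # explicit Deny ends the evaluation
        allowed = True
    return allowed  # nothing matched -> implicit deny


if __name__ == "__main__":
    for action, resource in [("s3:ListBucket", "arn:aws:s3:::example-bucket"),
                             ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                             ("s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"),
                             ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
                             ("iam:CreateUser", "*")]:
        print(f"{action:16} least={is_allowed(LEAST_PRIVILEGE, action, resource)!s:5} "
              f"full={is_allowed(FULL_ACCESS, action, resource)}")
```

Running it shows why the checklist item matters: the FullAccess policy answers `True` to `iam:CreateUser`, while the narrow policy only grants what `example-bucket` work actually needs.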
Summary
- For personal use: IAM User (MFA is a must!)
- For machines or temporary use: IAM Role
- For enterprise use: AD Integration (Identity Center)
The ultimate security measure is to seal away the "Root User (the almighty god)" and stop using it. Let's start from here!
# Finally, a Security Checklist You Can Use Starting Tomorrow
I have prepared a list to put the contents of this article into practice. Is your environment safe?
- Are you using the root user (email address login)?
  - Use IAM users/roles for daily tasks.
- Have you set up MFA (Multi-Factor Authentication) for the root user?
  - Not doing this is like leaving your house door unlocked when you go out.
- Have you assigned "AdministratorAccess" to everyone?
  - Grant only the necessary permissions (Principle of Least Privilege).
- Have you deleted IAM users for former employees?
  - With AD integration, this effort becomes zero!
Afterword
Those who master IAM, master AWS. Are you thinking, "It works because I somehow gave it FullAccess, so it's fine"? In reality, that is the same as leaving your house door wide open. The shortest path to learning IAM best practices was reading the textbook for "AWS Certified Security - Specialty." Even if you don't take the SCS exam, reading just the first half will make your design skills skyrocket.