Managing permissions to your Cloud | Intro to Identity and Access Management | IAM
Many companies run their applications and store their data in the Cloud, and their employees and customers interact with those Cloud resources every day. Setting up and enforcing rules about who can do what is therefore critical. That boils down to two questions.
The question
- Who — deals with identifying the person and proving that they are who they claim to be. The username/password combination is one of the most popular ways to do this: the username identifies the person, and the password proves it. Smartphones have taken it up a notch by using fingerprints and face scans. To call a REST endpoint, a program can present an Access Key or API Key instead. All of these different solutions are part of an Authentication framework or Identity Management.
- What — deals with ensuring that an already-identified person-A can see and act on only the Cloud resources they are allowed to. For example, a developer may not need access to billing information, and a salesperson does not need to create a Virtual Machine. Statements like these can be mapped to a rule or permission file, which can be parsed and enforced by the Cloud provider on every request. Management and enforcement of permissions are part of an Authorization framework or Access Management.
Combine both of the concepts together, and you get Authentication and Authorization or Identity and Access Management (IAM). Here is a list of some of the popular IAM tools (from Gartner’s market review)
- Okta SSO — Auth0
- Microsoft Azure Active Directory
- PingOne Cloud Platform
- Cisco Duo Access
Important Terminologies
Assume that person-X is trying to create, delete, or access a Virtual Machine. The Cloud Provider would check the permissions using its IAM component to answer the question, “May person-X create/delete/access this Virtual Machine?”. In this example,
- Person-X is known as a Principal
- Virtual Machine is a resource in the Cloud
- Create/delete/access is an action or operation
In IAM, what a principal may do with a resource is expressed as permissions. Examples of permissions:
- Create/delete/access a VM with specific configuration
- Allow read-only access to database-A
- Deny access to the super-secret database
These permissions are grouped into a policy, which can then be attached to a user.
What if person-X needs ten people to work on a project? Instead of attaching the policy to each user individually, one can
- create a user-group for person-X’s team
- attach policy to the user-group
- add users to the user-group
Side-note
It is essential to take time while defining permissions. One should follow the principle of least privilege, which states that a user should be given only the permissions needed to do their job and nothing more. Start small and add more permissions later if a real need comes up; it is much easier to grant a missing permission than to find out what an over-privileged account was used for.
Identity and Access Management in AWS
In the case of AWS, IAM is a dedicated service. One can define permissions and policies using IAM.
IAM can also assist with
- Onboarding a user
- Adding a user to a group
- Attaching policies to the group, the user, or both
Consider the following scenario: user-X is part of group-A and group-B.
- Group-A has a policy that allows the create a VM action and the access a database action
- Group-B has a policy that denies the create a VM action
What would you do if user-X wants to create a VM, access a database, and create a subnet?
One policy allows VM creation, but the other denies it, so when user-X tries to create a VM, the action should be denied. User-X should be able to access a database, because a policy allows it and none denies it. As none of the policies linked to user-X says anything about the create a subnet action, it should be denied as well. IAM follows the same logic:
- deny the action if any policy linked to the user has a deny permission for it (an explicit deny); an explicit deny can never be overridden by an allow
- otherwise, allow the action only if some policy linked to the user explicitly has an allow permission for it
- otherwise, deny the action (an implicit deny)
Note that the order in which the groups or policies are attached does not matter; the outcome is the same. This is the rule for the identity-based policies attached to a user and their groups. A full AWS evaluation also takes other policy types into account (for example resource-based policies, permissions boundaries, and organization service control policies), but the explicit deny always wins there too.
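To make the permission/policy/user-group model from the Important Terminologies section and the deny-overrides-allow logic above concrete, here is an added example that is not part of the original post and not AWS's own evaluator. It encodes the Group-A and Group-B policies as IAM-style JSON documents (the action names are real AWS action strings, but the two documents are constructed for this example), attaches both to user-X, and evaluates the three requests from the scenario with a small evaluator that implements explicit deny, then explicit allow, then implicit deny. It also handles the `*` wildcards that real IAM statements use in `Action` and `Resource`, which the text does not cover.

```python
# Added example for the policy-evaluation logic described above.
# Constructed policies; the evaluator is a simplification of AWS's
# identity-based policy evaluation, not AWS's own implementation.
import fnmatch
import json

# Group-A: allow creating a VM and reading a database (constructed policy).
GROUP_A_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:RunInstances", "rds:DescribeDBInstances"],
     "Resource": "*"}
  ]
}
""")

# Group-B: deny creating a VM (constructed policy).
GROUP_B_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "ec2:RunInstances", "Resource": "*"}
  ]
}
""")

# user-X is a member of both groups, so both policies apply to every request.
USER_X_POLICIES = [GROUP_A_POLICY, GROUP_B_POLICY]


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case):
    # IAM supports '*' and '?' wildcards in actions and resources; action
    # names are case-insensitive, resource ARNs are not. fnmatch provides
    # the same two wildcards.
    if fold_case:
        value = value.lower()
    return any(
        fnmatch.fnmatchcase(value, p.lower() if fold_case else p)
        for p in _as_list(patterns)
    )


def evaluate(policies, action, resource="*"):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Precedence: an explicit Deny in any attached policy wins; otherwise an
    explicit Allow in any attached policy wins; otherwise the request is
    implicitly denied. Policy and statement order do not matter.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # nothing can override this
            decision = "Allow"        # keep looking: a later Deny still wins
    return decision


def is_allowed(policies, action, resource="*"):
    return evaluate(policies, action, resource) == "Allow"


if __name__ == "__main__":
    # The three requests from the scenario: create a VM, access a database,
    # create a subnet.
    for action in ("ec2:RunInstances", "rds:DescribeDBInstances", "ec2:CreateSubnet"):
        print(f"{action:26} -> {evaluate(USER_X_POLICIES, action)}")
```

Running the block prints ExplicitDeny for the VM, Allow for the database, and ImplicitDeny for the subnet, matching the reasoning in the text. Swapping the order of the two policies in `USER_X_POLICIES` gives the same answers, which is the point: an explicit deny in any attached policy settles the question regardless of what the other policies say.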
In this post, we looked at several key concepts, such as
- Authentication, Authorization
- Identity & access management
- Principal — Resource — Action
- Permission — Policy
- User-group
- Principle of least privilege
- What to do when one policy denies an action, but another policy allows it?
References
Blogs
- Wike, R., Richards, O., Macy, M., Waweru, E., Coulter, D., & Adman, N. (2022, September 6). Authentication vs. authorization — Microsoft Entra. Retrieved September 20, 2022, from https://learn.microsoft.com/en-us/azure/active-directory/develop/authentication-vs-authorization
- Wikipedia contributors. “Principle of Least Privilege.” Wikipedia, 14 Sept. 2022, Principle_of_least_privilege
- What is IAM? — AWS Identity and Access Management. (n.d.). Retrieved September 16, 2022, from https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html
- Managing access keys for IAM users — AWS Identity and Access Management. (n.d.). Retrieved September 21, 2022, from https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
- Gartner, Inc. (n.d.). Access Management Reviews 2022 | Gartner Peer Insights. Retrieved September 21, 2022, from https://www.gartner.com/reviews/market/access-management
Videos
- Highly recommended — Amazon Web Services. (2013, November 26). Access Control for the Cloud: AWS Identity and Access Management (IAM) (SEC201) | AWS re:Invent 2013 [Video]. Retrieved September 20, 2022, from https://www.youtube.com/watch?v=4OpZmBp9S0k&feature=youtu.be
- Events, A. (2019, December 9). AWS re:Invent 2019: Access control confidence: Right access to the right things (SEC316-R1) [Video]. Retrieved September 19, 2022, from https://www.youtube.com/watch?v=XO4CALyzbVM&feature=youtu.be
- AWS re:Invent 2019: [REPEAT 1] Getting started with AWS identity (SEC209-R1). (2019, December 10). [Video]. Retrieved September 19, 2022, from https://www.youtube.com/watch?v=Zvz-qYYhvMk&feature=youtu.be
- Amazon Web Services. (2014, November 14). AWS re:Invent 2014 | (SEC305) IAM Best Practices [Video]. Retrieved September 17, 2022, from https://www.youtube.com/watch?v=ZhvXW-ILyPs&feature=youtu.be
- Amazon Web Services. (2015, October 12). AWS re:Invent 2015: How to Become an IAM Policy Ninja in 60 Minutes or Less (SEC305). Retrieved September 17, 2022, from https://www.youtube.com/watch?v=Du478i9O_mc
- Amazon Web Services. (2018, November 28). AWS re:Invent 2018: [REPEAT 1] Become an IAM Policy Master in 60 Minutes or Less (SEC316-R1) [Video]. Retrieved September 17, 2022, from https://www.youtube.com/watch?v=YQsK4MtsELU&feature=youtu.be
Image
- File:Airport security check.svg — Wikimedia Commons. (2019, January 11). Retrieved September 18, 2022, from https://commons.wikimedia.org/wiki/File:Airport_security_check.svg#/media/File:Airport_security_check.svg