loader image

TYPE OF TOOLS

CATEGORIES

AWS IAM x Mindflow

AWS IAM

By mindflow

AWS IAM and Mindflow have partnered to enable users to automate their incident management and better protect their information systems.

AWS IAM Overview

AWS Identity and Access Management (AWS IAM) is a service that helps you to control access to your AWS resources. Control who is authenticated and authorized to use resources.

First-time access leads you to create an AWS account root user identity with an email address and password. You’ll use it to sign in to AWS. You can sign in to the AWS Management Console using this root user identity. When you use your root user credentials, you have complete and unrestricted access to all resources in your AWS account. 

The “identity” aspect of AWS IAM helps you with the question “Who is that user?” (authentication). Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. 

IAM users are not separate accounts; they are users within your account. Each user can have their own password for access to the AWS Management Console.

The access management (authorization) portion of AWS Identity and Access Management (IAM) helps you define what a principal entity is allowed to do in an account. A principal entity is a person or application that is authenticated using an IAM entity (user or role). 

You manage access in AWS by creating policies (to define permissions) and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. AWS evaluates these policies when a principal uses an IAM entity (user or role) to make a request. Permissions in the policies determine whether the request is allowed or denied.

Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. You can attach tags to IAM resources, including IAM entities (users or roles) and to AWS resources. You can create a single ABAC policy or a small set of policies for your IAM principals. 

These ABAC policies can be designed to allow operations when the principal’s tag matches the resource tag. ABAC is helpful in environments that are growing rapidly and helps with situations where policy management becomes cumbersome.

aws iam

Benefits

  • Use roles to delegate permissions to receive a temporary credentials role session
  • Grant least privilege: Determine what users (and roles) need to do and then craft policies to allow them to perform only those tasks
  • Use permissions with AWS IAM managed policies to cover common use cases 
  • Use access levels to review AWS IAM permissions: Make sure that your policies grant the least privilege that is needed to perform only the necessary actions
  • Configure a custom password policy that requires your users to create a custom password policy and optionally enforce them to rotate their passwords periodically. 
  • Enable MFA
  • Configure the program to retrieve temporary security credentials using an IAM role and not share access keys.
  • Find unused passwords or access keys using the console, using the CLI or API, or by downloading the credentials report
  • Write conditions to specify a range of allowable IP addresses that a request must come from
  • Use logging features in AWS to determine the actions users have taken in your account and the resources that were used

 

Related integrations