
An Introduction to AWS IAM

Looking to set up permissions for your S3 bucket? Get your feet wet with this intro to AWS IAM, including how to build a per-user policy yourself.


AWS IAM (Identity and Access Management) is a web service that gives you secure control over who can access the AWS services and resources in your account. IAM policies specify which services and actions are allowed or denied. You attach policies to groups, users, and roles, which are then subject to the permissions you define. In other words, IAM policies define what your users can do with your AWS services.

Policies can be created and attached programmatically through the AWS API or interactively from the AWS Management Console. IAM gives you the following features:

  • Shared access to your AWS account.

  • Granular permissions.

  • Secure access to your AWS resources.

  • Identity information for auditing (who made which request).

  • Integrated with many AWS services.

  • Free to use.

Ways to Access IAM

  • AWS Management Console.

  • AWS CLI.

  • AWS SDKs.

  • IAM HTTPS API.

When to Create an IAM User

  • Even when you create an AWS account and are the only person who works in it: create an IAM user for yourself and use it for day-to-day work instead of the root account credentials.

  • Create an IAM user for each individual who needs access to your AWS resources. Assign appropriate permissions to each user and give each his or her own credentials.

  • When you want to use the AWS CLI to work with AWS. The CLI needs credentials to make calls to AWS, so create an IAM user and give that user permission for the actions the CLI will perform.

Use Case

Allow each IAM user access only to his or her own folder in a bucket

[Diagram: one S3 bucket containing one folder per IAM user; each user's arrow reaches only his or her own folder.]

In the above diagram, each user has access to his/her object in the bucket.

Instead of attaching a policy to each user, the policy can be attached to a group, and users are then added to that group. The following policy allows a set of Amazon S3 permissions on objects under the examplebucket/${aws:username}/ prefix (a "folder" in the S3 console). When a request is evaluated, the ${aws:username} policy variable is replaced by the friendly name of the IAM user making the request, so one group policy gives every member access to only his or her own prefix. Note that this variable is only present for requests signed with an IAM user's credentials; requests made through an assumed role do not carry it.

For example:

If Vikas sends a request to put an object, the operation is allowed only if Vikas is uploading under the examplebucket/Vikas/ prefix. An upload under another user's prefix matches no Allow statement and is therefore denied by default.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:GetObjectVersion"
        ],
        "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }]
}

Note: Always include the Version element. If it is omitted, IAM uses the older 2008-10-17 version of the policy language, which does not support policy variables such as ${aws:username}; the variable is then treated as a literal string and the policy does not do what you intended.

Version

Version specifies the version of the policy language, and it must appear before the Statement element. In this case, our version is "2012-10-17", the current version and the one that understands policy variables.

Statement

The Statement element is the main element of the policy. This element is required. The Statement element contains an array of individual statements. Each individual statement is a JSON block enclosed in braces { }.

Effect

The Effect element is required and specifies whether the statement results in an allow or an explicit deny; the valid values are Allow and Deny. An explicit Deny always overrides an Allow, and any request not allowed by some statement is denied by default.

Action

The Action element describes the specific action or actions that will be allowed or denied. Each AWS service has its own set of actions that describe tasks that you can perform with that service.

Resource

The Resource element specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN.
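To make the evaluation of the per-user policy above concrete, here is an added example (written for this page; it is not AWS code and not part of the original article) that simulates, in plain Python, how IAM processes the policy elements just described: the Version gate on policy variables, substitution of ${aws:username}, Action and Resource wildcard matching, explicit Deny over Allow, and the implicit default deny. The policy it evaluates is the article's policy plus a second, assumed statement that lets a user list only his or her own prefix with an s3:ListBucket condition; the bucket name examplebucket and the user name Vikas are the article's, everything else is constructed. Only the subset of the policy language used here is implemented.

```python
"""Minimal simulator of IAM policy evaluation for the per-user S3 policy.

Added example, not AWS code. Implements only: Version, Effect, Action,
Resource, the ${aws:username} variable and a StringLike condition.
"""
import fnmatch
import json
import re

# Constructed policy: the article's per-user statement plus an assumed
# second statement that allows listing only the caller's own prefix.
GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::examplebucket",
      "Condition": {"StringLike": {"s3:prefix": "${aws:username}/*"}}
    }
  ]
}
""")

_VAR = re.compile(r"\$\{([a-zA-Z0-9:]+)\}")


def substitute(template, ctx, version):
    """Policy variables are only interpreted under Version 2012-10-17.
    Under the default 2008-10-17 the text "${aws:username}" stays literal."""
    if version != "2012-10-17":
        return template
    return _VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), template)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def condition_ok(cond, ctx, version):
    """Only StringLike is implemented (the operator used in this example).
    A key missing from the request context makes the condition false."""
    for operator, pairs in (cond or {}).items():
        if operator != "StringLike":
            raise NotImplementedError(operator)
        for key, patterns in pairs.items():
            if key not in ctx:
                return False
            pats = [substitute(p, ctx, version) for p in _as_list(patterns)]
            if not any(_match(p, ctx[key]) for p in pats):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny': explicit Deny wins, then Allow, else implicit Deny."""
    version = policy.get("Version", "2008-10-17")
    verdict = "Deny"
    for st in policy["Statement"]:
        resources = [substitute(r, ctx, version) for r in _as_list(st["Resource"])]
        if not any(_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in resources):
            continue
        if not condition_ok(st.get("Condition"), ctx, version):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        verdict = "Allow"
    return verdict


def without_version(policy):
    """Copy of a policy with Version dropped, as if the author forgot it."""
    copy = dict(policy)
    copy.pop("Version", None)
    return copy


def s3_request(user, action, key=None, prefix=None):
    """Build the request context IAM would see for an IAM user in the group
    and evaluate GROUP_POLICY against it (hypothetical helper)."""
    ctx = {"aws:username": user}
    if prefix is not None:
        ctx["s3:prefix"] = prefix
    arn = "arn:aws:s3:::examplebucket" + (f"/{key}" if key else "")
    return evaluate(GROUP_POLICY, action, arn, ctx)


if __name__ == "__main__":
    print(s3_request("Vikas", "s3:PutObject", key="Vikas/report.pdf"))    # Allow
    print(s3_request("Vikas", "s3:PutObject", key="Bob/report.pdf"))      # Deny
    print(s3_request("Vikas", "s3:ListBucket", prefix="Vikas/"))          # Allow
    print(s3_request("Vikas", "s3:ListBucket", prefix="Bob/"))            # Deny
    print(s3_request("Vikas", "s3:DeleteObject", key="Vikas/report.pdf")) # Deny
    legacy = without_version(GROUP_POLICY)
    print(evaluate(legacy, "s3:PutObject",
                   "arn:aws:s3:::examplebucket/Vikas/report.pdf",
                   {"aws:username": "Vikas"}))                            # Deny
```

Two things worth noticing when you run it: s3:DeleteObject is denied even for the user's own prefix because no statement grants it (default deny), and with the Version element removed the upload to Vikas/ is denied because "${aws:username}" is no longer substituted and is matched as literal text.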

That's all for now.

If you have any questions or suggestions, submit a comment below. Stay tuned for the next blog on cloud.
