AWS-IAM - Notes By ShariqSP

AWS Identity and Access Management (IAM) Overview

What is AWS Identity and Access Management (IAM)?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. IAM enables you to manage users, groups, roles, and permissions to securely access your AWS services and resources.

Why do we need AWS IAM?

AWS IAM provides several benefits, including:

Real-Time Use Cases of AWS IAM

Some common use cases of AWS IAM include:

AWS IAM Features

IAM Policies

IAM policies are JSON documents that define permissions. Policies can be attached to users, groups, or roles.

IAM Policies Keywords and Descriptions

IAM (Identity and Access Management) policies in AWS use specific keywords to define permissions. Below is a comprehensive list of keywords, their descriptions, and examples:

1. Version

Description: Specifies the policy language version. The most commonly used version is "2012-10-17". 


      {
        "Version": "2012-10-17"
      }

2. Statement

Description: Contains one or more permission statements. Each statement defines specific rules. 


      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket"
          }
        ]
      }

3. Sid (Statement ID)

Description: A unique identifier for the statement. Useful for identifying statements in a large policy. 


      {
        "Sid": "ListBucketAccess"
      }

4. Effect

Description: Specifies whether the statement allows or denies the action. Values: "Allow" or "Deny". 


      {
        "Effect": "Deny"
      }

5. Principal

Description: Specifies the entity (user, role, or account) to which the policy applies. Used in resource-based policies. 


      {
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:root"
        }
      }

6. NotPrincipal

Description: Specifies the entities to which the policy does not apply. 


      {
        "NotPrincipal": {
          "AWS": "arn:aws:iam::987654321098:user/ExampleUser"
        }
      }

7. Action

Description: Lists the actions (operations) that the policy allows or denies. Format: "service:action". 


      {
        "Action": ["ec2:StartInstances", "ec2:StopInstances"]
      }

8. NotAction

Description: Specifies actions that are excluded from the effect of the policy. Often used to deny a broad set of actions except specific ones. 


      {
        "NotAction": "s3:DeleteBucket"
      }

9. Resource

Description: Specifies the resource(s) to which the policy applies using ARNs (Amazon Resource Names). 


      {
        "Resource": "arn:aws:ec2:region:account-id:volume/volume-id"
      }

10. NotResource

Description: Specifies the resources to which the policy does not apply. 


      {
        "NotResource": "arn:aws:s3:::example-bucket"
      }

11. Condition

Description: Defines conditions for when the policy statement applies. Supports operators like "StringEquals", "IpAddress", etc. 


      {
        "Condition": {
          "IpAddress": {
            "aws:SourceIp": "192.0.2.0/24"
          }
        }
      }

12. Policy

Description: Refers to the entire policy document, including all statements and rules. 


      {
        "Policy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "s3:ListBucket",
              "Resource": "arn:aws:s3:::example-bucket"
            }
          ]
        }
      }

13. AWS

Description: Refers to the AWS account or service used in a Principal or NotPrincipal element. 


      {
        "Principal": {
          "AWS": "arn:aws:iam::123456789012:role/ExampleRole"
        }
      }

14. Service

Description: Specifies an AWS service as the principal in resource-based policies. 


      {
        "Principal": {
          "Service": "ec2.amazonaws.com"
        }
      }

Complete Example Policy

This policy allows an EC2 instance to access a specific S3 bucket:


      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "S3AccessForEC2",
            "Effect": "Allow",
            "Principal": {
              "Service": "ec2.amazonaws.com"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket",
            "Condition": {
              "StringEquals": {
                "aws:SourceVpc": "vpc-123abc"
              }
            }
          }
        ]
      }

Creating IAM Policies

Here are examples of IAM policies for different levels of access:

EC2 Read-Only Access

This policy provides read-only access to Amazon EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:Describe*",
                "ec2:Get*"
            ],
            "Resource": "*"
        }
    ]
}

EC2 Full Access

This policy provides full access to Amazon EC2 instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*"
        }
    ]
}

S3 Read-Only Access

This policy provides read-only access to Amazon S3 buckets and objects.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*"
            ],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

S3 Full Access

This policy provides full access to Amazon S3 buckets and objects.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        }
    ]
}

IAM Roles

IAM roles are sets of permissions that you grant to a trusted entity. Roles are not associated with a specific user or group, but rather with a resource or service.

IAM Users

IAM users are individuals within your organization who are granted access to your AWS account. Each user has a unique set of security credentials for accessing AWS services.

Attaching Policies

To attach a policy to an IAM user, group, or role:

  1. Navigate to the IAM dashboard in the AWS Management Console.
  2. Select the user, group, or role to which you want to attach the policy.
  3. Under the "Permissions" tab, click on "Attach policies".
  4. Search for the policy you want to attach, select it, and then click "Attach policy".

Logging in as an IAM User

To log in as an IAM user:

  1. Access the AWS Management Console sign-in page.
  2. Enter the IAM user's credentials (username and password).
  3. Click on "Sign in".

Creating User Groups

To create an IAM group:

  1. Navigate to the IAM dashboard in the AWS Management Console.
  2. Click on "Groups" in the left navigation pane.
  3. Click on "Create group".
  4. Enter a name for the group and click "Next step".
  5. Attach policies to the group as needed and click "Create group".

Adding Users to Groups

To add a user to an IAM group:

  1. Navigate to the IAM dashboard in the AWS Management Console.
  2. Click on "Groups" in the left navigation pane.
  3. Select the group to which you want to add users.
  4. Click on the "Add users to group" button.
  5. Select the users you want to add and click "Add users".

IAM Policy Examples

Here are few other examples of IAM policies in JSON format:

  1. Example 1: Full Access to S3
    2. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": "*"
            }
        ]
    }
  2. Example 2: Read-only Access to EC2 Instances
    3. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:Describe*",
                    "ec2:Get*"
                ],
                "Resource": "*"
            }
        ]
    }
  3. Example 3: Limited Access to DynamoDB Tables
    4. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "dynamodb:GetItem",
                    "dynamodb:PutItem",
                    "dynamodb:DeleteItem"
                ],
                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
            }
        ]
    }
  4. Example 4: Access to CloudWatch Logs
    5. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "logs:GetLogEvents",
                    "logs:DescribeLogStreams",
                    "logs:CreateLogStream"
                ],
                "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/MyLogGroup:*"
            }
        ]
    }
  5. Example 5: Limited Access to S3 Bucket
    6. {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject",
                    "s3:PutObject"
                ],
                "Resource": "arn:aws:s3:::my-bucket/*"
            }
        ]
    }

Understanding IAM Roles

Identity and Access Management (IAM) roles are a way to delegate temporary permissions to entities for specific tasks. Unlike users, roles are not associated with any individual or permanent credentials but are meant to be assumed by trusted entities to perform certain operations securely.

Difference Between IAM Role and User

User: IAM users represent a person or application with permanent credentials, such as an access key or password. They are designed for regular, long-term access to AWS resources.

Role: IAM roles provide temporary credentials for entities (users, applications, or services) to access AWS resources. Roles are not directly associated with an individual and are assumed when required.

Feature IAM Role IAM User
Association Not associated with a specific person or application Associated with a specific entity
Credential Type Temporary (via STS tokens) Permanent (password, access keys)
Use Case Short-term or on-demand access Continuous, long-term access
Security Model More secure; credentials are short-lived Less secure; credentials are long-lived

When to Use a Role vs. a User

  • Use a User: When a specific person or application needs continuous, long-term access to AWS services. Example: An administrator or a developer working on AWS daily.
  • Use a Role: When you want to grant temporary access to AWS resources. Example: An EC2 instance accessing an S3 bucket or a third-party application accessing your AWS account temporarily.

Real-Time Example of IAM Role

Consider a web application hosted on AWS EC2 that needs to upload files to an S3 bucket. Instead of embedding permanent access keys in the application code, an IAM role can be attached to the EC2 instance. This role has the necessary permissions to interact with the S3 bucket. The EC2 instance can then assume the role and perform the required actions securely without permanent credentials.

Detailed Explanation of IAM Roles

  • Definition: A role in AWS Identity and Access Management (IAM) is a set of permissions that allow an entity (like an AWS service, another account, or an application) to perform actions on AWS resources.
  • Temporary Credentials: IAM roles issue temporary security tokens instead of permanent credentials.
  • No Long-Term Association: Roles are not linked to specific users or services; they are assumed when required.
  • Trust Policy: Roles use trust policies to define which entities can assume them, ensuring secure delegation of permissions.

Role vs. User: Best Use Cases

  • Roles: Ideal for AWS services interaction (e.g., EC2 accessing S3), cross-account access, third-party integrations, and scenarios with high personnel turnover where permissions should not be tied to individuals.
  • Users: Best for human users or applications requiring consistent, long-term access. Example: Developers or admins needing AWS console or API access.

How to Allow an EC2 Instance to Interact with S3 (Using GUI)

1. Create an IAM Role for S3 Access

  1. Log in to the AWS Management Console and navigate to the IAM service.
  2. Click on Roles in the left-hand menu and then Create role.
  3. In the Select trusted entity step:
    • Choose AWS service.
    • Select EC2 as the use case and click Next.
  4. In the Attach permissions policies step:
    • Choose an appropriate policy:
      • For full access to S3: Select AmazonS3FullAccess.
      • For limited access: Click Create policy and use the following JSON for specific bucket access: 
                {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": [
                "s3:GetObject",
                "s3:PutObject"
              ],
              "Resource": "arn:aws:s3:::example-bucket/*"
            }
          ]
        }
  5. Save the custom policy (if created) and attach it. Name the role (e.g., EC2-S3-Access-Role) and complete the creation process.

2. Attach the Role to an EC2 Instance

  1. Go to the EC2 Dashboard in the AWS Management Console.
  2. Select the EC2 instance that needs access to S3.
  3. Click ActionsSecurityModify IAM role.
  4. In the dropdown, select the IAM role created earlier (e.g., EC2-S3-Access-Role) and click Update IAM role.

3. Verify the Role's Permissions

  1. Inside the EC2 instance:
    • Open a web browser (if GUI is enabled) or check application logs to ensure it can access S3 resources.
    • Alternatively, use an application or script configured to interact with S3 using the role's permissions.
  2. Ensure your S3 bucket has proper bucket policies if required:
    • Navigate to the S3 bucket in the S3 Console.
    • Click on the Permissions tab.
    • Confirm that the bucket policies and/or ACLs are not restricting access from the EC2 instance.

4. Example: Uploading/Downloading Files

Using an application or an AWS SDK integrated GUI, the EC2 instance can:

  • Upload Files: Store data in the assigned S3 bucket.
  • Retrieve Files: Fetch data for processing.

Benefits of Using the Console (GUI)

  • Easy-to-use interface with no need for CLI commands.
  • Clear visibility into permissions and policies.
  • Streamlined management for non-technical users.

With this setup, your EC2 instance will securely interact with S3 using the IAM role, without requiring any hardcoded credentials.

You have now successfully installed AWS CLI v2 manually on your Linux system.

Copying a File to S3 from an EC2 Instance Using AWS CLI

Amazon Web Services (AWS) allows you to copy files from an EC2 instance to an S3 bucket using the AWS Command Line Interface (CLI). This process is efficient for transferring data to cloud storage for backup, sharing, or further processing. Below is a detailed guide to achieve this.

Prerequisites

Download and Install AWS CLI on Ubuntu

Step 1: Download the AWS CLI Zip File

Open the terminal on your Ubuntu system and use the following command to download the AWS CLI installation package: 

                
                  curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"

Step 2: Extract the ZIP File

Extract the downloaded ZIP file:

                
                  unzip awscliv2.zip

If unzip is not installed, install it first:

                
                  sudo apt update
                  sudo apt install unzip -y

Step 3: Install the AWS CLI

Run the installation script:

                
                  sudo ./aws/install

Step 4: Verify the Installation

Confirm that the AWS CLI is installed:

                
                  aws --version

You should see output like aws-cli/2.x.x Python/3.x.x Linux/x86_64.

Step 5: Configure the AWS CLI

Run the following command to configure the AWS CLI:

                
                  aws configure

Provide the required information:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region (e.g., us-east-1)
  • Default output format (e.g., json, text, or table)

Optional: Clean Up

After installation, remove the downloaded files to save space:

                
                  rm -rf awscliv2.zip aws
  • AWS Credentials Configured: Configure AWS credentials with access to the S3 bucket using: 
    aws configure
    Enter your access key, secret key, default region, and output format.
  • S3 Bucket: The target S3 bucket must exist, and the EC2 instance's IAM role (or AWS credentials) must have the required permissions to access it.
  • File to Transfer: Ensure the file you want to copy exists on the EC2 instance.

Step-by-Step Instructions

1. Check File and Directory

Ensure the file you want to transfer exists. Use the ls command to list files in the directory.

ls /path/to/your/file

2. Execute the AWS CLI Command

Use the aws s3 cp command to copy the file to your S3 bucket. The syntax is:

aws s3 cp /path/to/your/file s3://your-bucket-name/your-key

Example:

aws s3 cp /home/ec2-user/myfile.txt s3://my-bucket/my-folder/myfile.txt

This command copies the file myfile.txt to the S3 bucket my-bucket under the folder my-folder.

3. Verify the Upload

After copying, confirm the file is in the S3 bucket by listing the contents of the bucket:

aws s3 ls s3://your-bucket-name/your-folder/

Example output:


          2024-11-25 15:00:00         1234 myfile.txt

4. Additional Options

  • Recursive Copy: Use the --recursive option to copy all files in a directory: 
    aws s3 cp /path/to/your/folder s3://your-bucket-name/ --recursive
  • Dry Run: Add the --dryrun flag to preview the operation without actually copying: 
    aws s3 cp /path/to/your/file s3://your-bucket-name/ --dryrun

Troubleshooting

  • Permission Denied: Ensure your IAM role or credentials have the necessary S3 permissions (e.g., s3:PutObject).
  • Invalid Bucket Name: Verify the S3 bucket name and region.
  • File Not Found: Double-check

AWS CLI: Download and Delete S3 Bucket and Objects

The AWS CLI provides powerful commands to interact with S3 buckets. Below are the steps to download objects and delete them from an S3 bucket:

1. Download Objects from an S3 Bucket

Use the following command to download all objects from an S3 bucket to a local directory:

aws s3 cp s3:/// / --recursive

Replace <bucket-name> with the name of your bucket and <local-directory> with the path where you want to save the files.

2. Delete an Object from an S3 Bucket

To delete a specific object from an S3 bucket, use the following command:

aws s3 rm s3:///

Replace <object-key> with the path of the object you want to delete within the bucket.

3. Delete All Objects from an S3 Bucket

If you want to delete all objects in a bucket, use:

aws s3 rm s3:/// --recursive

4. Delete an S3 Bucket

After removing all objects, you can delete the bucket itself:

aws s3 rb s3:// --force

The --force option ensures that the bucket is deleted after clearing its contents.

For more information AWS CLI S3 Documentation