21 Days of AWS using Terraform — Day 10- Introduction to IAM using Terraform
What is IAM?
Identity and Access Management (IAM) is used to manage AWS
- Users
- Groups
- Roles
- API keys
- IAM access policies
and it provides access permissions to AWS resources (such as EC2, S3, ...).
If we look at the top right of the console, it says Global, i.e. users, groups and roles we create apply to all regions.
To create a new user, just click on Users in the left navbar.
By default, any new IAM user is created with no access to any AWS services (an implicit, non-explicit deny).
Always follow best practice: for daily work, use an account with least privilege (i.e. a non-root user).
IAM Policies: A policy is a document that formally states one or more permissions. For example, IAM provides some pre-built policy templates to assign to users and groups:
- Administrator access: Full access to AWS resources
- Power user access: Admin access, except it doesn't allow user/group management
- Read only access: As the name suggests, the user can only view AWS resources
Deny is the default, and an explicit deny overrides any explicit allow policy.
Let's take a look at these policies.
AdministratorAccess
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
We can create our own custom policy using the policy generator or write one from scratch.
Here is a custom policy that denies everything for EC2 resources:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1491718191000",
      "Effect": "Deny",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
```
- More than one policy can be attached to a user or group at the same time
- A policy cannot be directly attached to AWS resources (e.g. an EC2 instance)
- There is a really nice tool, https://policysim.aws.amazon.com, which we can use to test and troubleshoot IAM and resource-based policies
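As an added example (not code from the original post), here is the same setup expressed in Terraform: the EC2 deny policy shown above, the AWS-managed ReadOnlyAccess policy, a group carrying both, and a test user in that group. The resource names deny-all-ec2, readonly-users and test-user are assumptions.

```hcl
provider "aws" {
  region = "us-west-2" # IAM is global; the region only matters for non-IAM resources
}

# Custom policy: the explicit Deny on all EC2 actions shown above, built with Terraform
data "aws_iam_policy_document" "deny_ec2" {
  statement {
    sid       = "Stmt1491718191000"
    effect    = "Deny"
    actions   = ["ec2:*"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "deny_ec2" {
  name   = "deny-all-ec2" # assumed name
  policy = data.aws_iam_policy_document.deny_ec2.json
}

resource "aws_iam_group" "readonly" {
  name = "readonly-users" # assumed name
}

# First policy on the group: AWS-managed read-only access
resource "aws_iam_group_policy_attachment" "readonly" {
  group      = aws_iam_group.readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Second policy on the same group: ReadOnlyAccess allows ec2:Describe*,
# but the explicit Deny above overrides that Allow, so members cannot describe EC2
resource "aws_iam_group_policy_attachment" "deny_ec2" {
  group      = aws_iam_group.readonly.name
  policy_arn = aws_iam_policy.deny_ec2.arn
}

# A new user has no access (implicit deny) until it joins the group
resource "aws_iam_user" "test" {
  name = "test-user" # assumed name
}

resource "aws_iam_user_group_membership" "test" {
  user   = aws_iam_user.test.name
  groups = [aws_iam_group.readonly.name]
}
```

After `terraform apply`, the policy simulator can confirm that test-user is allowed s3:ListAllMyBuckets but denied ec2:DescribeInstances.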
Below is the simulation I ran, where I created a test user who has only Amazon S3 read-only access.
Now let me run the simulation; as you can see, it's a nice way to test your policies.
To read the complete blog
Looking forward to you all joining this journey.
- Website: http://100daysofdevops.com/
- Twitter: @100daysofdevops OR @lakhera2015
- Facebook: https://www.facebook.com/groups/795382630808645/
- Medium: https://medium.com/@devopslearning
- GitHub: https://github.com/100daysofdevops/100daysofdevops
- Slack: https://join.slack.com/t/100daysofdevops/shared_invite/enQtNzg1MjUzMzQzMzgxLWM4Yjk0ZWJiMjY4ZWE3ODBjZjgyYTllZmUxNzFkNTgxZjQ4NDlmZjkzODAwNDczOTYwOTM2MzlhZDNkM2FkMDA
- YouTube Channel: https://www.youtube.com/user/laprashant/videos?view_as=subscriber
In addition to that, I am going to host 5 meetups whose aim is to build the below architecture.
- Meetup: https://www.meetup.com/100daysofdevops
- Day 1 (Nov 10): Introduction to Terraform https://www.meetup.com/100daysofdevops/events/266192294/
- Day 2 (Nov 16): Building VPC using Terraform
- Day 3 (Nov 17): Creating EC2 Instance inside this VPC using Terraform
- Day 4 (Nov 23): Adding Application Load Balancer and Auto-Scaling to the EC2 instance created on Day 3
- Day 5 (Nov 24): Add Backend MySQL Database and CloudWatch Alarm using Terraform