AWS: IAM (Identity and Access Management)

IAM is the basic security feature of AWS and is integrated with almost every AWS service. IAM consists of:

  • Users
  • Groups
  • Roles

A root account (the account you created on AWS) can have multiple Users, Groups and Roles, each with different permissions. In Vanguard, we don't have to worry about creating Users or Groups: they have already been created and carry some global permissions.

Now, for our application-specific use case we have to create IAM Roles and their policies.

IAM Roles have three kinds of policies (each corresponds to one property of the CloudFormation template below):

  • Trust Policy (who is allowed to assume the role; AssumeRolePolicyDocument)
  • Managed Policy (AWS-managed or customer-managed policies attached by ARN; ManagedPolicyArns)
  • Custom Policy (inline policies defined on the role itself; Policies)


Note:

1) IAM Users, Groups and Roles are global to the root account and shared across all regions. This means that if you create a Role in the us-east-1 region, you will be able to see that Role in the us-east-2 region as well.

2) We always follow the Principle of Least Privilege when creating policies: grant only the actions and resources the application actually needs.

AWS IAM Role CloudFormation Template

CloudFormation Template:

  FeeScheduleListener:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Join [ '', [ !Ref feeScheduleListenerRole, !Ref ciBuild ] ]
      # Trust policy: only the Lambda service may assume this role
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      # Managed policies: two customer-managed, one AWS-managed
      ManagedPolicyArns:
        - !Join [ '', [ 'arn:aws:iam::', !Ref 'AWS::AccountId', ':policy/CloudWatchLogsCustomerManaged' ] ]
        - !Join [ '', [ 'arn:aws:iam::', !Ref 'AWS::AccountId', ':policy/KMSDecryptS3CustomerManaged' ] ]
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
      # Custom (inline) policy
      Policies:
        - PolicyName: FeeIngressPolicy
          PolicyDocument:
            Version: '2012-10-17'
            Id: FeeIngressInlinePolicy
            Statement:
              - Effect: Allow
                Resource: !Join [ ':', [ 'arn:aws:kms', !Ref 'AWS::Region', !Ref 'AWS::AccountId', 'key/*' ] ]
                Action: kms:Decrypt
      Path: "/"
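As an added example (not part of the original post and not Vanguard's code), here is a small Python checker that applies the least-privilege note above to the role template. It resolves Ref and Fn::Join with placeholder parameter values, then reports wildcard principals in the trust policy, wildcard actions or resources in inline policies, and any AWS-managed policy attached (those are broad by design and worth a review). The role is the page's template written in CloudFormation's JSON form; the parameter values, account id and region are constructed placeholders.

```python
"""Least-privilege checks for an AWS::IAM::Role resource in a CloudFormation template."""

# The FeeScheduleListener role from the page, in CloudFormation's JSON form
# (Fn::Join / Ref instead of the !Join / !Ref YAML tags).
ROLE = {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "RoleName": {"Fn::Join": ["", [{"Ref": "feeScheduleListenerRole"}, {"Ref": "ciBuild"}]]},
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "lambda.amazonaws.com"},
                           "Action": "sts:AssumeRole"}],
        },
        "ManagedPolicyArns": [
            {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":policy/CloudWatchLogsCustomerManaged"]]},
            {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":policy/KMSDecryptS3CustomerManaged"]]},
            "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole",
        ],
        "Policies": [{
            "PolicyName": "FeeIngressPolicy",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Id": "FeeIngressInlinePolicy",
                "Statement": [{"Effect": "Allow",
                               "Resource": {"Fn::Join": [":", ["arn:aws:kms", {"Ref": "AWS::Region"},
                                                               {"Ref": "AWS::AccountId"}, "key/*"]]},
                               "Action": "kms:Decrypt"}],
            },
        }],
        "Path": "/",
    },
}

# Constructed placeholder values for the template parameters and pseudo-parameters.
PARAMS = {"feeScheduleListenerRole": "fee-schedule-listener-", "ciBuild": "42",
          "AWS::AccountId": "123456789012", "AWS::Region": "us-east-1"}


def resolve(node, params):
    """Evaluate Ref and Fn::Join recursively so ARNs become plain strings."""
    if isinstance(node, dict) and "Ref" in node:
        return params[node["Ref"]]
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, params) for p in parts)
    if isinstance(node, dict):
        return {k: resolve(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [resolve(v, params) for v in node]
    return node


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def lint_role(role, params):
    """Return a list of least-privilege findings for one AWS::IAM::Role."""
    props = resolve(role["Properties"], params)
    findings = []
    # 1. Trust policy: only named principals, and only sts:AssumeRole.
    for st in props["AssumeRolePolicyDocument"]["Statement"]:
        principal = st.get("Principal")
        values = [principal] if not isinstance(principal, dict) else \
            [v for val in principal.values() for v in _as_list(val)]
        if "*" in values:
            findings.append("trust: wildcard principal can assume this role")
        if any(a.lower() != "sts:assumerole" for a in _as_list(st.get("Action", []))):
            findings.append("trust: action other than sts:AssumeRole in trust policy")
    # 2. Managed policies: the account field of an AWS-managed ARN is 'aws'.
    for arn in props.get("ManagedPolicyArns", []):
        if arn.split(":")[4] == "aws":
            findings.append(f"managed: AWS-managed policy {arn.rsplit('/', 1)[-1]} attached; review its scope")
    # 3. Inline policies: no wildcard actions; warn on wildcard resources.
    for pol in props.get("Policies", []):
        for st in pol["PolicyDocument"]["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            for action in _as_list(st.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append(f"inline {pol['PolicyName']}: wildcard action {action}")
            for res in _as_list(st.get("Resource", [])):
                if res == "*":
                    findings.append(f"inline {pol['PolicyName']}: Resource '*'")
                elif res.endswith("/*"):
                    findings.append(f"inline {pol['PolicyName']}: wildcard resource {res}; pin to a key ARN if possible")
    return findings


if __name__ == "__main__":
    print("RoleName:", resolve(ROLE["Properties"]["RoleName"], PARAMS))
    for finding in lint_role(ROLE, PARAMS):
        print("-", finding)
```

Run against the page's role, the checker passes the trust policy (single service principal, sts:AssumeRole only) and reports two things to review: the AWS-managed AWSLambdaVPCAccessExecutionRole policy and the `key/*` resource in FeeIngressPolicy, which could be narrowed to the specific KMS key ARN the listener decrypts with.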
