Understanding How IAM Works
Overview
IAM provides the infrastructure that controls authentication and authorization for an AWS account, so everyone working with it should understand the elements described below.
Principal
A principal is a person or application that can request an action or operation on an AWS resource because it has been authenticated as the AWS account root user or as an IAM entity. As stated before, it is strongly recommended not to use the root user credentials on a daily basis; instead, create separate IAM entities, or support federated users or programmatic access, to let people and applications access the AWS account.
Request
Whenever a principal uses the AWS Management Console, API, or CLI, a request is sent to AWS that includes the following information:
- Actions or Operations: the actions or operations the principal wants performed. These can be actions taken in the AWS Management Console or operations invoked through the AWS CLI or AWS API.
- Resources: the resource object on which the actions or operations are performed.
- Principal: the person or application that uses an entity to send the request.
- Environment Data: information such as the source IP address, user agent, whether SSL is enabled, and the time of day.
- Resource Data: as the name suggests, data related to the resource being requested.
Authentication
The principal sending a request to AWS must be authenticated with its credentials. From the console, a root user signs in with the registered email address and password, whereas an IAM user provides the account ID (or alias), username, and password. To authenticate from the API or AWS CLI, the access key and secret key must be provided, along with any additional security information that applies.
Authorization
Next, the request must be authorized. AWS uses the values in the request context to find the policies that apply to the request. For permissions to access AWS resources in your own account, only identity-based policies are required, since resource-based policies are generally used to grant cross-account access. Every applicable policy is checked, and if even one of them denies the action, AWS denies the whole request and stops evaluating it. This is known as an explicit deny. Requests are denied by default, so a request succeeds only when a policy explicitly allows it and nothing explicitly denies it.
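The evaluation order described above (deny by default, an explicit deny in any applicable statement overrides every allow, an allow is otherwise required) can be modelled in a few lines. This is an added example, not code from the original post or from AWS; the policy documents and ARNs are constructed, and conditions, NotAction and resource-based policies are left out to keep the logic visible.

```python
import fnmatch

# Constructed sample policies (not from the page): one identity-based policy
# that allows S3 reads on a bucket, and a second one that explicitly denies
# deleting any object anywhere.
POLICIES = [
    {"Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ]},
    {"Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]},
]


def _as_list(value):
    # Policy fields may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive=True):
    # IAM-style wildcards: '*' matches any run of characters, '?' one character.
    # Action names are matched case-insensitively, resource ARNs case-sensitively.
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # requests are denied by default
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not (_matches(stmt["Action"], action, case_sensitive=False)
                    and _matches(stmt["Resource"], resource)):
                continue  # this statement does not apply to the request
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a single Deny wins; stop evaluating
            decision = "Allow"  # keep going: a later Deny can still override
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(act, "->", evaluate(POLICIES, act, obj))
```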
Actions or Operations
Once a request has been authenticated and authorized, AWS approves the actions or operations in it. Each service defines the operations that can be performed on its resources, such as viewing, creating, editing, and deleting. To allow a principal to perform an operation, the necessary actions must be included in a policy that applies to the principal or to the affected resource.
Resources
Finally, once the operations in the request are approved, they are performed on the related resources within the account. A resource is an object that exists within a service, and that service defines the set of actions that can be performed on each resource. A request to perform an action that is not defined for a resource is denied immediately.