When it comes to understanding security in AWS, we should begin by understanding the basics of resource access authorization. So that you can fully understand how this works in AWS, let’s use the simple (and common) example of EC2 access.
As you know, EC2 is a common component used in AWS architectures, and it provides a common example that also applies to many other resources. EC2 permits you to create virtual machines in your AWS cloud and is an alternative to the serverless compute capabilities of AWS.
Remember that your security credentials identify you to services in AWS and grant you potentially unlimited use of your AWS resources if the policy permits. You can use features of EC2 and Identity and Access Management (IAM) to:
- Allow other users, services, and applications to use your EC2 resources without sharing your security credentials
- Control how other users use resources in your AWS account
- Use security groups to control access to your EC2 instances
- Allow full use or limited use of your EC2 resources
Remember, a security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups. This security group is attached to the virtual networking interface of the EC2 instance.
You add rules to the security group that controls the traffic for the instance. You can modify the rules for a security group at any time, and the new rules are automatically applied to all instances to which the security group is assigned.
Your organization might have multiple AWS accounts. EC2 enables you to specify additional AWS accounts that can use your AMIs and EBS snapshots. All users in the AWS account that you have specified can use the AMI or snapshot. Each AMI has a LaunchPermission attribute that controls which AWS accounts can access the AMI. Each Amazon EBS snapshot has a createVolumePermission attribute that controls which AWS accounts can use the snapshot. IAM enables you to do the following:
- Create users and groups under your AWS account
- Assign unique security credentials to each user under your AWS account
- Control each user’s permissions to perform tasks using AWS resources
- Allow the users in another AWS account to share your AWS resources
- Create roles for your AWS account and define the resources or services that can assume them; notice that roles can easily permit one service (like EC2) to access another service (like S3)
- Use existing identities for your enterprise to grant permissions to perform tasks using AWS resources
By using IAM with EC2, you can control whether users in your organization can perform a task using specific EC2 API actions and whether they can use specific AWS resources.
We hope you enjoyed this post, and we will be back with more critical AWS concepts for your to master.