You're reading from  Implementing Identity Management on AWS

Product typeBook
Published inOct 2021
PublisherPackt
ISBN-139781800562288
Edition1st Edition
Jon Lehtinen

Jon Lehtinen has 16 years of enterprise identity and access management experience and specializes in both the strategy and execution of IAM transformation in global-scale organizations such as Thomson Reuters, General Electric, and Apollo Education Group. In addition to his work in the enterprise space, he has held positions on Ping Identity's Customer Advisory Board and as an advisor to identity verification start-up EvidentID. He currently owns the workforce and customer identity implementations at Okta. Jon is dedicated to the growth and maturity of IAM as a profession and serves on the Board of Directors for IDPro org. He is also a member of the Kantara Initiative, ISC2, OpenID Foundation, and Women in Identity. Jon has presented his work at several conferences, including RSA, Identiverse, and KuppingerCole's European Identity and Cloud Conference. Currently, he owns Okta's workforce and customer IAM implementations as their Director of Okta on Okta.

Chapter 3: IAM User Management

Some of the most highly visible objects in identity and access management (IAM) are user accounts. Much of the discipline is centered on securing the credentials for those accounts, ensuring they have proper lifecycle management, and providing the governance to ensure that we can audit and document their proper use. And, of course, issues with accounts and passwords can also cause much user-experience friction in both enterprise and customer environments. All of those challenges are still with us in the cloud. In fact, it is arguable that the stakes for securely managing user accounts within cloud management backplanes are higher, as a loss of control there could have knock-on effects across dozens of apps and on critical enterprise infrastructure. With that in mind, let's take a look at Amazon Web Services (AWS) IAM user management.

In this chapter, we'll cover the following topics:

  • What is an IAM user account?
  • Managing and securing...

Technical requirements

To get the most out of this chapter, you will need the following:

  • An AWS account
  • A workstation running the AWS command-line interface (CLI)
  • A text editor or integrated development environment (IDE) to edit JavaScript Object Notation (JSON)/YAML Ain't Markup Language (YAML) files, such as Microsoft Visual Studio Code (VS Code)

What is an IAM user account?

In Chapter 1, An Introduction to IAM and AWS IAM Concepts, we introduced the foundational objects that AWS IAM uses to manage authentication and authorization to AWS resources under the context of AWS as an infrastructure-as-a-service (IaaS) platform. A principal—that is to say, a person or application that wants to access an AWS resource—will present itself using a known IAM object (such as an IAM user or a federated user) to AWS IAM. The principal validates their entitlement to assume that IAM object by confirming a shared secret, such as the IAM user object's password or access key ID and secret access key. By presenting the shared secret for the IAM user object, AWS IAM is able to authenticate the principal or determine who the principal is.

IAM user accounts are distinct user profiles managed by AWS IAM that distinguish and authenticate users within an AWS account. Using the AWS Management Console or the AWS CLI, we can perform...

Managing and securing root IAM user accounts

IAM user accounts are the basic units of accountability when a principal authenticates itself directly through AWS IAM, so ensuring that those accounts are hardened is foundational to the security of the entire AWS account. However, before we begin on general account management and security, we need to address some peculiarities and best practices of a unique account type.

Differences between root user account and IAM user accounts

We've heard that repetition is key to learning. In both Chapter 1, An Introduction to IAM and AWS IAM Concepts, and Chapter 2, An Introduction to the AWS CLI, we created IAM users using both the AWS Management Console and the AWS CLI. The IAM users that were created were no less capable of doing anything inside of the AWS account by dint of them being members of the Full Administrators group. However, this still was an example of an AWS IAM security best practice. The AWS root account should not be...

Managing and securing IAM user accounts

Many of the same principles that apply to securing the root account apply broadly to individual AWS IAM user accounts. That said, as these are managed objects, they are subject to additional configurable security policies. Additionally, as we can use a delegated account to administer other delegated accounts, we can also use the CLI for some of these tasks, while doing the same for the root account would be ill-advised.
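One way to check an account against the hygiene points this section and the root-account section make (no access keys on the root user, MFA wherever console sign-in is possible, access keys rotated on a schedule) is to parse the IAM credential report. This is an added example, not code from the book; it assumes the report JSON was fetched with `aws iam get-credential-report`, and the rows below are constructed with a subset of the real report's columns.

```python
import base64
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape `aws iam get-credential-report` returns
# (JSON whose "Content" is a base64 CSV); a subset of the real columns.
_CSV = (
    "user,arn,password_enabled,mfa_active,access_key_1_active,"
    "access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated\n"
    "<root_account>,arn:aws:iam::111122223333:root,not_supported,false,"
    "true,2020-01-01T00:00:00+00:00,false,N/A\n"
    "alice,arn:aws:iam::111122223333:user/alice,true,true,"
    "true,2021-09-01T00:00:00+00:00,false,N/A\n"
    "bob,arn:aws:iam::111122223333:user/bob,true,false,"
    "true,2021-03-01T00:00:00+00:00,false,N/A\n"
)
SAMPLE_REPORT = json.dumps(
    {"Content": base64.b64encode(_CSV.encode()).decode(), "ReportFormat": "text/csv"}
)
AS_OF = datetime(2021, 10, 1, tzinfo=timezone.utc)  # fixed "now" for the sample


def audit_credential_report(report_json, now, max_key_age_days=90):
    """Return (user, finding) pairs for the conditions this chapter warns about."""
    content = base64.b64decode(json.loads(report_json)["Content"]).decode()
    findings = []
    for row in csv.DictReader(io.StringIO(content)):
        user = row["user"]
        is_root = user == "<root_account>"
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:  # root should hold no access keys at all
                findings.append((user, f"root account has active access key {n}"))
                continue
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            if now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated in {max_key_age_days} days"))
        # Anyone who can sign in to the console (root always can) should have MFA.
        if (is_root or row["password_enabled"] == "true") and row["mfa_active"] != "true":
            findings.append((user, "console sign-in enabled without MFA"))
    return findings


def audit_sample():
    return audit_credential_report(SAMPLE_REPORT, AS_OF)
```

Against a live account, pipe the output of `aws iam get-credential-report` into `audit_credential_report` with the current UTC time in place of `AS_OF`.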

IAM user lifecycle management

We have referred to user accounts as the most basic unit of accountability for AWS-managed users. However, as the complexity of the organization increases, it's less likely that administrators would provision and administrate IAM user accounts for their user base. Large organizations with complex AWS account structures rely on identity federation for user authentication into AWS. This relies on temporary security credentials and assumed roles for access. We will dive more deeply into this...

Managing federated user accounts

We've focused primarily on AWS IAM-managed user accounts in this chapter. Recall the distinction between a user account—referring to the AWS IAM user object, which a principal uses to identify itself to access AWS resources—and a principal, which is an end user of the system in a general sense. We've discussed at length how principals may use an AWS IAM-managed user account to access AWS resources; however, that is not the only way principals may do so.

Many organizations manage their own enterprise identities and would prefer to maintain control over the accounts and credentials that employees use when accessing business applications. Similarly, service providers or relying parties benefit from not needing to maintain an account's credentials. As we saw in the Redbeard Identity (RBI) example in Chapter 1, An Introduction to IAM and AWS IAM Concepts, the RBI organization would provision an account into various software...

Summary

Now that you've made it through this chapter, you have a much better understanding of the best practices for administrating and securing AWS IAM-managed user accounts, including the root account. Additionally, you have learned why the root account merits extra consideration and why certain administrative functions are best left to managed IAM user objects. This chapter also increased your understanding of password, access key, and MFA device management within an AWS account, including how to perform those functions programmatically using the AWS CLI. Finally, you were introduced to what makes federated users different from AWS IAM users, in order to ensure you had a complete understanding of how principals use both to interact with AWS services.

Now that we have discussed managing our AWS IAM users and the various ways we can authenticate them, it is time to turn our attention to controlling what they can do within an AWS account afterward. This is access management...

Questions

  1. What is a principal?
  2. How does an IAM user account differ from a root account?
  3. Why is it not considered a best practice to use access keys with a root account?
  4. What is MFA, and how does it improve account security?
  5. What kind of multifactor authenticators can be used with any IAM user, including a root account, to access the Management Console?
  6. Describe how federated users access AWS resources, and how that differs from AWS IAM users.