What Is AWS Identity and Access Management (IAM)?
Identity and Access Management (IAM) is an Amazon web service that provides secure control over how users and entities access AWS resources. AWS IAM lets you control user authentication and authorization (permissions) to use resources.
When creating your AWS account, you start with an identity with full access to all AWS resources and services. This identity, the root user for the AWS account, is accessible via sign-in with your email address and password (the same credentials used to create your account).
AWS recommends that you avoid using the root user identity for everyday tasks. You can create other identities with different access levels to handle tasks safely. You should protect the root user credentials, using them only when you need to perform critical administrative tasks.
When working with Kubernetes clusters in AWS, the primary way to implement Kubernetes RBAC is with Amazon IAM. I'll discuss how to to this in practice for Amazon EKS clusters.
Benefits of IAM
Organizations use IAM technology to initiate, acquire, record, and manage user identities and related permissions in an automated manner. IAM systems make it possible to grant permissions according to policies, ensuring all individuals and services are properly certified, approved and audited.
Companies that centrally manage identities better can better control user access, reducing the risk of internal and external data breaches. IAM can also help your businesses run more efficiently, by reducing the effort, time, and cost of manually managing network access.
An additional benefit is that IAM frameworks make it easy to consistently enforce policies across the organization for user authentication, validation, and permissions, and solves the problem of privilege escalation.
Lastly, IAM systems can simplify compliance, by proving to regulatory bodies and external auditors that corporate information has not been misused. Companies can also prove that the data they need for auditing is available on demand.
How RBAC Works in AWS
RBAC defines permissions based on individual job functions outside of AWS, known as roles. In AWS, roles are often referred to as IAM roles. IAM includes task management policies that match task responsibilities to permissions in the RBAC model.
IAM implements RBAC by creating different policies for different features. You can attach a policy to an identity (IAM user, user group, or IAM role). A best practice is to grant the least privilege required for the job, in accordance with the least privilege principle. To do this, list the specific resources the job can access. One downside to using the traditional RBAC model is that when an employee adds a new resource, you must update the policy to allow access to that resource.
Identity and Access Management for Amazon EKS
AWS Elastic Kubernetes Service (EKS) is a managed Amazon service that runs Kubernetes on AWS. It eliminates the need to install, maintain, and operate Kubernetes nodes or the control plane. Kubernetes is an open source platform for automatically deploying, scaling, and managing containerized applications.
IAM policies allow you to specify the allowed and denied resources and actions for each identity. They also set the conditions for allowing or denying an action. Amazon EKS supports certain resources, actions, and condition keys.
As an administrator, you can specify which principals (users, applications, etc.) can access specific resources using AWS JSON policies. A JSON policy determines the conditions under which a principal can perform specific actions.
A resource JSON policy specifies an object or group of objects to which the allowed action applies. The policy statements must contain a Resource element or a NotResource element. It is best practice to specify resources using the Amazon Resource Name (ARN), especially for resource-level permissions, where the actions support specific resource types.
An AWS JSON policy also includes an Action element that describes the specific actions allowed or denied in the policy. The actions in a policy typically have the same name as their associated AWS API operations, but there are exceptions. For example, permission-only actions do not have matching API operations.
Some operations also require dependent actions - additional actions in the JSON policy. Including actions in a policy grants permissions to perform specific operations.
Identity-Based EKS Policy
IAM roles and users do not have default permissions to create and modify EKS resources or perform tasks via the AWS API, management console, or CLI. IAM administrators must create policies to grant permissions for API operations on specific resources, attaching the policies to the groups or users.
When creating an EKS cluster, the cluster's RBAC configuration automatically grants the AWS IAM role or user system permissions. The IAM entity is not in a visible configuration, so it's important to track who created each cluster. You can grant access to additional AWS roles or users by editing the aws-auth ConfigMap in Kubernetes and creating a role binding with the group's name.
Identity-based EKS policies determine whether users can access, create, or delete resources, which incur costs for the AWS account. Consider the following when setting up these policies:
- Use AWS-managed policies - start with the managed policies available in your account and reduce permissions with customer-managed policies for specific use cases.
- Implement least privilege - grant only the access permissions needed to perform specific tasks and restrict redundant access to resources.
- Restrict access with IAM conditions - add conditions to policies to determine when principals can perform specified actions.
- Evaluate policies with IAM Access Analyzer - validate new or existing policies to ensure your policies follow best practices.
- Use multi-factor authentication (MFA) - require additional authentication measures to increase security.
In this article, I explained the basics of AWS IAM and it works in Amazon EKS:
- Resources - As an administrator, you can specify which principals can access specific resources using AWS JSON policies.
- Actions - An AWS JSON policy also includes an Action element that describes the specific actions allowed or denied in the policy.
- Identity-Based EKS Policy - Identity-based EKS policies determine whether users can access, create, or delete resources.
I hope this will be useful as you implement IAM and RBAC in Amazon EKS.