Harnessing AWS IAM and Terraform for Enhanced Cybersecurity

In the realm of cloud computing, securing your resources is of utmost importance. With cyber threats lurking around every corner, it's crucial to leverage efficient tools and best practices to safeguard your cloud infrastructure. In this blog, we'll dive into how AWS Identity and Access Management (IAM) and Terraform can be used to fortify your cybersecurity posture.

AWS IAM Users and Identity Policies: Your First Line of Defense

IAM users serve as individual sign-in entities for AWS, representing either a person or a service. By assigning identity policies to these users, you can define their permissions and control their access to resources, thereby reducing the attack surface.

Here's a Terraform script to create an IAM user and assign an identity policy:

resource "aws_iam_user" "supasaf_s3_user" {
  name = "supasaf_s3_user"
}

resource "aws_iam_user_policy" "supasaf_s3_policy" {
  name = "supasaf_s3_policy"
  user = aws_iam_user.supasaf_s3_user.name

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action   = ["s3:ListBucket"],
        Effect   = "Allow",
        Resource = ["arn:aws:s3:::supasaf-demo"]
      },
    ],
  })
}

Resource Policies: Keeping Your Assets Secure

Resource policies are permission policies that are attached directly to a resource. They are perfect for setting specific rules on who can access a resource and what actions they can perform, further enhancing your cloud security.

resource "aws_s3_bucket" "bucket" {
  bucket = "supasaf-bucket-1"
}

data "aws_iam_policy_document" "bucket_policy" {
  statement {
    sid = "AllowSpecificUserAccess"

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::392653644284:user/supasaf_s3_user"]
    }

    actions = [
      "s3:ListBucket",
      "s3:GetObject"
    ]

    # Bucket-level actions (ListBucket) match the bucket ARN; object-level
    # actions (GetObject) match the object ARN pattern.
    resources = [
      aws_s3_bucket.bucket.arn,
      "${aws_s3_bucket.bucket.arn}/*"
    ]
  }
}

resource "aws_s3_bucket_policy" "bucket_policy" {
  bucket = aws_s3_bucket.bucket.id
  policy = data.aws_iam_policy_document.bucket_policy.json
}

After applying, the bucket policy JSON document is visible in the bucket's "Permissions" tab in the S3 console.

IAM Groups: Streamlining User Permissions

Groups in IAM are a way to manage permissions for a collection of users, which is more efficient than managing permissions for individual users. Groups help you maintain a consistent security posture and reduce the potential for human error.

resource "aws_iam_group" "supa_group" {
  name = "supa_group"
}

resource "aws_iam_group_policy" "supa_group_policy" {
  name  = "supa_group_policy"
  group = aws_iam_group.supa_group.id

  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Put*",
        "s3:Delete*"
      ],
      "Resource": "arn:aws:s3:::supasaf-bucket-1/*"
    }
  ]
}
EOF
}

resource "aws_iam_group_membership" "supasaf_membership" {
  name = "supasaf_membership"

  # Reference the user resource rather than a bare string so Terraform orders
  # the creation of the user before the membership.
  users = [
    aws_iam_user.supasaf_s3_user.name,
  ]

  group = aws_iam_group.supa_group.name
}

Since the bucket and the user were created in the previous steps, the newly created group and its membership are now visible in the IAM console.
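To see how the identity policy, the bucket policy and the group policy above combine, here is an added Python evaluator (not the page's code and not AWS's real policy engine): it mirrors the page's policies as constructed documents, applies the same-account rule that an explicit Deny beats any Allow and that an Allow in either an identity or a resource policy suffices, and keeps the group policy scoped to object ARNs only (`supasaf-bucket-1/*`) to show that `s3:List*` on objects does not grant `s3:ListBucket` on the bucket itself. The `DENY_DELETE` guardrail statement is hypothetical, and Condition, NotAction and NotResource are not modelled.

```python
import fnmatch

# Constructed policy documents modelled on the page's Terraform (added example, not page code).
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::supasaf-demo"]}]}
GROUP_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*"],
     "Resource": "arn:aws:s3:::supasaf-bucket-1/*"}]}   # object ARNs only, as on the page
BUCKET_POLICY = {"Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::392653644284:user/supasaf_s3_user"},
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::supasaf-bucket-1", "arn:aws:s3:::supasaf-bucket-1/*"]}]}
# Hypothetical guardrail (not on the page) used to show that an explicit Deny always wins.
DENY_DELETE = {"Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "arn:aws:s3:::supasaf-bucket-1/*"}]}

USER = "arn:aws:iam::392653644284:user/supasaf_s3_user"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one; actions are case-insensitive.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _principal_allowed(stmt, principal):
    # Identity policies carry no Principal; resource policies name the principals they apply to.
    if "Principal" not in stmt:
        return True
    allowed = _as_list(stmt["Principal"].get("AWS", []))  # assumption: {"AWS": ...} form only
    return principal in allowed or "*" in allowed


def evaluate(policies, principal, action, resource):
    """Simplified same-account evaluation: an explicit Deny in any policy wins; otherwise an
    Allow from any identity *or* resource policy grants; otherwise the request is implicitly denied."""
    verdict = "ImplicitDeny"
    for doc in policies:
        for stmt in doc["Statement"]:
            if not (_principal_allowed(stmt, principal)
                    and _matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            verdict = "Allow"
    return verdict
```

Run with and without `BUCKET_POLICY` to see that listing `supasaf-bucket-1` is granted only by the bucket policy, because the group policy's `s3:List*` is scoped to `/*` and never matches the bucket ARN.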

IAM Roles: Temporary Access for Enhanced Security

IAM roles are another key component of AWS IAM. Unlike users, a role has no long-term credentials of its own: it is assumed by the principals its trust policy allows and yields temporary credentials, making it well suited to temporary access. This reduces the long-term risks associated with managing access credentials.

resource "aws_iam_role" "supa_s3_role" {
  name = "supa_s3_role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Principal = {
          AWS = "arn:aws:iam::392653644284:user/supasaf_s3_user"
        },
        Effect = "Allow",
      },
    ],
  })
}

resource "aws_iam_role_policy" "supa_s3_role_policy" {
  name = "supa_s3_role_policy"
  role = aws_iam_role.supa_s3_role.id

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action   = ["s3:PutObject"],
        Effect   = "Allow",
        Resource = ["arn:aws:s3:::supasaf-bucket-1/*"]
      },
    ],
  })
}

After applying, the role we just created can be found by searching for it in the IAM console.

In this script, an IAM role named supa_s3_role is created that supasaf_s3_user can assume. The assume_role_policy argument is the role's trust policy and defines who can assume the role. The aws_iam_role_policy attaches a permissions policy to the role that allows putting objects into our supasaf-bucket-1.

By leveraging Terraform with AWS IAM, you can efficiently manage your cloud resources while improving your cybersecurity posture. IAM users, identity policies, resource policies, groups, and roles allow you to define granular permissions, thereby reducing the attack surface and potential impact of any security incidents.

Stay tuned for the next blog post in this series, where we will delve deeper into more complex cybersecurity scenarios involving Terraform and AWS IAM. Until then, stay secure and remember - your cloud security is only as strong as its weakest link!