• About Us
  • Contact Us

Exclusive Identifiers within AWS IAM: Recognizing Users, Groups, and Roles

AWS IAM is a vital help that permits us to control admittance to AWS assets and resources. It enables users to create and manage various identities i.e., IAM users, groups, roles, and policies. One can enforce the principle of least privilege, ensuring that users and multiple services have only the necessary permissions to perform their actions.

Unique Identifiers

Though you can use friendly names and paths while creating roles, user groups or policy and get Amazon Resource Names (ARNs) to whitelist specific IAM identities, there are also unique identifiers that AWS IAM provides with the identities.

When AWS IAM creates a user, user group, role, policy, instance profile, or server certificate for you, it assigns a unique ID to each resource. Here is an example how a unique ID looks like:

AKIAJQABLZS4A3QDU576Q

Mostly, you use friendly names or ARNs when you grant access within your AWS ecosystem. However, the unique ID can sometimes be helpful when it is not practical to use friendly names.

Examples and Use Cases

AWS S3 bucket’s folder Access

Consider a scenario where you use friendly names within your AWS account for various IAM entities like users, user groups, roles, and policies. It’s important to note that these friendly names must be unique within your AWS account. For instance, you might have an IAM user named Julia who belongs to a user group called User-S3-Access. This group grants access to specific folders within an Amazon S3 bucket, allowing users to access their respective folders.

Now, imagine that the employee named Julia leaves your company, and you delete the IAM user named Julia. Later on, another employee with the same name, Julia, joins your organization, and you create a new IAM user with the same name. If the policy associated with the user group specifies the friendly IAM username ‘Julia,’ it would inadvertently grant access to the new Julia to access the former Julia’s data (S3 bucket folder).

To mitigate such situations, using Amazon Resource Names (ARNs) in your policies is generally recommended instead of relying solely on friendly names. However, it’s worth noting that every IAM user has a unique ID, even if you create a new IAM user with a friendly name that was previously deleted. In the example mentioned, the old IAM user Julia and the new IAM user Julia would have distinct unique IDs. By creating resource-based policies that grant access based on unique IDs rather than usernames, you can significantly reduce the risk of unintentionally providing access to data that an employee should not have.

Unique IDs in databases

Unique IDs serve another valuable purpose in scenarios where you manage your own database or storage system for IAM user or role data. The unique ID is an exclusive identifier for each created IAM user or role. This becomes particularly important when dealing with IAM users or roles that share the same name. If there are two users with the same name, then they can be identified in the database using their unique IDs.

Gaining Insight into Unique ID Prefixes

AWS IAM uses the following prefixes to determine what kind of resource each unique ID applies to:

PrefixResource Type
ABIAAWS STS service bearer token
ACCAContext-specific credential
AGPAUser group
AIDAAWS IAM user
AIPAAWS EC2 instance profile
AKIAAccess key
ANPAManaged policy
ANVAVersion in a managed policy
APKAPublic key
AROARole
ASCACertificate
ASIATemporary AWS STS access key IDs use this prefix

How to use in Policies

You can use the following as an example of using unique identifiers in the Principal section of the resource based IAM policy:

"Principal": {
  "AWS": [
    "arn:aws:iam::ACCOUNT_NUMBER:role/ROLE_NAME",
    "AIDACKCEVSQ6C2EXAMPLE",
    "AROADBQP57FF2AEXAMPLE"
  }

You can use the following as an example of using unique identifiers in the Condition section of a policy using condition:

"Condition": {
    "StringLike": {
      "aws:userId": [
        "AIDACKCEVSQ6C2TEST",
        "AROAXDQP57FF2ATEST:ROLE_SESSION_NAME",
        "AROA5465567890TEST:*",
        "ACCOUNT_NUMBER"
      ]
    }
  }

Retrieve Unique Identifiers

AWS IAM unique identifiers are not available in the AWS IAM console. You need to use the AWS CLI command or IAM API calls to get them. You can use the following AWS CLI references:

  • To get details about the current IAM identity:
aws sts get-caller-identity

Output:
{
    "UserId": "AIDATESTUSERID",
    "Account": "ACCOUNT_NUMBER",
    "Arn": "arn:aws:iam::ACCOUNT_NUMBER:user/Julia"
}
  • To get an IAM group:
aws iam get-group --group-name Administrators

Output:
{
    "Group": {
        "Path": "/",
        "CreateDate": "2023-09-01T21:14:07Z",
        "GroupId": "AGPAPMS9RO4H3FTEST",
        "Arn": "arn:aws:iam::ACCOUNT_NUMBER:group/Administrators",
        "GroupName": "Administrators"
    },
        "Users": []
}
  • To get an IAM role:
aws iam get-role --role-name SAMPLEROLE

Output:
    "Role": {
        "Description": "TEST ROLE",
        "AssumeRolePolicyDocument":"<URL-encoded-JSON>",
        "MaxSessionDuration": 3600,
        "RoleId": "AROA987654321TEST",
        "CreateDate": "2023-09-03T22:13:03Z",
        "RoleName": "SAMPLEROLE",
        "Path": "/",
        "RoleLastUsed": {
            "Region": "us-west-1",
            "LastUsedDate": "2023-09-04T16:45:56Z"
        },
        "Arn": "arn:aws:iam::ACCOUNT_NUMBER:role/SAMPLEROLE"
    }
}
  • To get an IAM user:
aws iam get-user --user-name Julia

Output:
{
    "User": {
        "UserName": "Julia",
        "Path": "/",
        "CreateDate": "2023-09-03T22:13:03Z",
        "UserId": "AIDA1987654321TEST",
        "Arn": "arn:aws:iam::ACCOUNT_NUMBER:user/Julia"
    }
}
  • To get an IAM policy:
aws iam get-policy --policy-arn arn:aws:iam::ACCOUNT_NUMBER:policy/TESTPOLICY

Output:
{
    "Policy": {
        "PolicyName": "TESTPOLICY",
        "CreateDate": "2023-09-03T22:13:03Z",
        "AttachmentCount": 1,
        "IsAttachable": true,
        "PolicyId": "ANPAI6FQMGNQ2TEST1",
        "DefaultVersionId": "v1",
        "Path": "/",
        "Arn": "arn:aws:iam::ACCOUNT_NUMBER:policy/TESTPOLICY",
        "UpdateDate": "2023-09-04T19:23:32Z"
    }
}

You can also use IAM API calls such as https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetGroup.html

Conclusion

AWS IAM unique identifiers play a crucial role in maintaining the integrity and security of your AWS ecosystem. These identifiers, assigned to IAM users, groups, roles, and policies, ensure that every entity within your AWS account has a distinct and immutable reference.

By understanding the significance of unique identifiers, you can effectively manage and control access to your AWS resources. Whether it’s maintaining consistency in user and group names or mitigating the risks associated with reusing friendly names, unique IDs provide the foundation for secure identity and access management.

As best practices, it is advisable to rely on these unique identifiers, especially when creating resource-based policies, to minimize the potential for unintended access. With IAM unique identifiers as a cornerstone of your AWS security strategy, you can confidently navigate the complex landscape of identity and access management, ensuring that your AWS resources remain protected and accessible only to those with the right and needful permissions.