2

Amazon Web Services' IAM service allows administrators to create user accounts with different permissions, groups, etc.

When an administrator creates a new user, he has the option of specifying whether this user will be limited to either programmatic access (i.e. only access AWS through API calls) or web console access (i.e. can log into the web GUI).

Why did AWS invest the time and money into doing this?

Why would someone want to limit a user to one or the other? The web console can do anything programmatic access can and vice versa. Allowing only one or the other doesn't seem to offer any security advantages. So why bother?

CodyBugstein

3 Answers

5

The console credentials and the IAM user keys are two independent sets of credentials (for the same principal). It's not that AWS went to the trouble of disconnecting two things that are inherently connected.

For the most part, your assertion is correct -- there are some exceptions that are not all that relevant, but as a rule, anything you can do programmatically can be done in the console and vice versa, so it can't be simply motivated by any appeal of restricting the user by one or the other for the purpose of controlling access to the underlying resources.

Some users do not need programmatic access. These users are likely to be non-technical (or perhaps non-developer) users who have a legitimate business purpose for console access, but do not need keys.

Some users do not need a console account. These users are likely to be non-human users that require API keys but that are not so situated that they can use IAM role credentials.

Not provisioning the mechanism of access that a user does not require is quite consistent with the principle of least privilege.

Michael - sqlbot
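One way to put the least-privilege point in the answer above into practice is to check which access mechanism each IAM user was provisioned with and whether it is actually being used. The following is an added example, not part of the original answer, that parses the CSV layout returned by the IAM credential report (`aws iam get-credential-report`, after base64-decoding the `Content` field) and flags users who hold both a console password and active access keys, or whose provisioned credential has gone unused. The report text, account id, user names and timestamps are constructed sample data, and only the report columns the check reads are included.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the CSV layout of the IAM credential report.
# The real report has more columns (creation time, MFA, rotation dates, certs);
# only the ones this audit reads are kept. Account id and dates are invented.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,true,2019-02-10T09:12:00+00:00,false,N/A,false,N/A
build-bot,arn:aws:iam::111122223333:user/build-bot,false,N/A,true,2019-02-11T23:05:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2018-06-01T08:00:00+00:00,true,N/A,false,N/A
"""

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2019, 2, 12, 12, 0, tzinfo=timezone.utc)


def parse_report(text):
    """Return the credential report rows as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(row):
    """Which access mechanism(s) a user has been provisioned with."""
    console = row["password_enabled"] == "true"
    keys = row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true"
    if console and keys:
        return "both"
    if console:
        return "console-only"
    if keys:
        return "programmatic-only"
    return "none"


def _last_used(value):
    """The report uses 'N/A' (or 'no_information') when a credential was never used."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit(rows, now=NOW, stale_days=90):
    """Flag credentials that were provisioned but are not being used (least privilege check)."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in rows:
        user = row["user"]
        if classify(row) == "both":
            findings.append((user, "has both a console password and active access keys"))
        if row["password_enabled"] == "true":
            last = _last_used(row["password_last_used"])
            if last is None or last < cutoff:
                findings.append((user, f"console password enabled but unused for {stale_days}+ days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                last = _last_used(row[f"access_key_{n}_last_used_date"])
                if last is None or last < cutoff:
                    findings.append((user, f"access key {n} active but unused for {stale_days}+ days"))
    return findings


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    for row in rows:
        print(f"{row['user']:<10} {classify(row)}")
    for user, finding in audit(rows):
        print(f"FINDING {user}: {finding}")
```

On the sample data only `bob` is flagged: he was given both mechanisms, his console password has not been used within the window, and his active access key has never been used at all. `alice` (console only) and `build-bot` (keys only) each hold exactly the credential they use, which is the arrangement the answer argues for. To run this against a real account, feed it the output of `aws iam get-credential-report --query Content --output text | base64 -d` instead of `SAMPLE_REPORT`.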
0

I had this question once, and as you keep working with AWS it gets clearer to you. Let me try to explain from what I know or understand:

Why would someone want to limit a user to one or the other?

The short answer to this would be isolation and more granular control; let me try to answer this by scenario:

  • You have an accounts team whose job is to pay bills; you will create an IAM Role with console access for them so that they can pay bills. It might be possible that they are not IT professionals, so what and why would you complicate things for the accounts team by giving them CLI access? What is the need for this?

Vice versa:

  • If you have given one module to an offshore team for development and you have created a RedShift cluster with the appropriate IAM permissions, you only want them to know what is necessary; why give access to the console so they can see what is going on in the account?

The point I am trying to make is that each of them has its own advantages depending on the situation, which you will face as you work more deeply with AWS.

Kush Vyas
-2

I think you're misinformed. You can actually create an IAM user with both console and programmatic access. While creating a user, it gives two check boxes for Access type on the first page: Programmatic access and AWS Management Console access. You can choose both of them simultaneously or either one. In the case of both, it'll provide you the following in the end:

  • Access key ID and secret access key: for Programmatic access
  • Password: for Console access (you can also set this manually)
Manish Batra
  • I acknowledge that. But the question still remains: why allow for only one to be chosen? – CodyBugstein Mar 05 '18 at 07:38
  • As I mentioned in the answer itself, You can choose both of them simultaneously. – Manish Batra Mar 05 '18 at 07:39
  • Yes but why even have an option to only select one or the other? Why would someone want just programmatic access but not web console access? – CodyBugstein Mar 05 '18 at 07:51
  • @CodyBugstein It's common to have users that only need programmatic access, like service accounts that are used outside of AWS, these users don't need access to AWS Console, just to AWS APIs. – Erico Feb 12 '19 at 11:29