AWS IAM having issues yet again (amazon.com)
89 points by ManWith2Plans 28 days ago | 16 comments

Maybe a stupid question, but isn't IAM related to almost any API access to AWS as it's used for authorization and authentication through a combination of identities and policies? Or does this outage only affect the meta level being access to IAM itself through its own API?

There are 3 basic ways in which you might see an IAM/Identity related issue:

1. Control plane problems - these will manifest as latency or errors when calling the IAM service itself to make updates/additions/deletions of users/roles/policies/groups/etc. This is the most likely scenario if the dashboard names "IAM" specifically as the issue.

2. Propagation problems - problems with propagation will manifest as delays in seeing your control plane (IAM) actions reflected in the dataplane. For example, if you remove a user, but the user is still able to authenticate to AWS services for a lengthy period of time.

3. Dataplane problems - these will be problems with authentication or authorization to any and all AWS services. A widespread problem with authentication is less likely, but extremely bad, and will probably not be categorized in the dashboard as a problem only with IAM, since "IAM" is technically the name of the control plane.

[Disclaimer: I'm speaking as an engineer personally, not for any company.]

My understanding is that authz/authn flows have not been affected. If authz/authn flows (which occur on every API call) were affected, I suspect the effect would be far more noticeable.

IAM is probably decentralized using trusted CA certificates to allow other AWS services to validate tokens previously created by IAM when it wasn't down. Yeah if you want new tokens you are just out of luck, but existing ones will keep working.

The last time this happened I saw errors changing IAM entities but not using them or getting STS tokens, which made sense if it was related to propagating changes.

This is what I experienced this time too. Still impacts development significantly if you use a tool like Terraform.

Definitely – just changes it from “critical - the world is on fire” to “major”.

Does anyone know of good IAM learning resources? They (along with networking) are the biggest barriers I have from using AWS.

I work at AWS. I'm someone who helps enterprise customers troubleshoot IAM every day. I also teach new hires, external people, and provide continuing education for IAM.

The biggest thing is what do you want to learn and how complicated do you need things to be. These two reInvent videos are really good:

https://www.youtube.com/watch?v=YQsK4MtsELU
https://www.youtube.com/watch?v=Zvz-qYYhvMk

They're a little old and might not talk about the newest and greatest things (like IAM Access Analyzer), but the basics of IAM are there and always stay the same.

If you give a better understanding of what you struggle with (basics, conditions, etc.), we could probably give better answers.

Here are some other reInvent videos I skimmed that look pretty good:

https://www.youtube.com/watch?v=XO4CALyzbVM
https://www.youtube.com/watch?v=BFrWnKZ0DQ8

Cloud Academy has some good stuff about AWS. But most re:Invent sessions are on YouTube. You can learn a ton of stuff from re:Invent sessions.

Have you tried reading the AWS docs? As in actually spending some time to read the whole content? They have good descriptions, many guides, step-by-step instructions for simple examples, etc. You can go a long way with just those pages.

If you want something more hand-holding, A Cloud Guru courses are pretty good.

The training offered on aws.training may be a good place to start: https://www.aws.training/LearningLibrary?&search=iam&tab=vie...

What are you trying to figure out? I will say IAM seems daunting because it's used by every other service; you don't have to know what every property or policy is in order to effectively secure your resources.

AWS Identity is truly awful. It is not extensible and it lacks critical features. AWS has an opportunity to put companies like Okta out of business but their Identity team doesn't have the vision.

I think you're referring to the Cognito team. As far as I know, IAM has never had managing user identities outside AWS among its goals.

People rarely think about the true purpose and power of IAM and its equivalent services in other platforms. Its real function is to decouple teams from each other, which is what enables the platform to grow. IAM is the glue that federates services together. What developers see is a powerful, relatively low level RBAC/PBAC API for that, but through that API you can get a glimpse of just how agnostic IAM is to the information that it's managing - and how central it is to the rest of AWS. (Fun fact - you can actually use IAM to evaluate completely made up policies/principals/resources, because it's agnostic to what it's evaluating and the PDP API is available to everyone.)

Comparing this to Google or Azure, AWS IAM is architecturally superior - at least in terms of extensibility.
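Two points in this thread are easier to see in code than in prose: the control-plane / propagation / dataplane split described in the three-case breakdown earlier, and the observation just above that IAM's evaluator is agnostic to the actions, principals and resources it is handed (the real service exposes this through its policy simulation API, e.g. `aws iam simulate-custom-policy`). The block below is an added example written for this page, not AWS code and not anything a commenter posted. It is a toy model: a local evaluator that follows the documented core decision order (an explicit Deny beats any Allow; a request no statement allows is an implicit Deny) for identity-based policies with `Action`/`Resource` wildcards, plus a control plane and a lagging data-plane replica. `NotAction`, `NotResource`, `Condition` blocks, resource policies, SCPs and permission boundaries are deliberately left out. The `widgets:*` actions, the `arn:example:...` ARNs and the principal `alice` are all constructed; nothing about the real service's internal replication is assumed beyond what the thread states.

```python
"""Toy model of IAM-style policy evaluation and the control-plane / data-plane split.

Added example for this discussion; not AWS code. Only the core decision order is
modelled (explicit Deny > Allow > implicit Deny) for identity-based policies.
"""
from copy import deepcopy
from fnmatch import fnmatchcase


def _as_list(value):
    """Action, Resource and Statement may be a single item or a list in IAM JSON."""
    return list(value) if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """IAM wildcard matching: '*' and '?' are the only metacharacters.
    fnmatchcase also treats '[' specially, so escape it to keep ARN brackets literal.
    Action names are matched case-insensitively; ARNs are matched exactly."""
    pattern = pattern.replace("[", "[[]")
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request.

    The evaluator does not know what 'widgets:Frobnicate' means; it only matches
    strings, which is why made-up actions and ARNs can be simulated.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource, False) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "explicitDeny"   # an explicit Deny ends evaluation immediately
            allowed = True              # remember the Allow, keep scanning for a Deny
    return "allowed" if allowed else "implicitDeny"


class ControlPlane:
    """The IAM API surface: where principals are created/deleted and policies attached."""

    def __init__(self):
        self._principals = {}           # principal name -> list of policy documents

    def put_principal(self, name, policies):
        self._principals[name] = list(policies)

    def delete_principal(self, name):
        self._principals.pop(name, None)

    def snapshot(self):
        return deepcopy(self._principals)


class DataPlane:
    """Where service API calls are authorized, against a replicated copy of the
    control-plane state. The gap between the two is what 'propagation' means."""

    def __init__(self, control):
        self._view = control.snapshot()

    def sync(self, control):
        """Replicate the current control-plane state (propagation catching up)."""
        self._view = control.snapshot()

    def authorize(self, principal, action, resource):
        policies = self._view.get(principal)
        if policies is None:
            return "unknownPrincipal"   # the data plane has never heard of this principal
        return evaluate(policies, action, resource)


# Constructed sample policy using a made-up service namespace and ARN scheme.
MADE_UP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "widgets:*", "Resource": "arn:example:widgets:::thing/*"},
        {"Effect": "Deny", "Action": "widgets:Delete*", "Resource": "*"},
    ],
}


def propagation_demo():
    """Delete a user on the control plane and show the data plane still honours the
    stale replica until it syncs. Returns (decision_before_sync, decision_after_sync)."""
    control = ControlPlane()
    control.put_principal("alice", [MADE_UP_POLICY])
    data = DataPlane(control)                   # replica taken while alice exists
    control.delete_principal("alice")           # control-plane call succeeds at once
    request = ("alice", "widgets:Frobnicate", "arn:example:widgets:::thing/1")
    before = data.authorize(*request)           # stale replica: still 'allowed'
    data.sync(control)                          # propagation completes
    after = data.authorize(*request)            # now 'unknownPrincipal'
    return before, after


if __name__ == "__main__":
    print(evaluate([MADE_UP_POLICY], "widgets:DeleteThing", "arn:example:widgets:::thing/1"))
    print(propagation_demo())
```

The `propagation_demo` result is the second failure class in the breakdown above: the control-plane delete returns success, yet a request evaluated against the un-synced replica is still allowed. Detecting that condition in practice means comparing what the IAM API reports with what the service actually enforces, rather than trusting either side alone.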

At their volume, keeping the thing online is an accomplishment imo
