An overview of AWS Identity and Access Management (IAM)

Identity and Access Management (IAM) is one of the essential services in Amazon Web Services (AWS), and it can also be confusing for newcomers to AWS.

In this article, I will try to explore the Identity and Access Management concepts in AWS.

What is IAM?

IAM lets you control who can access your AWS resources and what they are allowed to do with them.

IAM is the Identity and Access Management service: it is how principals authenticate to AWS and how they are authorized to use AWS services.

From a security perspective this is the zero trust model, and it is the model AWS operates on: every request must be both authenticated and authorized.

  • Authentication – validates a user's identity.
  • Authorization – grants the user permission to access a resource.

What are the capabilities of IAM?

1. IAM User Sign-in Credentials

One of the best practices is to create a separate IAM user for each employee in your organization and grant each one only the least privilege required for the job. Additionally, you can create groups with specific permissions and add users to them. Users can sign in to AWS through the console or the CLI. For console sign-in, IAM issues a user ID and password; for the CLI, it issues an access key ID and secret access key, which is called programmatic access.

2. IAM User Access Management

Users don't have any permissions by default. So you can provide access to the users in different ways.

  • Identity-based policy – a policy attached to the user (or group or role) that defines what that identity may do.
  • Resource-based policy – a policy attached to the resource itself that defines who is allowed to access the resource and which actions they may perform on it.

3. IAM roles

Unlike an IAM user, an IAM role has no long-term credentials such as a password or access keys. When a role is assumed, AWS Security Token Service (STS) issues temporary credentials that expire after a set time. A role can be assumed by many kinds of principals: an IAM user, an AWS service, an EC2 instance, or a federated identity from an external identity provider.

In conclusion, there are four main components of IAM:

  • Users – A user is a person or an application that needs to interact with AWS resources.
  • User Groups – A group collects multiple users that need similar permissions to resources, so the permissions are managed once for the group.
  • Policies – Policies are statements, or rules, that define which access is granted or denied to a specific user, group, or role.
  • Roles – A role is not directly linked to a person or a service; rather, it can be assumed by any user, service, or resource that the role permits to assume it. Role credentials are always temporary and are rotated periodically by the AWS Security Token Service (STS).
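As an added illustration that is not part of the original article, the following Python model shows how the identity-based and resource-based policies described above combine under IAM's default-deny rule: no permission unless an Allow matches, and an explicit Deny always wins. The account id, user name and bucket are constructed sample values, and the model deliberately ignores Condition blocks, SCPs, permission boundaries and cross-account rules.

```python
from fnmatch import fnmatchcase

# Constructed sample: identity-based policy attached to user "alice" (least privilege:
# read one bucket, with an explicit Deny carving out a restricted prefix).
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-reports/restricted/*"},
    ],
}

# Constructed sample: resource-based (bucket) policy naming who may act on the bucket.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-reports/uploads/*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, principal, action, resource):
    # Resource-based statements name a Principal; identity-based statements do not.
    if "Principal" in stmt:
        who = stmt["Principal"]
        names = ["*"] if who == "*" else _as_list(who.get("AWS", []))
        if "*" not in names and principal not in names:
            return False
    # Action names match case-insensitively, ARNs case-sensitively; both allow wildcards.
    return (any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def is_allowed(policies, principal, action, resource):
    """Implicit deny by default; a matching Allow grants; a matching Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_applies(stmt, principal, action, resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Calling `is_allowed([USER_POLICY, BUCKET_POLICY], principal, action, resource)` shows that alice can read `2024/q1.csv` but not `restricted/…`, can upload only under `uploads/` (granted by the bucket policy, not her own policy), and cannot delete anything because nothing grants it.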

I hope this was a useful overview of the major topics you will encounter when using IAM.

#aws #awswhitepapers
