What is IAM in AWS?

In AWS (Amazon Web Services), IAM stands for Identity and Access Management. It's basically a service that helps you control who can do what within your AWS environment. With IAM, you can create and manage users, assign specific permissions to them, and control access to AWS resources like servers, databases, and storage. So, in simple terms, IAM helps you manage who has access to your stuff in the AWS cloud and what they're allowed to do with it.

What is IAM?

  • IAM stands for Identity and Access Management.
  • IAM lets you manage users and their level of access to the AWS Management Console and to the AWS APIs.
  • It is used to set up users, groups, roles and permissions, and to grant access to the different parts of the AWS platform.
  • AWS Identity and Access Management is a web service that enables AWS customers to manage users and user permissions in AWS.
  • With IAM, organizations can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources those users can access.
  • Without IAM, an organization with multiple users would have to either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or share one account with a single set of credentials. Without IAM, you also have no control over which tasks each user can perform.
  • IAM enables an organization to create multiple users, each with its own security credentials, all controlled and billed under a single AWS account. IAM lets each user do only what they need to do as part of their job (the principle of least privilege).

Features of IAM

  • Centralised control of your AWS account: you control the creation, rotation and revocation of each user's security credentials, and you control which data in AWS users can access and how they can access it.
  • Shared access to your AWS account: several people can work in one account on collaborative projects, each with their own identity, without sharing credentials.
  • Granular permissions: you can allow a user to use one service (or even one API action on one resource) while denying everything else.
  • Identity federation: users who already have an identity elsewhere, for example in a corporate Active Directory (through a SAML 2.0 provider such as AD FS) or with a web identity provider such as Facebook or Google, can access AWS without an IAM user being created for each of them. The user authenticates with the external provider, and AWS exchanges that proof of identity for temporary credentials tied to an IAM role; the external password is never sent to AWS.
  • Multi-factor authentication: in addition to the username and password, a user must present a one-time code from an MFA device (a virtual authenticator app or hardware token) or a FIDO security key to sign in to the AWS Management Console. MFA can also be required for individual API calls through the aws:MultiFactorAuthPresent condition key in a policy.
  • Permissions based on organizational groups: users are placed in IAM groups that reflect their job duties (for example admins, developers) and receive their permissions through the group.
  • Networking controls: policy conditions on keys such as aws:SourceIp or aws:SourceVpc can restrict access so that requests are allowed only from the organization's corporate network or VPC. Note that aws:SourceIp does not apply to requests that an AWS service makes on your behalf, so such a condition needs testing before it is used as a guardrail.
  • Temporary access for users, devices and services where necessary: the AWS Security Token Service (STS) issues short-lived credentials. A mobile app that stores data in your AWS account, for example, should obtain temporary credentials (typically through Amazon Cognito or web identity federation) rather than ship long-term access keys inside the app.
  • Integrates with many different AWS services: nearly every AWS service checks IAM policies before it executes an API call.
  • Supports PCI DSS compliance: IAM supports the processing, storage and transmission of credit card data by a merchant or service provider and has been validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS). Compliance of the application you build on top of it remains your responsibility.
  • Eventually consistent: IAM achieves high availability by replicating its data across multiple AWS data centers around the world, so a change (a newly created user, a newly attached policy) can take a few seconds to become visible everywhere. Do not put IAM changes in the critical path of code that needs them to take effect immediately; verify and retry instead.
  • Free to use: IAM is a feature of your AWS account offered at no additional charge. You are charged only for the other AWS services that your IAM users and roles consume.
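The granular-permission, MFA and network-control features above all rest on the same evaluation rule: an explicit Deny beats any Allow, and without a matching Allow the request is implicitly denied. The following is an added example, not code from the article or from AWS, that models that rule in plain Python so the interaction between the three kinds of statement can be tried offline. The policy, account ID, bucket name and IP ranges are constructed for illustration, and the model covers only Action/Resource wildcards, the ${aws:username} variable and the Bool, StringEquals, IpAddress and NotIpAddress operators (no NotAction, resource-based policies, permission boundaries or SCPs).

```python
"""Added example: a small model of how IAM evaluates an identity-based policy.

Explicit Deny beats any Allow; without a matching Allow the request is
implicitly denied. This is a simplified model for learning, not a
replacement for the IAM policy simulator.
"""
import fnmatch
import ipaddress
import json
import re

# Constructed policy for illustration (not taken from the article):
# read-only access to one bucket, everything denied outside the corporate
# network, and self-service password change only with MFA.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadReports",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports",
                  "arn:aws:s3:::example-reports/*"]},
    {"Sid": "DenyOutsideCorpNetwork",
     "Effect": "Deny",
     "Action": "*",
     "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Sid": "ChangeOwnPasswordWithMfa",
     "Effect": "Allow",
     "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _expand(resource, ctx):
    """Substitute policy variables such as ${aws:username} from the request context."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: str(ctx.get(m.group(1), m.group(0))), resource)


def _condition_holds(operator, actual, wanted):
    if actual is None:
        # Simplification: a missing context key fails the condition. Real IAM
        # has extra rules for negated and ...IfExists operators.
        return False
    if operator == "Bool":
        return str(actual).lower() in [w.lower() for w in wanted]
    if operator == "StringEquals":
        return actual in wanted
    if operator in ("IpAddress", "NotIpAddress"):
        ip = ipaddress.ip_address(actual)
        hit = any(ip in ipaddress.ip_network(w, strict=False) for w in wanted)
        return hit if operator == "IpAddress" else not hit
    raise ValueError(f"condition operator {operator} not modelled")


def _statement_matches(stmt, action, resource, ctx):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    resources = [_expand(r, ctx) for r in _as_list(stmt.get("Resource", []))]
    if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
        return False
    # Every operator and every key must hold; within one key any listed value suffices.
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, wanted in pairs.items():
            if not _condition_holds(operator, ctx.get(key), _as_list(wanted)):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    corp = {"aws:SourceIp": "203.0.113.10", "aws:username": "alice",
            "aws:MultiFactorAuthPresent": "false"}
    obj = "arn:aws:s3:::example-reports/q1.csv"
    print(evaluate(POLICY, "s3:GetObject", obj, corp))
    print(evaluate(POLICY, "s3:GetObject", obj, dict(corp, **{"aws:SourceIp": "198.51.100.7"})))
```

The same request that is allowed from the corporate range is denied from any other address because the Deny statement matches every action and resource; and the password-change statement only takes effect when MFA was used and the target ARN is the caller's own user, which is how a single policy expresses "granular", "MFA" and "network" controls at once.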

AWS Account Root User

  • When you first create an AWS account, you start with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is the AWS account root user.
  • You sign in to the AWS Management Console with the email address and password you used to create the account; this combination is known as the root user credentials.
  • When you sign in as the root user, you have unrestricted access to all the resources in the account, and no IAM policy can restrict what the root user does.
  • The root user can also access billing information and change the account password. Because of this, protect the root user with MFA, do not create access keys for it, and use it only for the few tasks that require it (for example closing the account); do day-to-day work as an IAM user or through a role.

What is a Role?

  • A role is a set of permissions that grant access to actions and resources in AWS. The permissions are attached to the role, not to an IAM user or group.
  • An IAM user can use a role in the same AWS account or in a different account.
  • A role is similar to an IAM user: it is also an AWS identity with permission policies that determine what the identity can and cannot do in AWS.
  • A role is not uniquely associated with a single person; it can be assumed by anyone (or any workload) that the role's trust policy allows to assume it.
  • A role has no long-term security credentials, i.e. no password and no access keys. Instead, when a user or service assumes the role, temporary security credentials are created and handed to them.
  • You can use roles to delegate access to users, applications or services that normally do not have access to your AWS resources.

Situations in which "IAM Roles" can be used:

  • Sometimes you want to grant users access to the AWS resources in your own AWS account.
  • Sometimes you want to grant users access to the AWS resources in another AWS account.
  • A role lets a mobile app access AWS resources without storing long-term keys in the app.
  • A role can grant access to AWS resources to identities that live outside AWS (for example in a corporate directory or with a web identity provider).
  • A role can grant a third party access to your AWS resources so that they can perform an audit. When you do this, require the third party to present an external ID (the sts:ExternalId condition in the role's trust policy) so that the role cannot be used on behalf of one of their other customers.

IAM Roles Use Cases

There are two ways to use the roles:

  • IAM console: when an IAM user working in the console switches to a role, they temporarily take on the permissions of that role. The user gives up their original permissions and uses the role's permissions instead; when they exit the role, their original permissions are restored.
  • Programmatic access: an AWS service such as an Amazon EC2 instance can use a role by requesting temporary security credentials programmatically from AWS (for EC2, the credentials are delivered through the instance profile attached to the instance).

An IAM Role can be used in the following ways:

  • IAM user: roles are used to grant your IAM users permissions to access AWS resources in your own or in a different account. An IAM user can use the permissions attached to a role through the IAM console (Switch Role). Because the extra permissions exist only while the role is assumed, a role also helps prevent accidental access to sensitive AWS resources.
  • Applications and services: an application or service obtains the permissions attached to a role by calling the AssumeRole API. AssumeRole returns temporary security credentials associated with the role: an access key ID, a secret access key, a session token and an expiration time, and all three credential values must be sent with every request. The application can only take the actions the role permits. An application cannot "exit" the role the way a console user does; it simply stops using the temporary credentials (or lets them expire) and resumes using its original credentials.
  • Federated users: federated users sign in with an external identity provider (IdP) rather than with IAM credentials. The IdP authenticates the user and issues a SAML assertion or OIDC token; the application passes that to AWS STS (AssumeRoleWithSAML or AssumeRoleWithWebIdentity), which returns temporary credentials associated with a role. Those credentials give the user the role's permissions.
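A role is defined by two documents: a trust policy that says who may assume it and a permissions policy that says what they may do once they have. The following is an added example, not code from the article or from AWS, that builds both for the third-party audit scenario above, flags trust policies a reviewer should reject (a wildcard principal, or a foreign account without an external ID), and turns an AssumeRole response into the environment variables the AWS CLI and SDKs read. The account IDs, role name, external ID and the STS response are constructed; the response only mirrors the field names STS returns.

```python
"""Added example: the two halves of an IAM role for cross-account or
third-party access, plus handling of the temporary credentials that
AssumeRole returns. All identifiers and the STS response are constructed."""
from datetime import datetime, timezone

SAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Build the trust policy: WHO may assume the role.

    For a third party (e.g. an auditor) always set an external ID so the role
    refuses AssumeRole calls the third party makes on behalf of someone else
    (the confused-deputy problem). For humans in your own organization,
    require MFA instead."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def permissions_policy():
    """Build the permissions policy: WHAT the role may do (read-only audit here)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:GetAccountSummary", "iam:GenerateCredentialReport",
                   "iam:GetCredentialReport", "iam:ListUsers"],
        "Resource": "*"}]}


def trust_policy_findings(policy, own_account_id):
    """Return review findings for a trust policy (empty list means acceptable)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principals = principal.get("AWS", []) if isinstance(principal, dict) else [principal]
        aws_principals = aws_principals if isinstance(aws_principals, list) else [aws_principals]
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for p in aws_principals:
            if p == "*":
                findings.append("any AWS principal may assume this role")
            elif own_account_id not in p and not has_external_id:
                findings.append(f"cross-account principal {p} without sts:ExternalId")
    return findings


def session_env(assume_role_response, now):
    """Map an AssumeRole response to environment variables for the AWS CLI/SDKs.

    Refuses expired credentials. Temporary access key IDs start with 'ASIA';
    long-term IAM user keys start with 'AKIA'."""
    creds = assume_role_response["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= now:
        raise ValueError("temporary credentials expired; call AssumeRole again")
    if not creds["AccessKeyId"].startswith("ASIA"):
        raise ValueError("not a temporary credential")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],  # mandatory with temporary credentials
        "AWS_CREDENTIAL_EXPIRATION": expires.isoformat(),
    }


# Constructed AssumeRole response in the shape STS returns (all values fake).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLE000000001",
        "SecretAccessKey": "examplesecretkeyexamplesecretkeyexample00",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionTokenExampleSessionToken",
        "Expiration": "2024-06-01T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE000000001:audit-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ThirdPartyAuditRole/audit-session",
    },
}

if __name__ == "__main__":
    print(trust_policy_findings(trust_policy("999988887777"), "123456789012"))
    print(trust_policy_findings(trust_policy("999988887777", external_id="audit-7f3a9c"), "123456789012"))
    print(session_env(SAMPLE_RESPONSE, SAMPLE_NOW)["AWS_CREDENTIAL_EXPIRATION"])
```

The second trust policy passes review because the auditor's account can only assume the role when it also presents the agreed external ID; the first is flagged. On the consuming side, forgetting AWS_SESSION_TOKEN is the most common mistake with assumed-role credentials, and checking the expiration before use avoids a confusing failure mid-run.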


Creating IAM Users

Creating an IAM user in the console (roles are created from the "Roles" pane of the same console; the steps below create a user)

  1. Sign in to the AWS Management Console: go to https://aws.amazon.com/, choose Sign In to the Console, and sign in with an identity that has IAM administrative permissions (avoid using the root user for this).
  2. Open the IAM console: once signed in, navigate to the IAM console by searching for "IAM" in the AWS services search bar or by selecting "IAM" under "Security, Identity, & Compliance".
  3. Choose "Users": in the IAM console, select "Users" from the left-hand navigation pane.
  4. Click "Add user" (labelled "Create user" in newer console versions) to start creating a new IAM user.
  5. Enter user details: enter a user name. Choose whether the user needs AWS Management Console access (a password), programmatic access (access keys for the AWS CLI and SDKs), or both. Depending on the console version, access keys are either offered here or created afterwards from the user's "Security credentials" tab. Grant only the kind of access the user actually needs.
  6. Set permissions: either add the user to an existing IAM group with predefined permissions (preferred, so that permissions follow job functions rather than individuals) or attach policies directly to the user. Policies define which actions the user may perform on which AWS resources; start from the smallest set of permissions that does the job.
  7. Review: check the user details and permissions to ensure they are correct.
  8. Create user: click "Create user".
  9. Access credentials: if you enabled programmatic access, the console shows the access key ID and secret access key. The secret is displayed only once, so copy or download it now and store it in a secrets store, never in source control or chat. Enrol an MFA device for console users, and for workloads running on AWS (EC2, Lambda, containers) prefer a role over a user with long-term keys.
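Once users exist, the hygiene points raised in the root-user section and in step 9 (no root access keys, MFA on every console password, access keys rotated on a schedule) are easiest to check from the IAM credential report, a CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` produces. The following is an added example, not code from the article or from AWS, that audits such a report offline. The CSV is constructed in the report's column layout with made-up users and dates, and the 90-day rotation limit is an assumed policy, not an AWS default.

```python
"""Added example: audit an IAM credential report for root access keys,
console users without MFA and stale access keys. REPORT is a constructed
sample in the column layout of the real report; users and dates are fake."""
import csv
import io
from datetime import datetime, timezone

KEY_MAX_AGE_DAYS = 90  # assumed rotation policy, not an AWS default
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the sample

REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2022-03-01T09:00:00+00:00,not_supported,2024-05-30T08:00:00+00:00,not_supported,not_supported,true,true,2023-01-15T10:00:00+00:00,2024-05-29T07:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-06-10T12:00:00+00:00,true,2024-05-31T09:10:00+00:00,2024-03-01T12:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-01-20T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-10T08:12:34+00:00,2024-05-31T11:00:00+00:00,eu-west-1,ec2,true,2024-05-20T08:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2023-09-05T12:00:00+00:00,true,2024-05-31T16:00:00+00:00,2024-04-02T12:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""


def _age_days(stamp, now):
    """Whole days between an ISO 8601 timestamp from the report and `now`."""
    return (now - datetime.fromisoformat(stamp)).days


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for rows that break the hygiene rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # The root user should have MFA and no access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root user has active access key {n}"))
            continue
        # A console password (password_enabled) must be paired with MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Active access keys must have been rotated within the policy window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] == "true":
                age = _age_days(row[f"access_key_{n}_last_rotated"], now)
                if age > KEY_MAX_AGE_DAYS:
                    findings.append((user, f"access key {n} not rotated for {age} days"))
    return findings


def sample_findings():
    """Run the audit over the constructed report with the constructed clock."""
    return audit_credential_report(REPORT, NOW)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

Against the sample the audit reports the root user's active access key, alice's console password without MFA and bob's first access key (142 days since rotation); carol and bob's recently rotated second key pass. Run on a real report, the same function gives a short remediation list rather than a 22-column spreadsheet.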



Abhijit Bendre

Software Engineer at KisanKonnect | ASP, .NET Core, React, SQL Server, HTML, CSS | Computer Science UG | CS'23

1 year

Very useful

KRISHNA KANT TIWARI

Software Developer at IdeaFarm Technology Pvt. Ltd.

1 year

Awesome brother
