What is IAM? Identity and access management-AWS IAM

In business IT, identity and access management (IAM) refers to the process of establishing and maintaining the roles and privileges of specific network entities (users and devices) in relation to a range of cloud and on-premises services. Customers, partners, and workers are examples of users, whereas computers, cellphones, routers, servers, controllers, and sensors are examples of devices. The main goal of IAM systems is to provide a single digital identity for each person or thing. Once a digital identity has been created, it must be maintained, updated, and tracked throughout the access lifespan of each user or device.

IAM systems give administrators the tools and technology they need to alter a user's position, track their actions, generate reports, and enforce regulations on a regular basis. These systems are intended to manage user access throughout a whole organisation while also ensuring compliance with company rules and regulatory requirements.


AWS Identity and Access Management (IAM)

AWS IAM is a web service that controls access to AWS resources.

The identity created when you first sign up is called the root user of the AWS account. It signs in with the account's email address and password.

How IAM works: the core components

  • A directory or identity repository of the personal data the system uses to define individual users
  • A set of tools for adding, modifying and deleting that data (related to access lifecycle management)
  • A system that regulates and enforces user access
  • An auditing and reporting system


IAM's role in the organization’s security stack

IAM serves a variety of essential tasks throughout an organization's security "stack," but it isn't always recognised as such, since these roles are dispersed across many parts of the organisation, such as development teams, IT infrastructure, operations management, the legal department, and so on.

First and foremost, IAM methods are only the beginning of a secure network's management. They require businesses to define their access rules, detailing who has access to which data resources and apps, as well as the terms under which they have access.

Second, IAM must be integrated with all aspects of the company, including analytics, business intelligence, customer and partner portals, and marketing tools.

Next, IAM extends beyond user authentication to cover non-human things such as application keys, APIs, and secrets, as well as agents and containers.

Finally, IAM needs to be tied closely with adaptive authentication and MFA tools. Authentication used to be thought of as a binary go/no-go decision at the moment of login, such as signing into a VPN. That’s old-world thinking. Today’s IAM needs more granularity to prevent account takeovers and subtle phishing attacks. This increases trust and improves overall usability.


AWS IAM — Key Features

Authentication: With AWS IAM you create and manage identities such as users, groups, and roles, and issue and enable authentication for the resources, people, services, and apps within your AWS account.

Authorization: Policies and permissions are the two main components of access management, or authorization, in IAM.

Fine-grained permissions: Using IAM, you can configure and tune these permissions to the needs of your users.

Shared access to AWS accounts: Most businesses have several AWS accounts and occasionally need to delegate access across them. You can accomplish this using IAM without having to share your credentials.

AWS Organizations: AWS Organizations can be used to group accounts and apply permission restrictions, giving fine-grained management across numerous AWS accounts.

Identity federation: Organizations frequently need to federate access from other identity providers such as Okta, G Suite, or Active Directory. Identity federation, a feature of IAM, allows you to achieve this.
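As an added illustration (not AWS's own code, and not part of the original article), the following Python model shows how the authorization features above fit together: a constructed identity-based policy with fine-grained S3 permissions, evaluated with IAM's default-deny, explicit-deny-wins logic. The policy document, bucket name and ARNs are constructed samples, and the evaluator deliberately ignores resource policies, permission boundaries, SCPs and Condition blocks.

```python
# Simplified model of how AWS IAM evaluates identity-based policies.
# Added illustration, not AWS code: it ignores resource-based policies,
# permission boundaries, SCPs, session policies and Condition blocks.
from fnmatch import fnmatchcase

# Constructed sample policy: read-only access to one S3 bucket, plus an
# explicit Deny on every delete action regardless of what else is allowed.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Deny",
         "Action": "s3:Delete*",
         "Resource": "*"},
    ],
}

def _as_list(value):
    # IAM allows a single string or a list in Action/Resource elements.
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate, fold_case=False):
    # IAM patterns support '*' and '?' wildcards. Action names are matched
    # case-insensitively in this model; resource ARNs are compared as written.
    pats = _as_list(patterns)
    if fold_case:
        pats = [p.lower() for p in pats]
        candidate = candidate.lower()
    return any(fnmatchcase(candidate, p) for p in pats)

def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request.

    Order mirrors IAM: everything is denied by default, an explicit Deny in
    any policy overrides every Allow, otherwise a matching Allow is required.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit deny wins; stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"
```

Passing a second, broader policy alongside SAMPLE_POLICY shows why the explicit Deny matters: the delete ban still holds even when another attached policy allows `s3:*`.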


Challenges and risks of implementing IAM

The interaction between IAM and single-sign on (SSO) must be properly managed.

IAM personnel must be familiar with a variety of cloud architectures.

Any new application should have identity management built in from the outset, according to IT managers.


A few key IAM terms

Access management: The methods and technology used to regulate and monitor network access. Authentication, authorisation, trust, and security auditing are all aspects of the best ID management systems, which are available for both on-premises and cloud-based systems.

Biometric authentication: A user authentication procedure that depends on the user's unique physical features. Fingerprint sensors, iris and retina scanning, and face recognition are examples of biometric authentication technology.

Credential: Something used as identification to obtain access to a network, such as a user's password, a public key infrastructure (PKI) certificate, or biometric information (fingerprint, iris scan).

Digital identity: The ID itself, which includes the user's description and access capabilities.

Identity as a Service (IDaaS): Cloud-based IDaaS provides identity and access management capabilities to an organization's on-premises and cloud-based systems.

Identity synchronization: The process of ensuring that data for a particular digital ID is consistent across different identity stores, such as those created as a consequence of an acquisition.

Multi-factor authentication (MFA): MFA is in use when more than one factor, beyond a user name and password, is required for network or system authentication. At least one more step is necessary, such as obtaining a code through SMS, inserting a smart card or USB stick, or passing a biometric authentication test, such as a fingerprint scan.

Privileged account management: This term refers to managing and auditing accounts and data access based on the privileges of the user. In general terms, a privileged user has been granted administrative access to systems because of his or her job or function. A privileged user, for example, would be able to set up and delete user accounts and roles.

Security principal: A digital identity that can be authenticated and permitted to interact with the network using one or more credentials.

User behavior analytics (UBA): UBA systems analyse user activity patterns and apply algorithms and analysis to discover significant anomalies that might signal security concerns. UBA differs from other security methods, such as device tracking or security event monitoring. UBA is sometimes referred to as UEBA when it is combined with entity behaviour analytics.

Active Directory (AD): For Windows domain networks, Microsoft created AD as a user-identity directory service. Despite being proprietary, Active Directory is included in the Windows Server operating system and is therefore extensively used.

Context-aware network access control: A policy-based approach to granting users access to network resources depending on their present context. A user attempting to log in from an IP address that hasn't been whitelisted, for example, would be denied access.

De-provisioning: The removal of an identity from an ID repository and the termination of its access privileges.

Entitlement: The set of attributes that define an authenticated security principal's access rights and privileges.

Identity lifecycle management: The phrase refers to the whole set of procedures and technology for maintaining and updating digital identities, similar to access lifecycle management. Identity lifecycle management includes identity synchronisation, provisioning, and de-provisioning, as well as the continuing management of user characteristics, credentials, and entitlements.

Lightweight Directory Access Protocol (LDAP): LDAP is an open standards-based protocol for maintaining and accessing distributed directory services like Microsoft's Active Directory.

Password reset: A feature of an ID management system that allows users to reset their own passwords, removing the burden from administrators and reducing support calls. The user typically uses a browser to visit the reset application, which asks for a secret word or a series of questions to verify the user's identity.

Risk-based authentication (RBA): With risk-based authentication, authentication requirements are adjusted dynamically based on the user's circumstances at the time authentication is attempted. When users seek to authenticate from a geographic area or IP address with which they have not previously been linked, they may be subjected to extra authentication procedures.

Single sign-on (SSO): A kind of access control for several systems that are linked but not identical. A user can access a system or systems with a single username and password rather than multiple credentials.

