What is AWS IAM?
AWS IAM stands for Identity and Access Management Service. This is a web service that helps to control access to your AWS resources by your administer. It also lets you manage users and provide control to manage which users would have permission to access various AWS resources.
AWS IAM lets you [as root user] or your IT administer to control access of an user based on a role to various AWS services and type of actions they could perform. It also helps to manage access for federal users.
AWS lets you to access IAM via AWS Console, AWS Command Line Interface (CLI) and SDK’s.
When you think about to start a business in AWS, you must need an account to get started with it. By registering your email id while account creation, AWS creates an user called as root user which has full privilege to all the resources by default. Now when your business grows, you would need Developers, Testers and Administers for different work role into your business. So managing multiple people within an account would be challenging for you and you could not share your root user [Not recommended] credentials within all members in your project to access AWS services.
In corporate or private network password is often shared insecurely over phone or email and there are chances where the password for admin user could share with one to many members within the team. So IAM comes into this picture to manage user and their access within AWS.
Components of IAM
IAM lets you to securely manages access to AWS resources. You may need to understand some basic components of IAM such as users, groups, policies, roles etc to better manage access to services.
Users – An IAM user represents an actual AWS customer or a person or an application that are used to authenticate individual user identities. Each IAM user could be associated with one AWS account only. AWS does not allow to have access to any services for a newly created user by default.
Groups – IAM groups are collection of users which allow to manage access for multiple users at once so that any permissions are applied to the groups would be applied across all the users that are part of the group. This minimize the administrative activity for managing users.
Policies – An IAM policy is used to set permission and control access to AWS services. Policies are written in JSON documents and are stored in JSON documents. A policy is written with eet of permissions which specify who has access to the resources and what action they could perform. There are two types of policies inline policies and managed policies.
- Inline Policies – This is the inherit part of the principal entity (User, group, role). AWS allows you to create a policy and embedded in a principal entity.
- Managed Policies – Its a default policy and could be attached to multiple entities (users, groups and roles).
Roles – An IAM role is created with specific permissions in AWS. It determines what an identity could do or couldn’t do with the set of permission policies. A role does not have any credentials such as passwords or keys associated with it. Instead , it uses a temporary credentials to allow an user to interact with the services in AWS. They are not permanent users, rather users with temporary access to your AWS accost.
Features of IAM
Shared Access – This helps to grant required access to an user to access the resources without sharing any passwords or keys.
Granular Permissions – This lets you grant different access to different users for different resources. You could grant privilege as per user role.
Multi-factor authentication (MFA) – Its a two layer authentication to login to your AWS account for better security. You need to specify an authentication code along with your usual login information for a login authentication.
Identify Federation – This allow an user from corporate network or with an internet identity provider for temporarily access to your AWS account.
PCI DSS Compliance – AWS IAM supports processing, storage and transmission of credit card data by a merchant or service provider and has been validated and complaint with Payment Card Industry (PSI) Data Security Standard (DSS).
Eventually Consistent – IAM achieves high availability as like other services by replicating data across different Availability Zone within regions.
Audit – With AWS CloudTrail, a full users activity log is stored for security audits.
AWS does not incur any charges for using IAM service. However it charges per hour based on the services that users used in your account.
Please comment below for any questions related to this blog.