AWS IAM
● IAM stands for Identity and Access Management.
● AWS IAM may be a service that helps you control access to AWS resources securely.
● You use IAM to regulate who is allowed and have permissions to AWS Resources.
● You can manage and use resources in your AWS account without having to share your password or access key.
● It enables you to manage access to AWS services and resources securely.
● We can attach Policies to AWS users, groups, and roles.
Principal: An Entity that will make a call for action or operation on an AWS Resource. Users, Groups, Roles all are AWS Principal. AWS Account Root user is the first principal.
IAM User & Root User
● Root User - When you first create an AWS account, you begin with an email (Username) and Password with complete access to all AWS services and resources in the account. This is the AWS account, root user.
● IAM User - A user that you create in AWS.
o It represents the person or service who interacts with AWS.
o IAM users’ primary purpose is to give people the ability to sign in to AWS individually without sharing the password with others.
o Access permissions will be depending on the policies which are assigned to the IAM User.
IAM Group ● A group is a collection of IAM users.
● You can assign specific permission to a group and add the users to that group.
● For example, you could have a group called DB Admins and give that type of permission that Database administrators typically need.
IAM Role
● IAM Role is like a user with policies attached to it that decides what an identity can or cannot do.
● It will not have any credentials/Password attached to it.
● A Role can be assigned to a federated user who signed in from an external Identity Provider.
● IAM users can temporarily assume a role and get different permission for the task.
IAM Policies
● It decides what level of access an Identity or AWS Resource will possess.
● A Policy is an object associated with identity and defines their level of access to a certain resource.
● These policies are evaluated when an IAM principal (user or role) makes a request.
● Policies are JSON based documents.
● Permissions inside policies decide if the request is allowed or denied.
o Resource-Based Policies: These JSON based policy documents attached to a resource such as Amazon S3 Bucket.
o These policies grant permission to perform an action on that resource and define under what condition it will apply.
o These policies are the inline policies, not managed resource-based policies.
o IAM supports only one type of resource-based policy called trust policy, and this policy is attached to a role.
o Identity-Based Policies: These policies have complete control over the identity that it can perform on which resource and under which condition.
o Managed policies: Managed policies can attach to the multiple users, groups, and roles in the AWS Account.
▪ AWS managed policies: These policies are created and managed by AWS.
▪ Customer managed policies: These policies are created and managed by you. It provides more precise control than AWS Managed policies.
o Inline policies: Inline policies are the policies that can directly be attached to any individual user, group, or role. It maintains a one-to-one relationship between the policy and the identity.
IAM Security Best Practices: ● Grant least possible access rights.
● Enable multi-factor authentication (MFA).
● Monitor activity in your AWS account using CloudTrail.
● Use policy conditions for extra security.
● Create a strong password policy for your users.
● Remove unnecessary credentials.
Pricing:
● Amazon provides IAM Service at no additional charge.
● You will be charged for the services used by your account holders.