With AWS Identity and Access Management (IAM), you are empowered to manage secure access to your AWS resources with users, groups, and permissions.
You can think about identity and access management as: WHO (workforce users and workloads) CAN ACCESS (permissions with IAM policies) WHAT (resources within your AWS organization).
It is free to use, and helps you manage user access to your computing, storage, database, and application services. IAM access and permissions are global; the access you set for a user or group applies in all regions.
The principle to follow when granting access via IAM is the Principle of Least Privilege: grant only the permissions a user or workload needs to do its job.
IAM Components
- Root Access: the e-mail address used to set up the AWS account
  - Always has full administrator access
  - Create a user for each individual; don't allow sharing of user accounts
  - Secure the root account using MFA
- Group: a place to store users
  - Users inherit all group permissions
  - Set permissions by applying policies written as JSON key-value pairs
- Roles: a secure way to grant permissions to entities (users, groups) you trust
  - Keys are valid only for short durations
  - Apply roles to EC2 instances
  - Roles are much easier and more secure to manage than Access Key IDs and Secret Access Keys
  - The trusted entity can be:
    - An IAM user from another account
    - An app running code on EC2 that performs actions on other resources
    - An AWS service that needs to act on other resources
    - Users from a corporate directory using Identity Federation
Benefits
- Enhanced Security: grant unique security credentials to resources
- IAM is secure by default: users have no access to resources until permissions are explicitly granted
- Granular Control: use permissions to provide granular control to AWS services and resources
- Temporary Credentials: create roles to define a set of permissions and allow authenticated users or EC2 instances to assume them, providing temporary access to the defined resources
- Flexible Security Credential Management: authenticate users in several ways, including MFA, key pairs, passwords, and X.509 certificates
- Leverage External Identity Systems: use federated access to allow sign-in through corporate identity systems like AD and external web identity providers like Facebook
- Seamless Integration with AWS Services: access controls defined in the IAM console are enforced throughout the AWS infrastructure
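The "secure by default" rule above, together with group-inherited JSON policies, is easiest to see in a worked evaluation. The following is an added example, not code from the original post: two constructed policy documents (one attached to a group, one to a user) and a simplified evaluator that models IAM's decision order, where nothing is allowed unless a statement explicitly allows it and an explicit Deny always overrides an Allow. The policy documents use the real IAM keys (Version, Statement, Effect, Action, Resource); the evaluator itself is a teaching model, not the IAM engine, and ignores conditions, principals and resource-based policies.

```python
import fnmatch

# Constructed sample policies (not from the original page).
DEVELOPERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ],
}
ALICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Explicit deny: the group allows reads, but the prod prefix stays off limits.
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-assets/prod/*"},
    ],
}


def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are case-insensitive in IAM; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are case-sensitive; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policies, action, resource):
    """Evaluate one request against all attached policies (user + inherited group)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_action_matches(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_resource_matches(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False          # explicit deny wins over any allow
            allowed = True            # remember the allow, but keep scanning for denies
    return allowed                    # default deny: no matching statement at all
```

Attach both documents to the same identity and the request for `s3:PutObject` is refused with no Deny statement at all, which is the default-deny behaviour the list above describes.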
Functionality
With IAM, you can manage…
- Users and their access
- Roles and their permissions
- Federated users and their permissions
3 Ways to Access AWS
- AWS Console
- Programmatically, via the AWS Command Line Interface (CLI)
- Software Development Kit (SDK)