What is IAM?
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
- Manage users and their level of access to the AWS console.
- Set users, permissions and roles.
- Create multiple users, each with its own security credentials, controlled and billed to a single AWS account.
- Create and manage policies to grant access to AWS services and resources.
- Assign and control security credentials to each user.
- Create roles for your AWS account.
- Create and manage IAM groups.
Features of IAM
- Centralised control of your AWS account: You control the creation, rotation, and deactivation of each user's security credentials, as well as which data in your AWS account users can access and how they access it.
- Enhanced security: IAM supports security best practices by letting you give each user unique security credentials and specify exactly which AWS service APIs and resources that user can call.
- Shared access to your AWS account: You can grant other people permission to administer and use resources in your account without sharing your own password or access keys.
- Granular permissions: You can grant different permissions to different people for different resources, for example allowing a user to use one particular service but no others.
- Multi-factor authentication (MFA): You can require a second factor in addition to the username and password, such as a code from a configured MFA device, to sign in to the AWS Management Console or to call the API.
- Temporary access for users, devices and services where necessary: IAM roles issue temporary security credentials through AWS STS, so an application such as a mobile app that stores data in your account can obtain short-lived credentials instead of embedding long-term access keys.
- Integrates with many AWS services: Most AWS services evaluate IAM permissions before serving a request.
- Eventually consistent: IAM achieves high availability by replicating data across multiple servers in AWS data centers around the world, so a change (a new user, policy, or key) can take a short time to become visible everywhere. Do not put IAM changes in the critical, high-availability code paths of an application.
- Free to use: IAM is a feature of your AWS account offered at no additional charge. You are charged only for the other AWS services that your IAM identities use.
What are IAM users?
- An IAM user is an entity that you create in AWS.
- The IAM user represents the person or service that uses it to interact with AWS.
- A primary use for IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
- A user in AWS consists of a name, a password to sign in to the AWS Management Console, and up to two active access keys that can be used with the API or CLI. Access keys are long-term credentials, so rotate them and prefer roles with temporary credentials where possible.
- When you create an IAM user, you grant it permissions by making it a member of a group that has appropriate permission policies attached or by directly attaching policies to the user.
What are IAM Groups?
- An IAM group is a collection of IAM users.
- Add users to or remove them from a group.
- A user can belong to multiple groups.
- Groups cannot belong to other groups.
- You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
- For example, you could have a group called Admins and give that group the types of permissions that administrators typically need.
- Any user in that group automatically has the permissions that are assigned to the group.
What are IAM Roles?
- An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS. However, a role does not have any credentials (password or access keys) associated with it.
- Instead of being uniquely associated with one person, a role can be assumed by any principal that its trust policy allows. An IAM user can assume a role to temporarily take on different permissions for a specific task.
What problems do IAM roles solve?
- Through IAM roles, you can delegate access with defined permissions to trusted entities without sharing long-term access keys.
- You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.
How many IAM roles can be created?
By default you can create up to 1,000 IAM roles in one AWS account. If you need more, request a quota increase through the Service Quotas console or AWS Support.
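The part of a role that decides who may assume it is its trust policy, a resource-based policy attached to the role. A practitioner auditing delegation wants to know which principals each trust policy admits and whether cross-account access is guarded by an external ID or MFA. The following script is an added example, not code from the original page: it parses trust policy documents and reports over-broad principals. The two trust policies, the account IDs and the external ID are constructed for illustration.

```python
"""Audit IAM role trust policies: who is allowed to assume the role?

Added example, not code from the original page. The trust policies,
account IDs and external ID below are constructed for illustration.
"""
import fnmatch
import json

ASSUME_ACTIONS = ("sts:assumerole", "sts:assumerolewithsaml",
                  "sts:assumerolewithwebidentity")

# Tight: one named account, and it must present the agreed external ID.
TIGHT_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Loose: any principal in any AWS account may assume the role.
LOOSE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
})


def _as_list(value):
    """Most IAM policy fields accept either a single string or a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Yield (kind, identifier), e.g. ('AWS', 'arn:...') or ('Service', 'ec2.amazonaws.com')."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield ("AWS", "*")
        return
    for kind, ids in principal.items():
        for ident in _as_list(ids):
            yield (kind, ident)


def _account_of(identifier):
    """Account ID from an ARN or a bare 12-digit account ID; None if absent."""
    if identifier.isdigit():
        return identifier
    parts = identifier.split(":")
    return parts[4] if len(parts) > 4 and parts[4] else None


def _grants_assume_role(statement):
    """True if any Action pattern (e.g. 'sts:*') covers an AssumeRole variant."""
    patterns = [a.lower() for a in _as_list(statement.get("Action", []))]
    return any(fnmatch.fnmatchcase(name, pattern)
               for pattern in patterns for name in ASSUME_ACTIONS)


def audit_trust_policy(policy_json, own_account):
    """Return (severity, message) findings for one role's trust policy."""
    findings = []
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or not _grants_assume_role(stmt):
            continue
        # Every condition key used anywhere in the statement's Condition block.
        condition_keys = {key for keys in stmt.get("Condition", {}).values() for key in keys}
        has_external_id = "sts:ExternalId" in condition_keys
        has_mfa = "aws:MultiFactorAuthPresent" in condition_keys
        for kind, ident in _principals(stmt):
            if kind == "AWS" and ident == "*":
                severity = "MEDIUM" if condition_keys else "HIGH"
                findings.append((severity, "any AWS principal may assume the role"
                                 + ("" if condition_keys else " with no Condition")))
            elif kind == "AWS" and _account_of(ident) != own_account and not (has_external_id or has_mfa):
                findings.append(("MEDIUM", f"cross-account principal {ident} without sts:ExternalId or MFA condition"))
            elif kind in ("Service", "Federated"):
                findings.append(("INFO", f"{kind} principal {ident} may assume the role"))
    return findings


if __name__ == "__main__":
    for name, doc in (("tight", TIGHT_TRUST_POLICY), ("loose", LOOSE_TRUST_POLICY)):
        print(name, audit_trust_policy(doc, own_account="222222222222") or "no findings")
```

In practice the policy documents come from `iam:ListRoles` (the `AssumeRolePolicyDocument` field) and the script is run against every role in the account; a `Principal` of `*` that is only constrained by a condition such as `aws:PrincipalOrgID` is reported at lower severity because the condition, not the principal element, is doing the restricting.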
IAM Users, Groups and Roles at a glance
IAM User
- An IAM user has permanent long-term credentials and is used to directly interact with AWS services.
IAM Group
- An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users.
IAM Role
- An IAM role is an AWS Identity and Access Management entity with permissions to make AWS service requests.
- IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2.
Policies and Permissions
- A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
- You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources.
- AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents.
Six Policy Types
- IAM policies define permissions for an action regardless of the method that you use to perform the operation.
- For example, if a policy allows the GetUser action, then a user with that policy can get user information from the AWS Management Console, the AWS CLI, or the AWS API.
- When you create an IAM user, you can choose to allow console or programmatic access.
- If console access is allowed, the IAM user can sign in to the console using a user name and password.
- Or if programmatic access is allowed, the user can use access keys to work with the CLI or API.
Identity-based policies
- Attach managed and inline policies to IAM identities (users, groups to which users belong, or roles). Identity-based policies grant permissions to an identity.
Resource-based policies
- Attach inline policies to resources.
- The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
- Resource-based policies grant permissions to the principal that is specified in the policy.
- Principals can be in the same account as the resource or in other accounts.
Permissions boundaries
- Use a managed policy as the permissions boundary for an IAM entity (user or role). The boundary defines the maximum permissions that the entity's identity-based policies can grant it, but does not grant any permissions by itself.
- Permissions boundaries do not limit the permissions that a resource-based policy can grant to the entity.
Organizations SCPs
- Use an AWS Organizations service control policy (SCP) to define the maximum permissions for account members of an organization or organizational unit (OU).
- SCPs limit permissions that identity-based policies or resource-based policies grant to entities (users or roles) within the account, but do not grant permissions.
Access control lists (ACLs)
- Use ACLs to control which principals in other accounts can access the resource to which the ACL is attached.
- ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure.
- ACLs are cross-account permissions policies that grant permissions to the specified principal.
- ACLs cannot grant permissions to entities within the same account.
Session policies
- Pass advanced session policies when you use the AWS CLI or AWS API to assume a role or a federated user.
- Session policies limit the permissions that the role or user's identity-based policies grant to the session.
- Session policies limit permissions for a created session, but do not grant permissions.
More on Policy and Permission
What is a policy summary?
- If you are using the IAM console and choose a policy, you will see a policy summary.
- A policy summary lists the access level, resources, and conditions for each service defined in a policy (see the following screenshot for an example).
- The access level (List, Read, Write, Permissions management, or Tagging) is derived from the actions granted for each service in the policy.
- You can view the policy in JSON by choosing the JSON button.
How do permissions work?
- Access control policies are attached to users, groups, and roles to assign permissions to AWS resources.
- By default, IAM users, groups, and roles have no permissions; a principal with sufficient permissions must attach a policy to grant the desired permissions.
How do I assign permissions using a policy?
- To set permissions, you can create and attach policies using the AWS Management Console, the IAM API, or the AWS CLI.
- Users who have been granted the necessary permissions can create policies and assign them to IAM users, groups, and roles.
What does a policy look like?
The following identity-based policy grants permission to read, add, update, and delete objects under a specific prefix ("folder"), example_folder, in a specific bucket, example_bucket. It grants nothing on other prefixes, on the bucket itself (for example s3:ListBucket, which targets the bucket ARN), or in any other service.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion"
      ],
      "Resource": "arn:aws:s3:::example_bucket/example_folder/*"
    }
  ]
}
```
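To see how the six policy types described earlier combine, and what the policy above does and does not allow, the following Python evaluator is an added example, not code from the original page. It implements a simplified version of AWS's documented evaluation order for one principal acting inside its own account: an explicit Deny anywhere wins, SCPs and a permissions boundary or session policy can only restrict, and a resource-based policy that names the principal can grant access on its own. Conditions, NotAction/NotResource/NotPrincipal, cross-account requests and role-session special cases are not modelled. The boundary, SCPs, bucket policy, principal ARN and object keys are constructed for the example; the identity-based policy is the one shown above.

```python
"""Simplified IAM policy evaluation: how the policy types combine.

Added example, not code from the original page. Models one principal
acting inside its own account; ignores Condition, NotAction/NotResource/
NotPrincipal, cross-account requests and role-session special cases.
"""
import fnmatch

# The policy shown on this page, used here as an identity-based policy.
PAGE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
               "s3:DeleteObject", "s3:DeleteObjectVersion"],
    "Resource": "arn:aws:s3:::example_bucket/example_folder/*"}]}

# Constructed for this example: a read-only boundary, the FullAWSAccess SCP
# plus an SCP that denies deletes, and a bucket policy granting one extra prefix.
READ_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
FULL_AWS_ACCESS_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
NO_DELETE_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
ALICE = "arn:aws:iam::123456789012:user/alice"          # constructed principal
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example_bucket/other/*"}]}
OBJ = "arn:aws:s3:::example_bucket/example_folder/report.csv"
OTHER = "arn:aws:s3:::example_bucket/other/report.csv"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(value, patterns, fold_case):
    """IAM-style wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are not."""
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _names_principal(statement, principal_arn):
    """Resource-based statements carry a Principal; identity-based ones do not."""
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    if principal == "*":
        return True
    ids = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
    return "*" in ids or principal_arn in ids


def evaluate_policy(policy, action, resource, principal_arn=None):
    """Return 'Deny', 'Allow' or None (no statement matched) for one document."""
    decision = None
    for stmt in _as_list(policy.get("Statement", [])):
        if not _names_principal(stmt, principal_arn):
            continue
        if not _match(action, _as_list(stmt.get("Action", [])), fold_case=True):
            continue
        if not _match(resource, _as_list(stmt.get("Resource", [])), fold_case=False):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def is_allowed(action, resource, principal_arn, identity_policies,
               permissions_boundary=None, scps=(), session_policy=None,
               resource_policy=None):
    """Apply the evaluation order for a same-account request; True if allowed."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    scp = [evaluate_policy(p, action, resource) for p in scps]
    boundary = evaluate_policy(permissions_boundary, action, resource) if permissions_boundary else None
    session = evaluate_policy(session_policy, action, resource) if session_policy else None
    resource_based = (evaluate_policy(resource_policy, action, resource, principal_arn)
                      if resource_policy else None)
    # 1. An explicit Deny in any applicable policy ends the evaluation.
    if "Deny" in identity + scp + [boundary, session, resource_based]:
        return False
    # 2. SCPs never grant: when any are attached, at least one must allow.
    if scps and "Allow" not in scp:
        return False
    # 3. A resource-based policy that names the principal grants access by itself
    #    (a boundary or session policy does not cap it for a same-account user).
    if resource_based == "Allow":
        return True
    # 4. Otherwise the identity-based policies must allow, and each restricting
    #    layer that is present must allow as well; none of them grant on its own.
    if "Allow" not in identity:
        return False
    if permissions_boundary and boundary != "Allow":
        return False
    if session_policy and session != "Allow":
        return False
    return True


if __name__ == "__main__":
    print("delete, identity only:", is_allowed("s3:DeleteObject", OBJ, ALICE, [PAGE_POLICY]))
    print("delete, read-only boundary:", is_allowed("s3:DeleteObject", OBJ, ALICE, [PAGE_POLICY],
                                                    permissions_boundary=READ_ONLY_BOUNDARY))
    print("delete, SCP denies:", is_allowed("s3:DeleteObject", OBJ, ALICE, [PAGE_POLICY],
                                            scps=[FULL_AWS_ACCESS_SCP, NO_DELETE_SCP]))
    print("get other prefix via bucket policy:", is_allowed("s3:GetObject", OTHER, ALICE,
                                                            [PAGE_POLICY], resource_policy=BUCKET_POLICY))
```

The point to take from the runs is the asymmetry between the types: the boundary and the SCP remove s3:DeleteObject without granting anything, while the bucket policy adds a prefix the identity policy never mentioned. For a real decision use the IAM policy simulator (`iam:SimulatePrincipalPolicy`), which also evaluates conditions and cross-account cases that this model leaves out.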