AWS IAM (Identity & Access Management)

Pravesh Natarajan
3 min read · Nov 7, 2021

An introduction to AWS IAM basics, roles, and responsibilities

Identity and Access Management

Introduction

As we know, the AWS Cloud is booming everywhere around the world. Inside the cloud, AWS IAM (Identity and Access Management) is one of the features offered to all users at no additional charge. With IAM, permission to access resources can be granted only by authorized users. Permission requests cannot be sent directly to AWS services; instead, permissions are assumed by authorized entities such as IAM users, applications, or AWS services like EC2.

It is a tool that allows businesses of all sizes to manage the identities and access rights of all their employees.

Six elements of the IAM workflow:

  1. Principal
  2. Authentication
  3. Request
  4. Authorization
  5. Actions
  6. Resources

Components of IAM

  • Users: An IAM user is an identity with an associated credential and permissions attached to it. The advantage of having one-to-one user specifications is that you can individually assign permissions to each user.
  • Groups: A collection of IAM users is an IAM group. You can use IAM groups to specify permissions for multiple users so that any permissions applied to the group are applied to the individual users in that group as well.
  • Policies: An IAM policy sets permission and controls access to AWS resources. Policies are stored in AWS as JSON documents. Permissions specify who has access to the resources and what actions they can perform.

There are two types of policies: managed policies and inline policies.

  1. A managed policy is a stand-alone policy that you attach to multiple entities (users, groups, and roles) in your AWS account. Managed policies, whether they are AWS-managed or customer-managed, are identity-based policies that can be attached to multiple users and/or groups.
  2. Inline policies are policies that you create and embed directly into a single entity (user, group, or role).

Roles and Features

An IAM role is a set of permissions that defines which actions an entity is allowed or denied in the AWS console. It is similar to a user in that it can be assumed by any type of entity (an individual or an AWS service). Role permissions are delivered as temporary credentials.

Some of the main features of IAM:

  • Shared access to the AWS account. The main feature of IAM is that it allows you to create separate usernames and passwords for individual users or resources and delegate access.
  • Granular permissions. Restrictions can be applied to requests. For example, you can allow the user to download information, but deny the user the ability to update information through the policies.
  • Multifactor authentication (MFA). IAM supports MFA, in which users provide their username and password plus a one-time password from their phone, i.e. a randomly generated number used as an additional authentication factor.
  • Identity Federation. If the user is already authenticated, such as through a Facebook or Google account, IAM can be made to trust that authentication method and then allow access based on it. This can also be used to let users maintain just one password for both on-premises and cloud environments.
  • Free to use. There is no additional charge for IAM security. There is no additional charge for creating additional users, groups, or policies.
  • PCI DSS compliance. The Payment Card Industry Data Security Standard is an information security standard for organizations that handle branded credit cards from the major card schemes. IAM complies with this standard.
  • Password policy. The IAM password policy allows you to reset a password or rotate passwords remotely. You can also set rules, such as how a user should pick a password or how many attempts a user may make to provide a password before being denied access.

Advantages of IAM:

  • Using IAM policies, you grant access to specific AWS service APIs and resources.
  • You also can define specific conditions in which access is granted, such as granting access to identities from a specific AWS organization or access through a specific AWS service.
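To make the policy rules in this post concrete, here is an added example (not code from the original post and not AWS code): a small Python model of how IAM combines a managed policy attached to a group with an inline policy embedded in a user, and then evaluates a request in IAM's order (any explicit Deny wins, then an Allow, otherwise implicit deny). It also shows the granular "allow download, deny update" case from the features list and a StringEquals condition on aws:PrincipalOrgID as mentioned under the advantages. All policy documents, the user and group names, the bucket ARN and the organization ID are constructed for this example.

```python
import fnmatch

# --- Constructed sample policies (hypothetical, not from the original post) ---

# Customer-managed policy attached to the "analysts" group: read-only on one bucket.
READ_ONLY_MANAGED = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# Inline policy embedded in a single user: forbids writes even if a group allows them,
# and allows a CloudTrail lookup only when the request comes from one AWS organization.
INLINE_DENY_WRITES = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "cloudtrail:LookupEvents",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}},
        },
    ],
}

GROUPS = {"analysts": [READ_ONLY_MANAGED]}
USERS = {"alice": {"groups": ["analysts"], "inline": [INLINE_DENY_WRITES]}}


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM's * and ? wildcards map onto fnmatch semantics for these simple ARNs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    # Only the StringEquals operator is modelled; every listed key must match the request context.
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) != expected:
                return False
    return True


def policies_for(user):
    """Collect every policy that applies to a user: inline policies plus group-attached managed ones."""
    record = USERS[user]
    applicable = list(record["inline"])
    for group in record["groups"]:
        applicable.extend(GROUPS[group])
    return applicable


def evaluate(user, action, resource, context=None):
    """Return 'Allow' or 'Deny' using IAM's order: explicit Deny > Allow > implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies_for(user):
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny anywhere always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched -> implicit deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    checks = [
        ("alice", "s3:GetObject", obj, {}),
        ("alice", "s3:PutObject", obj, {}),
        ("alice", "s3:DeleteObject", obj, {}),
        ("alice", "cloudtrail:LookupEvents", "*", {"aws:PrincipalOrgID": "o-exampleorg"}),
        ("alice", "cloudtrail:LookupEvents", "*", {"aws:PrincipalOrgID": "o-other"}),
    ]
    for user, action, resource, ctx in checks:
        print(f"{user:6} {action:24} -> {evaluate(user, action, resource, ctx)}")
```

The model covers only identity-based policies attached to users and groups; real IAM evaluation also takes service control policies, permissions boundaries, session policies and resource-based policies into account, and supports many more condition operators than StringEquals. The point to take from the run is the ordering: the group's managed policy grants the download, the user's inline Deny blocks the update regardless of that grant, an action no statement mentions is implicitly denied, and the conditional Allow applies only when the request context carries the expected organization ID.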
