Introduction to AWS Identity and Access Management IAM
What is IAM?
IAM is a web service that enables you to manage access to your AWS account and resources. It also provides a centralized view of who and what are allowed inside your AWS account (authentication), and who and what have permissions to use and work with your AWS resources (authorization).
With IAM, you can share access to an AWS account and resources without having to share your set of access keys or password.
What Is an IAM User?
An IAM user represents a person or service that interacts with AWS. You define the user within your AWS account. And any activity done by that user is billed to your account. Once you create a user, that user can sign in to gain access to the AWS resources inside your account.
IAM User Credentials
An IAM user consists of a name and a set of credentials. When creating a user, you can choose to provide the user:
- Access to the AWS Management Console.
- Programmatic access to the AWS Command Line Interface (AWS CLI) and AWS Application Programming Interface (AWS API).
What Is an IAM Group?
An IAM group is a collection of users. All users in the group inherit the permissions assigned to the group. This makes it easy to give permissions to multiple users at once. Itβs a more convenient and scalable way of managing permissions for users in your AWS account. This is why using IAM groups is a best practice.
What Is an IAM Policy?
To manage access and provide permissions to AWS services and resources, you create IAM policies and attach them to IAM users, groups, and roles. Whenever a user or role makes a request, AWS evaluates the policies associated with them. For example, if you have a developer inside the developers group who makes a request to an AWS service, AWS evaluates any policies attached to the developers group and any policies attached to the developer user to determine if the request should be allowed or denied.
Role Based Access in AWS
The root user is an all-powerful and all-knowing identity within your AWS account. If a malicious user were to gain control of root-user credentials, they would be able to access every resource within your account, including personal and billing information. To lock down the root user:
- Donβt share the credentials associated with the root user.
- Consider deleting the root user access keys.
- Enable MFA on the root account.
Authentication
Authorization
User Management
Central User Repository
IAM Best Practices
- Visit https://aws.amazon.com/console/
- Choose Sign In to the Console.
- Choose Root user. Enter the Root user email address.
- Choose Next.
- Enter the Password for the root user. Choose Sign in.
- Enable Multi-factor authentication (MFA).
- Create an UserGroup
- Add users
- Associate permissions policies
IAM Best Practices
- Visit https://aws.amazon.com/console/
- Choose Sign In to the Console.
- Choose Root user. Enter the Root user email address.
- Choose Next.
- Enter the Password for the root user. Choose Sign in.
- Enable Multi-factor authentication (MFA).
- Create an IAM User
- Add user
- Set up an IAM role for EC2 instance
- Create role
- Choose AWS Service > EC2
- Filter policies > AmazonS3FullAccess, AmazonDynamoDBFullAccess.
- Role name: S3DynamoDBFullAccessRole and create role.
Top comments (0)