Identity and Access Management (IAM) is a powerful, flexible, and secure web service that helps you manage access to AWS resources. It allows you to control who can access what within your AWS environment securely and scalably.
With IAM, you can implement fine-grained access control, ensuring that only authenticated and authorized users or applications can perform actions on specific AWS resources.
Core Concepts of IAM
1. Identities in IAM
Root User
- The root user is created automatically when an AWS account is created.
- Has complete unrestricted access to all AWS services and resources.
- Should be used only for specific tasks like:
  - Changing account settings
  - Creating the first IAM users
  - Managing billing information
Best Practice: Avoid using the root user for daily activities. Use IAM users instead.
IAM Users
- Represents a person or service interacting with AWS.
- Can have credentials such as:
  - Passwords (for console)
  - Access keys (for programmatic use)
- Permissions are assigned via policies.
IAM Groups
- A collection of IAM users.
- Permissions apply to all users in the group.
- Simplifies permission management for multiple users.
IAM Roles
- An identity with permissions policies.
- Not tied to a specific person.
- Used by:
  - AWS services (e.g., Lambda, EC2)
  - Federated users
  - Cross-account access
Temporary Credentials: When assuming a role, temporary credentials are issued.
2. Policies
What Are IAM Policies?
- JSON documents that define permissions.
- Specify who can do what on which resources under what conditions.
Types of Policies:
- Managed Policies
  - Standalone policies attached to users, groups, or roles.
  - Can be AWS-managed or customer-managed.
- Inline Policies
  - Directly embedded in a single identity.
Policy Evaluation Logic:
- Explicit Deny > Explicit Allow > Default Deny
- All requests are denied by default unless explicitly allowed, and an explicit Deny in any applicable policy overrides every Allow.
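To make the evaluation order concrete, here is a small policy evaluator added for this post (it is not AWS code and not part of the original article). It implements only the parts of the logic described above for identity-based policies: IAM-style `*`/`?` wildcards, case-insensitive action names, case-sensitive resource ARNs, and the `StringEquals` condition operator. `NotAction`, `NotResource`, resource-based policies, permissions boundaries and SCPs are deliberately out of scope. The sample policies, bucket name and the `aws:PrincipalTag/team` context value are constructed for the demonstration.

```python
import fnmatch


def _as_list(value):
    """IAM allows most policy elements to be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    """IAM-style matching: '*' matches any run of characters, '?' a single character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Only StringEquals is implemented in this example; an absent Condition always holds."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not supported here")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def _statement_applies(statement, action, resource, context):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    actions = _as_list(statement.get("Action", []))
    if not any(_wildcard_match(p, action, case_insensitive=True) for p in actions):
        return False
    resources = _as_list(statement.get("Resource", []))
    if not any(_wildcard_match(p, resource) for p in resources):
        return False
    return _condition_holds(statement.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request.

    Deny wins as soon as any matching statement says so; an Allow is only
    remembered until every statement has been checked for a Deny.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for statement in _as_list(policy["Statement"]):
            if not _statement_applies(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed sample: one managed-style allow policy plus a separate deny policy.
SAMPLE_POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": "arn:aws:s3:::reports-bucket/*"},
            {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny", "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::reports-bucket/final/*",
            # Hypothetical tag key used only to show a conditional Deny.
            "Condition": {"StringEquals": {"aws:PrincipalTag/team": "intern"}},
        },
    },
]

if __name__ == "__main__":
    obj = "arn:aws:s3:::reports-bucket/final/q1.csv"
    print(evaluate(SAMPLE_POLICIES, "s3:GetObject", obj))
    print(evaluate(SAMPLE_POLICIES, "s3:PutObject", obj, {"aws:PrincipalTag/team": "intern"}))
    print(evaluate(SAMPLE_POLICIES, "s3:DeleteObject", obj))
```

The third call shows the default-deny rule: no statement mentions `s3:DeleteObject`, so the request is implicitly denied even though nothing explicitly forbids it. The second call shows that a matching Deny in one policy overrides an Allow in another.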
3. Authentication vs. Authorization
| Term | Description |
|---|---|
| Authentication | Verifying identity (e.g., username/password, SSO) |
| Authorization | Determining what actions are permitted based on policies |
4. Access Control Mechanisms
a. Password Policies
- Define password rules (length, complexity, expiration).
- Enforce multi-factor authentication (MFA).
b. Multi-Factor Authentication (MFA)
- Adds a second layer of security.
- Supported types:
  - Virtual MFA apps
  - Hardware tokens
  - SMS-based (not recommended)
c. Access Keys
- Long-term credentials for CLI/SDK.
- Best practice: Rotate regularly and disable unused keys.
d. Temporary Security Credentials
- Issued by AWS STS.
- Used for:
  - IAM roles
  - Federation
  - AssumeRole API
5. Service Integration
IAM integrates seamlessly with most AWS services:
- Amazon S3
- Amazon EC2
- AWS Lambda
- AWS CloudFormation
You can define resource-level permissions in many services using IAM policies.
6. Federation & Single Sign-On (SSO)
IAM supports identity federation through:
- SAML 2.0 (Active Directory, Okta)
- OpenID Connect (OIDC) (Google, Azure AD)
- AWS IAM Identity Center:
  - Centralized access across AWS accounts and business apps.
  - Enables SSO using your existing identity provider.
7. Cross-Account Access
Use IAM roles to grant access from one AWS account to another.
Example:
- DevOps team in Account A can assume a role in Account B to deploy infrastructure.
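The pieces that make the Account A to Account B example work are a trust policy on the role in Account B (who may assume it), a permissions policy on that role (what it may do once assumed), a policy in Account A allowing the caller to call `sts:AssumeRole`, and the STS call itself. The code below is an added example, not the post's own and not AWS code: the account IDs `111111111111` (A) and `222222222222` (B), the role name `DeployRole`, the stack prefix and the external ID are placeholders. The `assume_role_session` function uses the real boto3 `assume_role` API but imports boto3 lazily, so the policy builders run without AWS access.

```python
import json


def build_trust_policy(trusted_account_id, external_id=None, require_mfa=False):
    """Trust policy for the role in Account B: which principals may call sts:AssumeRole.

    external_id limits who can trigger the assumption (standard for third-party access);
    require_mfa insists the caller's session was MFA-authenticated.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


def build_permissions_policy(stack_prefix):
    """Permissions for the deploy role: CloudFormation on stacks with an agreed prefix only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                       "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents"],
            "Resource": f"arn:aws:cloudformation:*:*:stack/{stack_prefix}*/*",
        }],
    }


def build_assume_role_grant(role_arn):
    """Policy attached in Account A so the DevOps identity may assume exactly this role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def assume_role_session(role_arn, session_name, external_id=None):
    """Exchange the caller's credentials for temporary ones scoped to the role."""
    import boto3  # imported here so the policy builders above work without boto3 installed
    sts = boto3.client("sts")
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if external_id:
        kwargs["ExternalId"] = external_id
    creds = sts.assume_role(**kwargs)["Credentials"]
    return boto3.Session(
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


# Placeholder account IDs and role name for the Account A -> Account B example.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "222222222222"
DEPLOY_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/DeployRole"

if __name__ == "__main__":
    print(json.dumps(build_trust_policy(ACCOUNT_A, external_id="example-external-id", require_mfa=True), indent=2))
    print(json.dumps(build_permissions_policy("devops-"), indent=2))
    print(json.dumps(build_assume_role_grant(DEPLOY_ROLE_ARN), indent=2))
```

The credentials returned by `assume_role` expire (the response also carries an `Expiration` timestamp), which is what makes this preferable to sharing long-term keys between accounts.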
8. Auditing & Monitoring
IAM integrates with several AWS services:
- AWS CloudTrail: Logs all IAM-related API calls.
- AWS Config: Tracks policy changes.
- IAM Access Analyzer: Identifies unintended resource access.
- AWS CloudWatch: Monitors IAM events (delivered via CloudTrail) and raises alarms on them.
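As an added example of the kind of monitoring these services enable (not from the post and not AWS code), the script below runs three simple detections over CloudTrail events: any activity by the root user, a successful console login without MFA, and privileged IAM changes such as creating access keys or attaching user policies. The events are constructed for the demonstration and use the real CloudTrail field names (`userIdentity`, `eventSource`, `eventName`, `additionalEventData.MFAUsed`); the account ID, user names and `203.0.113.x` addresses are placeholders.

```python
import json

# IAM API calls worth alerting on; the set is an assumption, extend it to taste.
PRIVILEGED_IAM_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "PutUserPolicy", "PutRolePolicy",
    "UpdateAssumeRolePolicy", "DeactivateMFADevice", "DeleteVirtualMFADevice",
}

# Constructed sample events in CloudTrail's record format.
SAMPLE_EVENTS = [
    {"eventTime": "2024-06-01T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
     "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-06-01T08:05:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
     "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2024-06-01T08:10:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"},
     "requestParameters": {"userName": "ci-deploy"}, "sourceIPAddress": "203.0.113.12"},
    {"eventTime": "2024-06-01T08:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session1"},
     "sourceIPAddress": "203.0.113.13"},
    {"eventTime": "2024-06-01T08:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob", "userName": "bob"},
     "requestParameters": {"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "203.0.113.11"},
]


def _principal(event):
    identity = event.get("userIdentity", {})
    return identity.get("arn") or identity.get("type", "unknown")


def detect(events):
    """Return (rule, eventName, principal) tuples for every rule an event trips."""
    findings = []
    for event in events:
        identity = event.get("userIdentity", {})
        name = event.get("eventName")
        if identity.get("type") == "Root":
            findings.append(("root-activity", name, _principal(event)))
        if (name == "ConsoleLogin"
                and event.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and event.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("console-login-without-mfa", name, _principal(event)))
        if event.get("eventSource") == "iam.amazonaws.com" and name in PRIVILEGED_IAM_EVENTS:
            findings.append(("privileged-iam-change", name, _principal(event)))
    return findings


def detect_from_jsonl(text):
    """Same detections over newline-delimited JSON, as exported from CloudTrail Lake or S3."""
    return detect([json.loads(line) for line in text.splitlines() if line.strip()])


if __name__ == "__main__":
    for rule, name, who in detect(SAMPLE_EVENTS):
        print(f"{rule:28} {name:18} {who}")
```

The root login is flagged even though MFA was used, matching the best-practice table below: root activity should be rare enough that every occurrence deserves a look. Privileged IAM changes are logged with the *caller's* identity; the affected user sits in `requestParameters`, which is what an alert should include when it goes to a responder.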
9. Best Practices
| Area | Best Practice |
|---|---|
| Root User | Avoid; enable MFA |
| IAM Users | Create individual users, assign least privilege |
| IAM Roles | Use roles instead of long-term keys |
| MFA | Enable MFA for privileged users |
| Password Policy | Set strong requirements |
| Access Keys | Rotate regularly |
| Policies | Follow least privilege |
| Audit | Review logs and policies regularly |
| Service Accounts | Use IAM roles for EC2, Lambda, etc. |
| Temporary Credentials | Prefer STS-based ones |
10. Pricing
- IAM itself is free.
- Charges occur when you use other AWS services via IAM users or roles.
- IAM Access Analyzer has some charges for advanced analysis features.
11. High Availability & Consistency
- IAM is globally replicated for high availability.
- Data is eventually consistent.
- Changes may take time to propagate.
Recommendation: Avoid making IAM changes in critical application paths. Handle them during initialization and verify propagation before relying on them.
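"Verify propagation before relying on it" in practice means polling with backoff rather than sleeping a fixed number of seconds. The helper below is an added example (not the post's code and not AWS code): `wait_until` retries a check with exponential backoff, `role_assumable` is one realistic check built on the real boto3 `assume_role` call (imported lazily), and `simulate_propagation` drives the loop with a constructed checker that succeeds only after a given number of attempts, so the behaviour can be exercised offline.

```python
import time


def wait_until(check, attempts=6, base_delay=1.0, max_delay=30.0, sleep=time.sleep):
    """Call check() until it returns True; back off exponentially between attempts.

    Returns the attempt number that succeeded, or raises TimeoutError.
    """
    delay = base_delay
    for attempt in range(1, attempts + 1):
        if check():
            return attempt
        if attempt < attempts:
            sleep(delay)
            delay = min(delay * 2, max_delay)
    raise TimeoutError(f"condition not met after {attempts} attempts")


def role_assumable(role_arn, session_name="propagation-check"):
    """Check for a freshly created role: True once STS accepts AssumeRole for it."""
    import boto3  # lazy import so the rest of the module runs without boto3
    from botocore.exceptions import ClientError
    try:
        boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
        return True
    except ClientError:
        # Typically AccessDenied while the new role or policy has not propagated yet.
        return False


def simulate_propagation(lag, attempts=6):
    """Constructed stand-in: the check fails lag-1 times, then succeeds.

    Returns (attempt_that_succeeded, list_of_sleeps) without really sleeping.
    """
    calls = {"n": 0}
    sleeps = []

    def check():
        calls["n"] += 1
        return calls["n"] >= lag

    attempt = wait_until(check, attempts=attempts, sleep=sleeps.append)
    return attempt, sleeps


if __name__ == "__main__":
    print(simulate_propagation(3))
    # Real usage (needs credentials; the ARN is a placeholder):
    # wait_until(lambda: role_assumable("arn:aws:iam::123456789012:role/NewRole"))
```

Because the delays double from 1 s, six attempts cover roughly a minute, which is more than the propagation delay usually seen, while still failing fast if the role was simply created wrong.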
Summary
| Feature | Description |
|---|---|
| Purpose | Secure access to AWS resources |
| Core Identities | Users, Groups, Roles |
| Policy Language | JSON-based |
| Authentication Methods | Console, keys, MFA, federated logins |
| Authorization Model | Policy-based |
| Integration | Works with almost all AWS services |
| Cost | Free (except IAM Access Analyzer) |
| Best Use Case | Least privilege, centralized access control, automation, cross-account access |
Resources
- AWS IAM Documentation
- AWS IAM Console
- AWS IAM Policy Simulator
- AWS IAM Best Practices
- Introduction to IAM Video (from AWS Training and Certification)