Once you create your AWS account, the first thing you should do is set up IAM. IAM (Identity and Access Management) lets you control access to AWS services and resources for users: you manage who is able to access a given resource and who isn't. This is important for security. IAM is one of the AWS global services, so you don't need to specify a region when you set it up.
1. IAM Identities
A user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials. Usually, a user is a physical person. There are some rules to follow. First, to avoid sharing the same credentials, create one IAM user per physical person. Second, never share IAM credentials and never write IAM credentials in code, or there will be serious security issues. Finally, it is best to give users only the minimal permissions they need.
To ensure a higher level of security, you can use MFA (Multi-factor Authentication), which adds an extra layer of protection. With MFA enabled, users must provide an authentication code from their AWS MFA device in addition to their user name and password when they sign in.
An IAM group is a collection of IAM users. A group can be defined by function (e.g. admins, DevOps) or by team (e.g. engineering, design). Users in the same group share the same access permissions. Therefore it is much easier to manage permissions by group rather than by user.
An IAM role is an IAM identity that you can create in your account that has specific permissions. IAM roles are a secure way to grant permissions to entities (e.g. resources, users) you trust. There should be one IAM role per application.
2. IAM Policies
Policies, which are JSON documents, define permissions and are attached to IAM identities or AWS resources. For example, only users with a policy that grants 'Billing' permissions can access the billing dashboard and manage billing and cost.
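The following added example (not code from the original post or from AWS) shows how IAM evaluates the JSON policies attached to an identity: an explicit Deny always wins, otherwise any matching Allow grants the request, and anything not matched is implicitly denied. The bucket name and the policy itself are constructed for illustration; resource policies, SCPs and permission boundaries are out of scope.

```python
"""Minimal evaluator for identity-based IAM policies (illustrative, not AWS code)."""
import fnmatch
import json

# Constructed sample: a read-only group policy with a carve-out for a sensitive prefix.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:Get*", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string/object or a list for Statement, Action and Resource."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_matches(patterns, action):
    """Action names are case-insensitive; * and ? are the IAM wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    """ARNs are matched case-sensitively with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Return True only if some statement allows the request and none explicitly denies it."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _action_matches(_as_list(stmt["Action"]), action):
                continue
            if not _resource_matches(_as_list(stmt["Resource"]), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny overrides every Allow
            allowed = True
    return allowed  # no matching statement at all: implicit deny


if __name__ == "__main__":
    print(is_allowed([READ_ONLY_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))
    print(is_allowed([READ_ONLY_POLICY], "s3:GetObject", "arn:aws:s3:::example-bucket/secrets/key.pem"))
```

Running it prints True for the report object and False for the object under secrets/, even though the Allow statement matches both.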
3. IAM Hands-on
(1) Creating A User
You can create a user by clicking the blue 'Add user' button.
Give the user a name and select AWS access type.
You can either put the user in a group or create a user who does not belong to any group.
A tag is a key-value pair that helps you identify and organize your AWS resources.