IAM is the Identity and Access Management service in AWS. It is used to create users and assign them to groups. Whenever anyone in our organisation needs access to an AWS service, we want them to be able to use only some of the services on our account, because they could change something through malicious intent or by mistake. We want to give them as little access as possible to complete their job, so as to reduce any mishaps, but when we create an AWS account the user we sign up with has root access by default.
To deal with this, AWS provides a service that lets us create users and restrict what each one can do: that service is IAM. In IAM we create a separate user for each person and give that user only certain accesses and privileges. We can also create groups that already contain the access and privileges required to complete certain tasks, and then add users to those groups.
IAM is mainly divided into four concepts:
- User groups
User groups are created so that a set of accesses can be reused across users. When we create a group we attach certain access to it, and then we add users to the group. This makes users easier to manage, since all users in a group have the same access. A user can also be added to multiple groups.
- Users
These are the accounts that IAM creates for people; there should be one user for every person who uses AWS.
We should also avoid using the root account, because from there we can delete the whole AWS account, which would be a massive mishap even if unintended. For all admin purposes we should create an IAM user and give that user admin privileges.
- Roles
Whenever an AWS service needs access to other services, we create a role and grant access to those services through it. A role also allows application code running on an EC2 instance to perform actions on AWS resources.
Roles also let us give access to users from other organisations.
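The two uses of a role described above (an EC2 instance acting on AWS resources, and a user from another organisation getting access to our account) are both decided by the role's trust policy. The following Python snippet is an added example and not code from the original page: it models, offline and in simplified form, how a trust policy decides who may call sts:AssumeRole. The account ids, user names and external id are constructed, and only the StringEquals / sts:ExternalId condition is modelled.

```python
"""Added example, not code from the original page: a small offline model of
how a role's trust policy decides who may assume the role. A role has two
kinds of policy: the trust policy (who may call sts:AssumeRole) and the
permission policies (what the role may then do). The account ids, user names
and external id below are constructed for illustration."""
import json


# Constructed trust policy. Statement 1 lets EC2 instances in our own account
# assume the role (this is how code on an instance gets credentials through an
# instance profile). Statement 2 lets one named user in a partner account assume
# it, but only when the caller presents the agreed sts:ExternalId, which stops a
# third party from tricking the partner into assuming our role on their behalf.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::222222222222:user/partner-deployer"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
        },
    ],
})


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy_json, principal, external_id=None):
    """Return True if `principal` may assume the role described by the trust policy.

    `principal` is a (kind, value) pair such as ("Service", "ec2.amazonaws.com")
    or ("AWS", "arn:aws:iam::222222222222:user/partner-deployer").
    Simplification: only Allow statements and the StringEquals/sts:ExternalId
    condition are modelled; real IAM also evaluates Deny statements and many
    other condition keys.
    """
    kind, value = principal
    for stmt in _as_list(json.loads(trust_policy_json)["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal_block = stmt.get("Principal", {})
        # A bare "*" principal means "anyone"; otherwise look up the principal kind.
        allowed = ["*"] if principal_block == "*" else _as_list(principal_block.get(kind, []))
        if value not in allowed and "*" not in allowed:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            continue
        return True
    # No statement matched: implicit deny.
    return False


if __name__ == "__main__":
    print(can_assume(TRUST_POLICY, ("Service", "ec2.amazonaws.com")))
    print(can_assume(TRUST_POLICY,
                     ("AWS", "arn:aws:iam::222222222222:user/partner-deployer"),
                     "example-external-id"))
```

Running the block prints True twice. The point worth noticing is that the partner user is refused unless the external id matches, and a user from any other account is refused regardless: the trust policy, not the partner's own permissions, is what limits who can step into the role.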
- Policies
Policies are the lists of accesses granted to a user, user group or role, written in JSON. AWS already provides many predefined policies, which are very helpful when giving access to AWS users.
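To tie the user group and policy sections together, here is an added Python example (not code from the original page) that shows what a JSON policy looks like, how policies attached to several groups combine into one user's effective permissions, and a simple least-privilege check that flags Allow statements with a wildcard Action or Resource. The group names, user names, bucket names and account id are constructed; the evaluation is a simplification of real IAM (no conditions, permission boundaries, resource-based policies or service control policies).

```python
"""Added example, not code from the original page: an offline model of IAM
identity-based policies attached to groups, the effective permissions a user
gets through group membership, and a least-privilege lint. All policies,
group names, user names and ARNs below are constructed for illustration."""
import fnmatch
import json

# Constructed policies in the JSON shape IAM uses. Each statement lists an
# Effect, the API actions it covers and the resources it applies to.
READ_ONLY_S3 = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"],
    }],
})

EC2_OPERATOR = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
})

# The kind of policy least privilege is meant to avoid: everything on everything.
TOO_BROAD = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed group -> attached policies, and user -> group memberships.
GROUP_POLICIES = {
    "log-readers": [READ_ONLY_S3],
    "ec2-operators": [EC2_OPERATOR],
    "legacy-admins": [TOO_BROAD],
}
USER_GROUPS = {
    "alice": ["log-readers", "ec2-operators"],
    "bob": ["legacy-admins"],
}


def _as_list(value):
    """IAM accepts either a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _statements(policy_json):
    return _as_list(json.loads(policy_json)["Statement"])


def _matches(candidate, patterns):
    """IAM-style '*' wildcard matching (real IAM matches action names
    case-insensitively; fnmatchcase keeps this example strict)."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(user, action, resource):
    """Simplified IAM evaluation over every policy the user's groups attach:
    an explicit Deny anywhere wins, otherwise at least one Allow is needed,
    and with no matching statement the request is implicitly denied."""
    decision = False
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in _statements(policy):
                if not (_matches(action, _as_list(stmt["Action"]))
                        and _matches(resource, _as_list(stmt["Resource"]))):
                    continue
                if stmt["Effect"] == "Deny":
                    return False
                decision = True
    return decision


def wildcard_findings(policy_json):
    """Least-privilege lint: report Allow statements whose Action or Resource
    is a bare '*'. Returns a list of human-readable findings (empty is good)."""
    findings = []
    for i, stmt in enumerate(_statements(policy_json)):
        if stmt["Effect"] != "Allow":
            continue
        if "*" in _as_list(stmt["Action"]):
            findings.append(f"statement {i}: Action '*' grants every API call")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    print(is_allowed("alice", "s3:GetObject", "arn:aws:s3:::example-logs/app.log"))
    print(is_allowed("alice", "ec2:TerminateInstances",
                     "arn:aws:ec2:us-east-1:111111111111:instance/i-0abc"))
    for name, policy in (("TOO_BROAD", TOO_BROAD), ("EC2_OPERATOR", EC2_OPERATOR)):
        print(name, wildcard_findings(policy))
```

Two things are worth taking from the run: alice's permissions are simply the union of what her two groups attach (S3 reads plus EC2 describes), which is why groups make access easy to reason about, and the Deny on ec2:TerminateInstances overrides any Allow no matter which group it came from. The lint flags the "legacy-admins" policy on both Action and Resource; a policy like that on a group is effectively the root-style access the text warns against.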