AWS Identity and Access Management (IAM) policies give users the appropriate permissions to the resources in their AWS account. I believe AWS services need the IAM policies for support. These policies help keep AWS services secure: each one either grants or denies permissions to resources within a user's AWS account, which ensures that the right person gains access to that account at the right time.
These identities include:
Users: a user can be a person with a unique identity and security credentials such as a password or an access key and secret key. It can also be a service or application that interacts with resources in the AWS environment. Each type of user is given permission to manage and use AWS resources, and these permissions can only be assigned through policies.
Group: a set of IAM users who do the same kind of work and share policies and permissions. Each time a permission is assigned to a group through an access control policy, every user in that group is automatically entitled to it. For example, placing a user in an Administrator or Developer group automatically gives that user whatever permissions the Administrator or Developer group has. Users can therefore be moved between groups, and their permissions shift automatically as their group membership changes.
Role: roles can be used to grant temporary access to AWS resources and AWS users rather than sharing credentials. This gives various users the ability to take on different permissions for different tasks. As a result, passwords are not necessary here: a user who is permitted to assume a role can take it on for that moment or that particular task, and the access is not permanent.
Policies: a policy is a document that defines the different levels of permission attached to users, groups or roles. None of these can use any resource unless a policy attached to it says it can.
How Does IAM Work?
IAM works through the following elements:
Principal: a principal is an entity that can perform actions on an AWS resource. A user, a role or an application can be a principal.
Authentication: confirms that you are who you claim to be each time you try to access AWS resources.
Authorization: the act of verifying whether someone can actually access the resource they are requesting, and then authorizing the request (and sometimes authenticating it again) before AWS grants it. There must be a policy that supports the request.
Types of IAM policies
Identity-based policies: policies attached to a user, a group or a role, stating what that identity is allowed to do with AWS resources.
Customer managed: policies that you, as an AWS customer, create and use in your own AWS account. These policies are more specific, customized to your preferences.
Resource-based: policies attached to a particular resource, such as an Amazon S3 bucket or a VPC endpoint.
Managed policies: standalone policies that can be attached to multiple users, groups or roles.
Inline policies: policies inserted directly into a single user, group or role, giving a strict one-to-one relationship. This type is not always needed, so it is usually not the best choice.
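To make the authorization step above concrete, here is an added example (not code from the original post or from AWS): a small Python evaluator that decides one request against one identity-based policy document. It goes slightly beyond the text by encoding the IAM evaluation rule that an explicit Deny wins over any Allow and that a request with no matching statement is denied by default. The `POLICY` document, bucket name and ARNs are constructed sample data, not taken from a real account.

```python
import re

# Constructed sample identity-based policy (example data, not from a real
# account): the kind of document attached to a "developer" group. It allows
# reading the "app-logs" bucket but explicitly denies every s3:Delete* action.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _matches(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy, action, resource):
    """Decide one request against one policy: returns 'Allow' or 'Deny'.

    Applies the core IAM rule: with no matching statement the request is
    denied by default, a matching Allow grants it, and a matching explicit
    Deny wins over any Allow. Action names are matched case-insensitively,
    resource ARNs case-sensitively.
    """
    decision = "Deny"  # implicit deny until some statement allows the request
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny overrides everything else
        decision = "Allow"
    return decision


if __name__ == "__main__":
    key = "arn:aws:s3:::app-logs/2024/app.log"
    print(evaluate(POLICY, "s3:GetObject", key))                     # Allow
    print(evaluate(POLICY, "s3:DeleteObject", key))                  # Deny (explicit)
    print(evaluate(POLICY, "s3:GetObject", "arn:aws:s3:::other/x"))  # Deny (implicit)
```

The real service also merges resource-based policies, permission boundaries and session policies into this decision; the evaluator above covers only the single identity-based document, which is enough to see why a Deny statement is the safest way to rule out an action regardless of what other statements allow.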