What is IAM?
AWS Identity and Access Management (IAM) was introduced to AWS accounts on September 1 2020. IAM provides controlled access to AWS services and resources for IAM users, user groups and roles.
IAM is a free service provided by AWS; users, groups, roles and policies are created from the IAM console.
How would you use IAM?
IAM grants permissions following the principle of 'least privilege', supported by IAM Access Analyzer, so that users have access only to the AWS services required to perform their job role or function in an organization.
IAM policies are used to grant access to AWS services. Each policy specifies what type of access is granted; the action table for a service groups its actions into the following access levels:
- Read
- Write
- List
- Permission Management
Reference Architecture
The AWS reference architecture diagram below provides an overview of AWS Identity and Access Management for an IAM user who is granted access to AWS services through policy permissions that specify 'Allow'.
For example, in the IAM console, under Policies in the navigation pane, the AdministratorAccess policy shows an access level of full access to all AWS services.
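To make the difference between AdministratorAccess and a least-privilege policy concrete, here is an added example (not code from the post or from AWS) that models the core of IAM policy evaluation: implicit deny by default, an explicit Deny that always wins, '*' and '?' wildcards in Action and Resource, and case-insensitive action names. It also classifies actions into the four access levels listed above using a verb heuristic; the bucket name, the denied action and that heuristic are assumptions, and the authoritative source for access levels is the action table in the AWS Service Authorization Reference. Conditions, resource policies, SCPs and permission boundaries are deliberately left out.

```python
"""Simplified model of how IAM evaluates an identity policy against a request.

Added example, not code from the post or from AWS. Implements: default deny,
explicit Deny wins, '*' / '?' wildcards, case-insensitive action names.
"""
import fnmatch

# Constructed copy of the shape of the AWS managed policy
# arn:aws:iam::aws:policy/AdministratorAccess: every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed least-privilege policy for a data analyst who only needs to
# read one bucket. The bucket name and the denied action are assumptions.
ANALYST_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:Get*", "s3:List*"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        # Explicit Deny: s3:Get* would match, but reading the bucket policy is
        # not part of the analyst's job, and Deny always beats Allow.
        {"Effect": "Deny", "Action": "s3:GetBucketPolicy", "Resource": "*"},
    ],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalize to a list."""
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    """Action names are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    """ARNs are case-sensitive; '*' and '?' are the only wildcards."""
    return fnmatch.fnmatchcase(resource, pattern)


def is_allowed(policy, action, resource):
    """True if this identity policy alone allows the (action, resource) request.

    Mirrors IAM's order: start from implicit deny, remember matching Allows,
    and stop immediately on a matching Deny.
    """
    allowed = False
    for statement in policy["Statement"]:
        action_hit = any(_action_matches(p, action) for p in _as_list(statement["Action"]))
        resource_hit = any(_resource_matches(p, resource) for p in _as_list(statement["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def access_level(action):
    """Rough classification into the four access levels the post lists.

    Heuristic on the action verb (an assumption), not the authoritative
    action table from the AWS Service Authorization Reference.
    """
    name = action.split(":", 1)[-1]
    if name.startswith(("Put", "Attach", "Detach", "Delete")) and "Policy" in name:
        return "Permissions management"
    if name.startswith("List"):
        return "List"
    if name.startswith(("Get", "Describe", "Head")):
        return "Read"
    return "Write"


def evaluate(policy, requests):
    """Evaluate (action, resource) pairs -> {action: (access level, allowed?)}."""
    return {a: (access_level(a), is_allowed(policy, a, r)) for a, r in requests}


if __name__ == "__main__":
    REQUESTS = [  # constructed sample requests; the account id is a placeholder
        ("s3:ListBucket", "arn:aws:s3:::example-bucket"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetBucketPolicy", "arn:aws:s3:::example-bucket"),
        ("s3:PutObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("iam:AttachUserPolicy", "arn:aws:iam::123456789012:user/Administrator"),
    ]
    for name, policy in (("AdministratorAccess", ADMINISTRATOR_ACCESS),
                         ("AnalystReadOnly", ANALYST_READ_ONLY)):
        print(name)
        for action, (level, ok) in evaluate(policy, REQUESTS).items():
            print(f"  {action:22} {level:22} {'ALLOW' if ok else 'deny'}")
```

Running it shows AdministratorAccess allowing every request, including the Permissions management action iam:AttachUserPolicy, while the analyst policy allows only the two Read/List requests on its own bucket and refuses the bucket-policy read despite the matching Allow.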
The AWS reference architecture diagram below provides an overview of AWS Identity and Access Management with AWS Single Sign-On (SSO):
For example, a startup can use AWS Single Sign-On (SSO) with the identity provider Okta to grant permissions through AWS Organizations to a group of users (e.g. 3 data analysts). The data analysts' permissions can be managed for AWS applications such as Amazon S3, Amazon Glue DataBrew, Amazon QuickSight and Amazon Redshift, and this group of users will have single-click access to their AWS account.
Important: AWS Root User account - use sparingly
It is best practice not to use your AWS Root User account for tasks that do not require it; you may, however, use this account to create administrator access.
The alternative is to create an admin user for each person who needs one, with all of those users holding the same level of permissions through membership in an administrator group.
You may need to create admin user access via the AWS Management Console or with programmatic access if you wish to test and build production workloads for tasks such as:
- Databases
- Data warehousing
- ETL
- Machine learning
- AI
Tutorial: How to create your first IAM user and user group
Step 1: Log in to the AWS Management Console using your AWS Root credentials
https://aws.amazon.com/console/
Step 2: Navigate to your AWS Account details and select Account.
Scroll down to 'IAM User and Role Access to Billing Information' and click Edit.
Check the box 'Activate IAM access' and click Update.
Step 4: Navigate to AWS Services and search for IAM to access the IAM console.
Step 5: From the IAM console, select Users on the left-hand side and click Add users
Step 6: Under User name type 'Administrator'
Check the box: Password - AWS Management Console access
In Console password, create a custom password
Uncheck the box 'Require password reset'
Click Permissions
Step 7: Navigate to Users and click 'Add permissions'
Select 'Add User to Group' and click Create Group
Step 8: Select the 'AdministratorAccess' policy and then click 'Create group'.
Step 9: Refresh your web browser so you can see the newly created Administrator group under User groups.
Under the Administrator group, full access is provided to AWS services.
Step 10: Optional: Create a tag to help manage AWS resources
Step 11: Confirmation that the new Administrator user has been successfully created
Details of the Administrator user's IAM credentials are shown; they can be sent to an email address and also downloaded as a CSV file for your record keeping, so you can log in as an IAM user.
An email displays your new sign-in URL to help you log in with your IAM user credentials.
Step 12: Log in to your AWS account using your IAM user name and password at the dedicated URL provided in the email
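The same objects the console steps create (Steps 5 to 10: an Administrator user with console access, an administrator group carrying the AdministratorAccess managed policy, the group membership and an optional tag) can be expressed as infrastructure-as-code so the bootstrap is repeatable and reviewable. The following is an added example, not code from the post or from AWS: it builds a CloudFormation template in Python, keeps the initial console password out of the template as a NoEcho parameter, and includes two small review helpers. The group name 'Administrators', the tag and the 14-character password minimum are assumptions.

```python
"""Infrastructure-as-code equivalent of the console walk-through.

Added example, not from the post or from AWS. Builds a CloudFormation template
for the first IAM admin user and group; the password is a NoEcho parameter so
it never sits in the template or in version control.
"""
import json

ADMINISTRATOR_ACCESS_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"
PRINCIPAL_TYPES = ("AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Role")


def admin_bootstrap_template(user_name="Administrator", group_name="Administrators", tags=None):
    """Return the template as a dict (json.dumps it to deploy)."""
    tags = tags or {"Purpose": "admin-bootstrap"}  # Step 10: optional tag (assumed key/value)
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "First IAM admin user and group, instead of working as the root user",
        "Parameters": {
            "ConsolePassword": {
                "Type": "String",
                "NoEcho": True,  # masked in console, CLI and API output
                "MinLength": 14,  # assumed minimum; align with your account password policy
                "Description": "Initial console password for the admin user",
            }
        },
        "Resources": {
            "AdministratorGroup": {
                "Type": "AWS::IAM::Group",
                "Properties": {
                    "GroupName": group_name,
                    "ManagedPolicyArns": [ADMINISTRATOR_ACCESS_ARN],  # Step 8
                },
            },
            "AdministratorUser": {
                "Type": "AWS::IAM::User",
                "Properties": {
                    "UserName": user_name,  # Step 6
                    "Groups": [{"Ref": "AdministratorGroup"}],  # Step 7
                    "LoginProfile": {
                        "Password": {"Ref": "ConsolePassword"},
                        "PasswordResetRequired": False,  # the post unchecks 'Require password reset'
                    },
                    "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
                },
            },
        },
    }


def principals_with_policy(template, policy_arn=ADMINISTRATOR_ACCESS_ARN):
    """Review helper: logical IDs of users, groups and roles that attach policy_arn.

    The post's advice to use the root account sparingly applies just as much to
    handing out AdministratorAccess, so list who gets it before deploying.
    """
    hits = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") not in PRINCIPAL_TYPES:
            continue
        if policy_arn in resource.get("Properties", {}).get("ManagedPolicyArns", []):
            hits.append(logical_id)
    return sorted(hits)


def password_is_parameterized(template):
    """True when every LoginProfile password is a Ref to a NoEcho parameter."""
    params = template.get("Parameters", {})
    for resource in template.get("Resources", {}).values():
        profile = resource.get("Properties", {}).get("LoginProfile")
        if profile is None:
            continue
        ref = profile.get("Password")
        if not isinstance(ref, dict) or "Ref" not in ref:
            return False  # literal password embedded in the template
        if not params.get(ref["Ref"], {}).get("NoEcho"):
            return False  # parameter exists but would be echoed in stack output
    return True


if __name__ == "__main__":
    template = admin_bootstrap_template()
    print("AdministratorAccess attached to:", principals_with_policy(template))
    print("password parameterized:", password_is_parameterized(template))
    print(json.dumps(template, indent=2))
```

Save the printed JSON and deploy it with `aws cloudformation deploy --template-file admin.json --stack-name iam-admin-bootstrap --capabilities CAPABILITY_NAMED_IAM --parameter-overrides ConsolePassword=<value>`; the CAPABILITY_NAMED_IAM acknowledgement is required because the template gives its IAM resources explicit names. Because the password arrives as a parameter at deploy time, the file can be committed without carrying a secret.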
Reference
- AWS IAM documentation
- AWS Single Sign-On
- Creating IAM admin user and user group
- AWS Root User account
- Create a tag
Happy Learning!
Next Tutorial: Creating a S3 bucket with audio files - Conversational AI part 2
Top comments (2)
Some thoughts here
dev.to/rasharm_/multi-cloud-makes-...
Thanks Raman for sharing your article on Multi-Cloud, I love it! It provides great insight into the pragmatic adoption for startups of both GCP and AWS to look after the needs of different clients. I can relate, I used to work for a startup :)