After covering the IAM section in the Certified Cloud Practitioner course, I thought it would be helpful to others and myself to briefly summarize what I have learned about it!
IAM stands for Identity and Access Management. It enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS services.
Users in IAM are people within your organization. IAM gives you the ability to group users under a group name. Users are not required to be grouped; however, it does help with organization! When grouping users, you are given the option to attach policies/permissions to that group. For example, if you have an Admin group, you might attach the "Administrator Access" policy to that group. This would give any user in the Admin group Administrator Access for AWS services and resources.
Policies in AWS are JSON documents that outline permissions for users or groups in your organization. In AWS, it is common to apply the least privilege principle: you do not give a user more permissions than the user needs.
Every user is required to have a password to sign into AWS. IAM allows you to set up a password policy for the users in your organization. The IAM password policy lets the organization:
- Set a minimum password length
- Require specific character types
- Allow all IAM users to change their own passwords
- Require users to change their password after some time
- Prevent password re-use

For extra security, IAM also lets organizations use Multi-Factor Authentication (MFA) for the root account and user accounts as well!
At first, IAM roles were a little hard for me to understand. Some services in AWS need to perform actions on behalf of the organization. To allow this to happen, we need to assign permissions to AWS services with IAM roles. What helped me understand this a little better was realizing that an AWS service is like a user: it will need certain permissions. To assign permissions to a service, we use IAM roles. They are intended to be used not by physical people but by AWS services.
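To make the policy and role paragraphs above concrete, here is an added example (not code from the original post or from AWS) that builds a least-privilege permissions policy for a role an EC2 instance would assume, the matching trust policy, and a deliberately simplified evaluator that mirrors how IAM combines statements: everything is denied by default, an explicit Deny wins over any Allow, and otherwise any matching Allow grants access. The bucket name, account-less ARNs and the second "broad" policy in the usage section are constructed placeholders; wildcard matching is done with `fnmatch`, which is close enough to IAM's `*` handling for this demonstration but is not the real policy engine.

```python
import fnmatch
import json

# Constructed least-privilege policy: the role may only read one bucket
# (placeholder name "example-app-logs"), and may never delete objects.
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-app-logs",
                "arn:aws:s3:::example-app-logs/*",
            ],
        },
        {
            # Explicit deny: even if another attached policy is broader,
            # delete stays blocked.
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        },
    ],
}

# Constructed trust policy: only the EC2 service principal may assume the role.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM lets Action/Resource/Service be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-sensitive '*' wildcard match (fnmatch stands in for IAM's matcher)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified IAM evaluation: implicit deny by default, explicit Deny
    beats every Allow, otherwise one matching Allow is enough."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"
            allowed = True
    return "allow" if allowed else "implicit-deny"


def can_assume(trust_policy, service_principal):
    """True if the trust policy lets the given service principal assume the role."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow"
                and _matches(stmt["Action"], "sts:AssumeRole")
                and service_principal in services):
            return True
    return False


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-app-logs/2024/app.log"
    print(json.dumps(READ_ONLY_BUCKET_POLICY, indent=2))
    print("GetObject:", evaluate([READ_ONLY_BUCKET_POLICY], "s3:GetObject", obj))
    print("PutObject:", evaluate([READ_ONLY_BUCKET_POLICY], "s3:PutObject", obj))
    print("DeleteObject:", evaluate([READ_ONLY_BUCKET_POLICY], "s3:DeleteObject", obj))
    print("ec2 may assume:", can_assume(EC2_TRUST_POLICY, "ec2.amazonaws.com"))
    print("lambda may assume:", can_assume(EC2_TRUST_POLICY, "lambda.amazonaws.com"))
```

The useful thing to try is attaching a second, over-broad policy (`"Action": "s3:*"`, `"Resource": "*"`) alongside the first: reads and writes become allowed, but `s3:DeleteObject` still returns `explicit-deny`, which is exactly why a least-privilege policy with a targeted Deny is a stronger guardrail than relying on the absence of an Allow.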
IAM also provides security tools for the organization and its users. An IAM Credentials Report is generated for the organization (root account) and lists all the users and the status of their various credentials in the organization. An IAM Access Advisor shows the service permissions granted to a user and when those services were last accessed.
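The credentials report is most useful when you actually act on it, so here is an added example (my own code, not from the original post or from AWS) that reads a report in the CSV layout IAM produces and flags the findings a defender cares about: console users without MFA, a root account without MFA, and active access keys that have not been rotated recently. The column names used are a subset of the real report's columns; the rows, account ID `111111111111`, user names and dates are constructed, and the 90-day rotation threshold and the fixed "now" timestamp are assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: a subset of the real credential report's columns,
# with made-up users, dates and a placeholder account ID.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T10:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T08:00:00+00:00,2024-01-10T00:00:00+00:00,N/A,true,true,2024-04-01T00:00:00+00:00,2024-05-02T08:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,2021-06-07T00:00:00+00:00,true,2024-04-20T08:00:00+00:00,2022-01-10T00:00:00+00:00,N/A,false,true,2021-06-07T00:00:00+00:00,2023-12-01T00:00:00+00:00
svc-deploy,arn:aws:iam::111111111111:user/svc-deploy,2022-02-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-15T00:00:00+00:00,2024-05-01T00:00:00+00:00
"""

# Assumed "current time" so the example is deterministic offline.
NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)
MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for this demo


def _parse_time(value):
    """The report uses N/A, no_information and not_supported for missing times."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv=SAMPLE_REPORT, now=NOW, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return a list of (user, finding) tuples for the credential hygiene
    problems the report lets us detect."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console password but no MFA device: the highest-value finding.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # The root row reports password_enabled as not_supported, so check it separately.
        if user == "<root_account>" and row["mfa_active"] != "true":
            findings.append((user, "root account without MFA"))
        # Active long-lived access key past the rotation threshold.
        if row["access_key_1_active"] == "true":
            rotated = _parse_time(row["access_key_1_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key 1 not rotated in {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```

Against a real report (downloaded from the IAM console or the CLI) the same function works unchanged on the full CSV because `DictReader` ignores the extra columns; the thing to tune is the rotation threshold and whether you also want to check `access_key_2_*`.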
IAM is a pretty neat management tool that AWS provides. I think it is a great way to stay organized when your organization is scaling at a fast pace, it was interesting learning about it! Up next is a dive into the Elastic Compute Cloud (EC2)!