AWS Identity Access Management – IAM Overview

IAM INTRODUCTION :

• AWS Identity and Access Management (IAM) is a service that allows you to manage users and their access to AWS.
• Your whole AWS security revolves around IAM.
• IAM is a global service. It’s not bound to any specific region.

• IAM allows you to control

  • Identity: who can use your AWS resources (Authentication)
  • Access: what resources they can use (Authorization)

• When you create AWS account, that very first account is called
  
  as Root account.

• When you first start with AWS you get a root access key. Root access key provides complete access to your AWS account and you should never use them.

• So you basically need to delete your root access key.

• You can set up MFA (Multi-Factor Authentication) for extra security.

IAM FEATURES :

• IAM provides you with centralized control of your AWS account.
• It provides shared access to your AWS account.
  • You can grant other people access to your AWS account.
• It allows you to set Granular permissions.
  • You can grant specific permission to specific users. For example, you might allow a user access to only some set of services only.
• Identity Federation (including Active Directory, Facebook, LinkedIn etc)
  • Users can log in by using their company credentials without having an account with AWS.
• Multifactor Authentication
  • This is two-factor authentication. User not only need to provide password or access key but also code from physical devices such as android or ios smartphone.
• Support PCI DSS compliance.
  • IAM supports the processing, storage, and transmission of credit card data
• Provide application running on EC2 access to AWS resources.
  • You can have your application running on EC2 secure access to AWS resource.
• IAM integrates with almost every AWS service.
  • Since it’s a fundamental or core service that provides security, IAM integrates with almost all AWS services.
• Free to use
  • IAM is a completely free service to use.

IAM COMPONENTS :

Users

• User is an AWS identity.
• User is basically a physical person.
• This physical person will get an account in IAM.
• New users have no permission when first created.

Group

• Group basically means a set of IAM users.
• Groups are basically defined by their function for example Developers, Admin etc.
• Instead of assigning the same permission to every other user individually, you can assign that permission to group and add all the users in that group.
• All the users in this group will inherit the permission of the group.

Roles

• Role is an IAM identity that has specific permissions.
• Role is similar to User.
• But it is not associated with a specific person, a role is assumed by anyone who needs it.
• Role doesn’t have standard long term credentials such as password, it works on temporary security credentials for a session.

• Roles can be assigned to :

  • An IAM user in the same account as role in.
  • An IAM user in a different account than the role.
  • An AWS service such as EC2.

• Policies

• Policies are JSON documents.

• They define what User, Group and Roles can do or cannot do.

• Permissions are governed by policies.

• AWS provides you with many built-in policies that already have permissions according to use cases. This is the AWS managed policies.

• You can also create your own policy as well.

IAM FEDERATION

• IAM Federation is a feature which can be used by big enterprises.
• Generally, big enterprises have their own repository of users. Using IAM Federation such enterprises can integrate their own repository of users with IAM.
• This way users of such enterprises can log in into AWS using their company credentials.
• Identity Federation uses the SAML standard

read rest of the tutorial here http://cloudforgeeks.com/aws-identity-access-management-iam-overview/
AWS Identity Access Management (IAM) explained. This article covers IAM fundamentals. Learn AWS IAM and use it in your own AWS account.