IAM INTRODUCTION :
- AWS Identity and Access Management (IAM) is a service that allows you to manage users and their access to AWS.
- Your whole AWS security revolves around IAM.
- IAM is a global service. It’s not bound to any specific region.
IAM allows you to control
- Identity: who can use your AWS resources (Authentication)
- Access: what resources they can use (Authorization)
When you create AWS account, that very first account is called
as Root account.
When you first start with AWS you get a root access key. Root access key provides complete access to your AWS account and you should never use them.
So you basically need to delete your root access key.
You can set up MFA (Multi-Factor Authentication) for extra security.
IAM FEATURES :
- IAM provides you with centralized control of your AWS account.
- It provides shared access to your AWS account.
- You can grant other people access to your AWS account.
- It allows you to set Granular permissions.
- You can grant specific permission to specific users. For example, you might allow a user access to only some set of services only.
- Identity Federation (including Active Directory, Facebook, LinkedIn etc)
- Users can log in by using their company credentials without having an account with AWS.
- Multifactor Authentication
- This is two-factor authentication. User not only need to provide password or access key but also code from physical devices such as android or ios smartphone.
- Support PCI DSS compliance.
- IAM supports the processing, storage, and transmission of credit card data
- Provide application running on EC2 access to AWS resources.
- You can have your application running on EC2 secure access to AWS resource.
- IAM integrates with almost every AWS service.
- Since it’s a fundamental or core service that provides security, IAM integrates with almost all AWS services.
- Free to use
- IAM is a completely free service to use.
IAM COMPONENTS :
- User is an AWS identity.
- User is basically a physical person.
- This physical person will get an account in IAM.
- New users have no permission when first created.
- Group basically means a set of IAM users.
- Groups are basically defined by their function for example Developers, Admin etc.
- Instead of assigning the same permission to every other user individually, you can assign that permission to group and add all the users in that group.
- All the users in this group will inherit the permission of the group.
- Role is an IAM identity that has specific permissions.
- Role is similar to User.
- But it is not associated with a specific person, a role is assumed by anyone who needs it.
- Role doesn’t have standard long term credentials such as password, it works on temporary security credentials for a session.
Roles can be assigned to :
- An IAM user in the same account as role in.
- An IAM user in a different account than the role.
- An AWS service such as EC2.
Policies are JSON documents.
They define what User, Group and Roles can do or cannot do.
Permissions are governed by policies.
AWS provides you with many built-in policies that already have permissions according to use cases. This is the AWS managed policies.
You can also create your own policy as well.
- IAM Federation is a feature which can be used by big enterprises.
- Generally, big enterprises have their own repository of users. Using IAM Federation such enterprises can integrate their own repository of users with IAM.
- This way users of such enterprises can log in into AWS using their company credentials.
- Identity Federation uses the SAML standard
read rest of the tutorial here http://cloudforgeeks.com/aws-identity-access-management-iam-overview/
AWS Identity Access Management (IAM) explained. This article covers IAM fundamentals. Learn AWS IAM and use it in your own AWS account.