AWS Identity and Access Management (IAM) is a web service that helps you securely manage access to AWS resources. IAM enables you to create and manage users, groups, and permissions, allowing you to control access to AWS services and resources in a secure and flexible manner.
Key Features of AWS IAM:
User and Group Management:
Users: You can create IAM users to represent individuals or applications that need access to your AWS resources. Each user can have their own set of credentials (username and password, or access keys).
Groups: Users can be organized into groups for easier permission management. You can assign permissions to a group, and all users in that group will inherit those permissions.
Permissions and Policies:
IAM Policies: Policies define permissions (which principals may perform which actions on which resources) and are attached to users, groups, or roles. Policies are written as JSON documents.
Managed Policies: AWS provides a set of predefined policies that can be directly attached to users, groups, or roles. You can also create custom policies based on specific needs.
Inline Policies: Inline policies are policies that are embedded directly within a user, group, or role. They are unique to the entity they are attached to and cannot be reused.
Roles:
IAM roles are used to delegate permissions. A trusted entity (such as a user, application, or AWS service) assumes the role and then performs actions using the permissions attached to the role.
Use Cases: Roles are commonly used in scenarios like giving EC2 instances permission to access S3 buckets or allowing cross-account access.
Temporary Credentials: IAM roles provide temporary security credentials when assumed by a trusted entity, which is useful for delegating access without long-term access keys.
Multi-Factor Authentication (MFA):
AWS supports MFA to enhance security. You can require users to authenticate with both their password and an additional verification method (like an MFA device or mobile app).
MFA is recommended for sensitive operations and is a strong security measure for accessing AWS resources.
Access Control:
Least Privilege Principle: IAM helps enforce the least privilege access model by ensuring that users and applications only have the permissions necessary for their tasks.
Fine-Grained Access Control: IAM policies can be fine-tuned to control specific actions on specific resources (e.g., read-only access to an S3 bucket, full access to EC2 instances).
Temporary Security Credentials:
IAM supports the generation of temporary security credentials via roles, which are ideal for users or applications that require short-term access (for example, to assume a role for a limited time).
AWS Security Token Service (STS) can be used to generate temporary credentials.
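The sections above on policies, MFA, least privilege and roles describe rules that are easy to state and easy to get wrong in practice. The following Python block is an added illustration, not code from AWS or from this page: it simulates a small subset of IAM's evaluation logic offline (implicit deny, explicit Deny overriding Allow, wildcard matching on Action and Resource, a Bool condition for `aws:MultiFactorAuthPresent`) and shows the two independent allows that cross-account role assumption needs. Account IDs, bucket names and role names are constructed placeholders; real evaluation also involves SCPs, permission boundaries, session policies, NotAction/NotResource and many more condition operators, none of which are modelled here.

```python
"""Offline simulation of a subset of IAM policy evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase


def _as_list(value):
    # Most policy fields accept either a single string or a list of strings
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # Action and Resource values support '*' and '?' wildcards; action names are
    # case-insensitive in IAM, ARNs are not
    if fold_case:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_met(condition, context):
    # Only the Bool operator is modelled, enough to express "MFA must be present";
    # an absent context key is treated as "false", as IAM does for this key
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if str(context.get(key, "false")).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request against a list of identity policies.
    Rules modelled: everything is implicitly denied; a matching Allow grants;
    a matching explicit Deny always wins, whatever other statements allow."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_met(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


def can_assume_role(caller_arn, caller_policies, role):
    """Cross-account role assumption needs two independent allows: the caller's own
    identity policy must allow sts:AssumeRole on the role ARN, and the role's trust
    policy must name the caller as a principal. Either one alone is not enough."""
    if evaluate(caller_policies, "sts:AssumeRole", role["Arn"]) != "Allow":
        return False
    for stmt in _as_list(role["TrustPolicy"]["Statement"]):
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt["Effect"] == "Allow"
                and _matches(stmt["Action"], "sts:AssumeRole", fold_case=True)
                and caller_arn in principals):
            return True
    return False


# Constructed sample policies (bucket and account names are placeholders).
# Least privilege: read one bucket, delete only with MFA, and one explicit Deny.
READ_ONLY_WITH_MFA_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"},
]}
# Over-broad policy used only to show that the explicit Deny above still wins
ALLOW_ALL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

CALLER = "arn:aws:iam::111111111111:user/alice"  # placeholder account 1
CALLER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::222222222222:role/ReportReader"}]}
REPORT_READER_ROLE = {  # placeholder role in account 2, trusting alice in account 1
    "Arn": "arn:aws:iam::222222222222:role/ReportReader",
    "TrustPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]},
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("read:", evaluate([READ_ONLY_WITH_MFA_DELETE], "s3:GetObject", obj))
    print("delete, no MFA:", evaluate([READ_ONLY_WITH_MFA_DELETE], "s3:DeleteObject", obj))
    print("delete, MFA:", evaluate([READ_ONLY_WITH_MFA_DELETE], "s3:DeleteObject", obj,
                                   {"aws:MultiFactorAuthPresent": "true"}))
    print("explicit deny wins:", evaluate([READ_ONLY_WITH_MFA_DELETE, ALLOW_ALL_S3],
                                          "s3:PutBucketPolicy", "arn:aws:s3:::example-bucket"))
    print("alice can assume:", can_assume_role(CALLER, [CALLER_POLICY], REPORT_READER_ROLE))
    print("trust policy alone:", can_assume_role(CALLER, [], REPORT_READER_ROLE))
```

Two behaviours worth noticing when running it: the `s3:DeleteObject` statement flips from Deny to Allow only when the MFA context key is present, and attaching the over-broad `ALLOW_ALL_S3` policy does not reopen `s3:PutBucketPolicy`, because an explicit Deny is evaluated before any Allow counts. The role check also returns False when the trust policy names the caller but the caller's own policy is missing, which is the usual cause of a cross-account `AccessDenied` on `sts:AssumeRole`.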
Access Advisor:
IAM Access Advisor helps you analyze which services and actions are being used by your IAM users and roles, providing insights into unused permissions that can be removed.
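Access Advisor data is only useful once it is compared against what a policy actually grants. The following Python block is an added example, not AWS code: it takes a policy document and a list of last-accessed records and reports every granted service that was never used or has been idle longer than a threshold. The records are constructed here in the shape that the IAM last-accessed API returns (`ServiceNamespace` plus an optional `LastAuthenticated` datetime; that shape is an assumption), the clock is fixed so the result is reproducible, and the policy and its action names are constructed for the illustration.

```python
"""Find granted-but-unused services from Access Advisor style data (added example, not AWS code)."""
from datetime import datetime, timedelta, timezone


def _as_list(value):
    # Policy fields accept a single string or a list of strings
    return value if isinstance(value, list) else [value]


def granted_services(policies, known_services):
    """Service namespaces (e.g. 's3', 'ec2') that any Allow statement touches.
    A bare '*' action grants every service Access Advisor knows about."""
    services = set()
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if stmt["Effect"] != "Allow":
                continue
            for action in _as_list(stmt["Action"]):
                if action == "*":
                    services.update(known_services)
                else:
                    # 's3:GetObject' -> 's3'; 'ec2:Describe*' -> 'ec2'
                    services.add(action.split(":", 1)[0].lower())
    return services


def unused_services(policies, last_accessed, now, max_idle_days=90):
    """Map each granted service that should be reviewed to its idle time in days,
    or to None when Access Advisor has never seen it used at all."""
    last_used = {rec["ServiceNamespace"]: rec.get("LastAuthenticated") for rec in last_accessed}
    findings = {}
    for svc in granted_services(policies, last_used.keys()):
        when = last_used.get(svc)
        if when is None:
            findings[svc] = None          # granted, never authenticated against
        else:
            idle = (now - when).days
            if idle > max_idle_days:
                findings[svc] = idle      # granted, but stale
    return findings


# Constructed sample data; the fixed clock keeps the output reproducible
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
]}
# Shape assumed to mirror the service last-accessed API output; values are constructed
LAST_ACCESSED = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
     "LastAuthenticated": NOW - timedelta(days=200)},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb"},  # never used
]

if __name__ == "__main__":
    for svc, idle in sorted(unused_services([ROLE_POLICY], LAST_ACCESSED, NOW).items()):
        print(f"{svc}: {'never used' if idle is None else f'idle {idle} days'} -> review this grant")
```

In the constructed data the role keeps `s3` (used three days ago) and is flagged for `ec2` (idle 200 days) and `dynamodb` (never used); those two statements are the candidates for removal that the section above refers to. Access Advisor reports at service granularity, so a flagged service tells you which statement to revisit, not which individual actions inside it were unused.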
Resource-Based Access Control:
IAM allows you to define policies that can be attached directly to resources, such as S3 buckets or Lambda functions, to control access at the resource level.
Bucket Policies and Access Control Lists (ACLs) for S3 are examples of resource-based policies.
AWS Organizations Integration:
AWS Organizations allows you to manage multiple AWS accounts in a centralized manner. IAM integrates with AWS Organizations to allow cross-account access and centralized user management across accounts.
IAM Components:
| Component | Description |
|---|---|
| Users | Represent individual people or applications that need access to AWS resources. |
| Groups | Organize users into groups to simplify permission management. |
| Roles | Define permissions that can be assumed by trusted entities like users, EC2 instances, or other AWS services. |
| Policies | Define permissions (in JSON format) attached to users, groups, or roles to control actions on AWS resources. |
| MFA | Multi-Factor Authentication provides an extra layer of security by requiring more than one method of authentication. |
| Temporary Credentials | Provide short-lived credentials to assume roles and access AWS resources for a limited time. |
| Access Advisor | Helps identify unused permissions associated with IAM users and roles. |
| IAM Identity Center | Centralized management of identity and access across AWS services and accounts, formerly AWS SSO. |