by Mohdqaz
What is IAM (Identity and Access Management)?
AWS IAM is short for AWS Identity and Access Management. Why is IAM important in AWS?
- Centralized control of your AWS account
- Shared access to your AWS account
- Granular permissions
  - For example, I want people to access this server but not that server
- Identity federation
  - The easiest way to explain this is logging in with Facebook or Google credentials
- Multi-factor authentication (MFA)
  - Using a username, a password and a second way of identifying yourself, for example a code from Google Authenticator
- Temporary access for users / devices when necessary
- Allows an administrator to set a password rotation policy
- Integrates with many different AWS services
- Supports PCI DSS compliance
  - If you take credit card details, you will need to be compliant with the PCI DSS framework
The following are the key terminology (main concepts) used in IAM:
User
- Root User:
  - The first user is the Root user, which is created during AWS account creation.
  - The Root user is accessed with the email address and password used to create the AWS account
  - Anyone with access to the Root user has unrestricted access to all AWS resources under that account
IMPORTANT
Do not use the Root user for daily tasks, even administrative ones. Keep the Root account safe and use it only for management tasks that really require the Root user.
- See the AWS Best Practices for the Root user
  - (An AWS Best Practice is the way AWS recommends performing a task or management activity, based on years of experience with their clients)
- An IAM user doesn't have to be an actual person. For example, if an application needs to access AWS, you can create an IAM user to obtain an access key, which that application can later use
- Remember that for all users (except the Root user), permissions must be granted explicitly before they can access AWS services. By default, a newly created user has no access to any service
Group
- What is an IAM Group?
  - An IAM Group is a collection of users
  - A user can belong to multiple groups
  - It is easier to assign permissions to a group than to assign them one by one to each user
Policy
- What is a Policy? A policy defines:
  - What users / groups / roles can do
  - On which resources (S3 / EC2 / RDS / etc.) those actions can be performed
  - The conditions under which the actions can be performed
- Most policies are stored in AWS as JSON documents
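As an added example (not from the original post), here is an identity-based policy JSON that shows all three parts described above: actions, the resources they apply to, and a condition. The bucket names are placeholders. It lets the user list one reports bucket, read objects from it only when the session was authenticated with MFA (the aws:MultiFactorAuthPresent key), and explicitly denies every S3 action on a separate production bucket, which illustrates the "this server but not that server" idea from the granular permissions point.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyTheReportsBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": "arn:aws:s3:::example-reports-bucket"
    },
    {
      "Sid": "ReadObjectsOnlyWithMfa",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-reports-bucket/*",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    },
    {
      "Sid": "NeverTouchTheProductionBucket",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-prod-bucket",
        "arn:aws:s3:::example-prod-bucket/*"
      ]
    }
  ]
}
```

An explicit Deny always wins over an Allow, so even if another policy attached to the same user or group grants s3:* on everything, the production bucket stays blocked. The MFA condition is only satisfied by credentials from an MFA-authenticated session, so a plain long-term access key used by a script will not pass it.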
Roles
- What is a Role?
  - An IAM Role is similar to an IAM User in that it is also an identity
  - It has a policy that determines what the identity can or cannot do in AWS
  - What makes it different from a User is that it does not have a password or access keys
AWS Documentation: for official information from AWS