IAM [Identity & Access Management]

Fawaz C P
3 min read · Jan 27, 2023


AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can centrally manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

IAM Policies

Identity-based policies are attached to IAM identities (users, groups and roles) and state which actions on which resources are allowed or denied. A policy is written as a JSON policy document.

Example of the JSON policy syntax (a single statement that lets the identity list one bucket):

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
```
IAM Policy Evaluation Priorities

1- Explicit Deny:

If any applicable statement explicitly denies the action, the request is denied, no matter how many other statements allow it. An explicit Deny always has the first priority.

2- Explicit Allow:

If no explicit Deny applies and at least one statement explicitly allows the action on that resource, the request is allowed. Explicit Allow is the second priority.

3- Default implicit Deny [No Access]:

If no statement allows or denies the action, the request is implicitly denied. In other words, everything is denied unless something explicitly allows it.

Two types of policies

1- Inline policies: [used for special / exceptional access]

An inline policy is embedded directly in a single IAM identity (a user, group, or role). That is, the policy is an inherent part of that identity: it has no ARN of its own, cannot be attached to a second identity, and is deleted together with the identity. You can embed it when you create the identity or later.

2- Managed policies: (Best practice)

A managed policy is a standalone policy with its own Amazon Resource Name (ARN) that includes the policy name, and it can be attached to many identities. An AWS managed policy is one created and administered by AWS. For example, arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy (the account field in the ARN is literally "aws").

→ It can be attached to multiple users, groups and roles.

→ It is reusable.

→ It has low management overhead: change the policy once and every attached identity picks up the change.

Managed policies are again of 2 types

1- AWS managed policies (maintained by AWS, for example ReadOnlyAccess).

2- Customer managed policies (created and maintained by you in your own account).

IAM users

IAM users are identities used for anything that requires long-term AWS access, with long-term credentials (a console password and/or access keys). Examples: humans, applications, or service accounts. Because those credentials do not expire on their own, prefer a role wherever the workload can assume one.

IAM users - Exam Tips

  • You can create 5000 IAM users per account.
  • An IAM user can be a member of at most 10 groups.

IAM Groups

  • IAM groups are containers of users.
  • IAM groups can have permission policies attached; every member inherits them.
  • 300 groups per account by default, but the quota can be increased by raising a support ticket.
  • A resource-based policy cannot grant access to an IAM group.
  • Groups are not real identities (principals): they cannot be named in resource-based policies and have no credentials to log in with.

IAM Roles

  • IAM roles are also identities.
  • They are used on a temporary basis.
  • IAM roles are assumed: you become that role for a short period of time.
  • An IAM role provides temporary security credentials to the identity that assumes it.
  • These temporary credentials are issued by AWS STS (Security Token Service); they consist of an access key, a secret key and a session token, and they expire.
  • An IAM role has two types of policies attached:

1- Trust policy: who (which principal, account or service) is allowed to assume the role, and

2- Permission policy: what the role is allowed to do once assumed.

Use cases of IAM Roles:

  • It is always the preferred option when an AWS service (for example an EC2 instance or a Lambda function) needs to do something on your behalf, instead of storing long-term access keys on the service.
  • A user can assume an emergency (break-glass) role only when it is required, rather than holding those permissions permanently.
  • External identities (for example users from a corporate directory or another identity provider) cannot be given AWS credentials directly. In that situation, you create a role inside the AWS account and let those identities assume it (identity federation).
  • A role is also used to access resources in another AWS account (cross-account access).
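The evaluation order from the policy section above (explicit Deny, then explicit Allow, then implicit Deny) and the two-policy handshake of a role (trust policy plus permission policy) can both be exercised offline with the toy evaluator below. It is an added example written for this page, not AWS code and not the real AWS policy engine: it ignores Condition blocks, NotAction/NotResource, resource-based policies and permission boundaries, it models the cross-account case where the caller's own identity policy must also allow sts:AssumeRole, and every account ID, user name, role name and bucket name in it is constructed for the demo.

```python
"""Toy IAM policy evaluator and AssumeRole simulation (added example, not AWS code).

Models: explicit Deny > explicit Allow > implicit Deny, and a role's trust
policy (who may assume it) plus permission policies (what the session may do).
Condition, NotAction/NotResource, resource-based policies and permission
boundaries are deliberately left out.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _match(patterns, value, case_sensitive=True):
    """IAM wildcard match ('*' and '?'). Actions are case-insensitive, ARNs are not."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide one request against identity-based policy documents (dicts).

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny". A matching Deny ends
    the evaluation at once: no Allow anywhere can override it.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _match(stmt.get("Action", []), action, case_sensitive=False):
                continue
            if not _match(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def trusted(trust_policy, caller_arn):
    """Does the role's trust policy let caller_arn call sts:AssumeRole?

    arn:aws:iam::<account>:root as Principal means any principal of that
    account; a Deny that names the caller overrides any Allow.
    """
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        if not _match(stmt.get("Action", []), "sts:AssumeRole", case_sensitive=False):
            continue
        principal = stmt.get("Principal", {})
        principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if caller_arn not in principals and account_root not in principals:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def assume_role(caller_arn, caller_policies, role):
    """Simulate sts:AssumeRole for a cross-account caller (assumption of this demo).

    Both halves must pass: the caller's identity policy must allow
    sts:AssumeRole on the role ARN, and the trust policy must name the caller.
    The returned session acts with the role's policies, not the caller's.
    """
    if evaluate(caller_policies, "sts:AssumeRole", role["Arn"]) != "Allow":
        raise PermissionError("caller's identity policy does not allow sts:AssumeRole")
    if not trusted(role["TrustPolicy"], caller_arn):
        raise PermissionError("role trust policy does not trust " + caller_arn)
    return role["PermissionPolicies"]


# Constructed sample data: developers in account 111111111111, an audit role in
# account 222222222222. None of these identifiers are real.
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
AUDIT_ROLE_ARN = "arn:aws:iam::222222222222:role/AuditRole"

DEV_POLICY = {  # attached to the developers' group in 111111111111
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": AUDIT_ROLE_ARN},
    ],
}

AUDIT_ROLE = {
    "Arn": AUDIT_ROLE_ARN,
    "TrustPolicy": {  # who may assume it: only alice
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Principal": {"AWS": ALICE},
                      "Action": "sts:AssumeRole"},
    },
    "PermissionPolicies": [{  # what the session may do: read one bucket
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
                      "Resource": ["arn:aws:s3:::audit-logs", "arn:aws:s3:::audit-logs/*"]},
    }],
}

if __name__ == "__main__":
    print(evaluate([DEV_POLICY], "s3:ListBucket", "arn:aws:s3:::example_bucket"))    # Allow
    print(evaluate([DEV_POLICY], "s3:DeleteBucket", "arn:aws:s3:::example_bucket"))  # ExplicitDeny
    print(evaluate([DEV_POLICY], "ec2:StartInstances", "*"))                          # ImplicitDeny
    session = assume_role(ALICE, [DEV_POLICY], AUDIT_ROLE)
    print(evaluate(session, "s3:GetObject", "arn:aws:s3:::audit-logs/2023/01.gz"))  # Allow
    print(evaluate(session, "s3:PutObject", "arn:aws:s3:::audit-logs/2023/01.gz"))  # ImplicitDeny
    try:
        assume_role(BOB, [DEV_POLICY], AUDIT_ROLE)  # same identity policy, but not trusted
    except PermissionError as exc:
        print(exc)
```

Note how the session alice gets back carries only the role's permission policies: her own s3:* grant does not follow her into account 222222222222, and bob is refused even though his identity policy allows sts:AssumeRole, because the trust policy is evaluated on the role's side.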

Service-Linked Roles

  • It is an IAM role linked directly to a specific AWS service.
  • It is predefined by that service, which owns the trust policy and the permissions.
  • The role provides the permissions the service needs to call other AWS services on your behalf. You cannot delete the role until the service no longer requires it, so clean up the related resources first.

If you want to know more about IAM, check out the AWS documentation https://aws.amazon.com/iam/

Happy Learning

Thank you!🤗
