AWS IAM & Its Features — Day 1

Prabhu Rajendran, published in Everything at Once, Aug 18, 2019

What is IAM? IAM lets you manage users and their level of access to AWS (in short, centralized user management for a single organization).

IAM stands for Identity and Access Management.

  1. IAM is a web service that enables AWS customers to manage users and user permissions in AWS.
  2. IAM sets user permissions and roles, and allows you to grant access to different parts of the AWS platform.
  3. What would happen without IAM? The organization would have to create multiple AWS accounts, each with its own billing and its own subscription to AWS products.
  4. Without IAM there is no control over which tasks a user can perform.
  5. As already said, IAM enables the organization to create multiple users, each with its own security credentials, all controlled by and billed to a single AWS account.

AWS Account Root User: when we first create an AWS account, we get an identity that has complete, unrestricted access to all AWS services and resources in the account. This identity is called the root user.

The root user can also change the account password and view billing information.

Signing in to the AWS Management Console:

  1. Using an email address and password.
  2. Using the combination of email address and password that belongs to the account itself (root user credentials).

Features of IAM:

  1. Centralized control and shared access to AWS accounts.
  2. Granular access (access to only particular services).
  3. Temporary credentials.
  4. Flexible security credential management.
  5. Integration with many AWS services.
  6. Eventually consistent (replicated across Amazon data centers around the world), and so on.

IAM Identities: these are created to provide authentication for people and processes in an AWS account.

IAM Identities are categorized into 3:

  1. IAM users
  2. IAM Groups
  3. IAM Roles

What is an IAM user and why? An IAM user is an entity we create in AWS. It represents the person or service that uses the IAM user to interact with AWS.

  1. The primary use of an IAM user is to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to AWS services using the API or CLI.
  2. Each IAM user is associated with one and only one AWS account.
  3. A user in AWS consists of a name, a password to sign in to the AWS Management Console, and up to two access keys that can be used by the API or CLI.

Creating an IAM User (AWS Management Console):

  • Sign in to the AWS Management Console.
  • Open the IAM console.
  • In the navigation pane, click Users. The Users screen appears, as shown below.
  • Click Add User to add new users to your account. The Add User screen appears, as shown below.

Enter the user name for the user you want to create. You can create five users at a time.

  • Select the AWS access type: whether you want the user to have programmatic access, AWS Management Console access, or both.
  • You can also give the user permission to manage his or her own security credentials.
  • Users can also be created with the AWS CLI and the API.

What is an IAM group and why? A group is a collection of IAM users. We can use groups to specify permissions for a collection of users, which makes it easier to manage users than granting access individually.

  1. Any user in the group automatically has the permissions that are assigned to the group.
  2. Note that a group is not truly an identity and cannot be identified as a principal; it is only a way to attach policies to multiple users at one time.

Creating an IAM Group (AWS Management Console): create the group and attach the policies the group requires.

  • Groups, like users, can also be created with the AWS CLI and the API.

What is an IAM role and why? A role is similar to an IAM user: it is an identity with permission policies that determine what it can and cannot do in AWS.

  1. A role does not have any long-term credentials associated with it.
  2. An IAM user can assume a role to temporarily take on different permissions for a specific task.
  3. A role can be assigned to a federated user who signs in using a third-party identity provider instead of AWS.

Now there will be confusion: when should you create an IAM user and when should you create an IAM role? Roles fit the following situations:

  • A mobile app needs to access AWS resources, but you do not want to store access keys in the app.
  • You want to grant access to AWS resources to identities that exist outside of AWS.
  • You want to grant access to AWS resources to a third party so that they can perform an audit of those resources.
  • You sometimes need to access AWS resources inside your own AWS account or another AWS account; for that time, a role grants the access to the user.

Important terms associated with IAM roles:

Delegation: the process of granting permissions to a user to allow access to AWS resources that we control.

Delegation is set up between the trusted account (which owns the AWS resources) and the trusting account (which needs access to the AWS resources).

The trusting and trusted accounts fall into 3 categories:

  1. The same account.
  2. Two different accounts under the same organization.
  3. Two different accounts owned by different organizations.

To delegate permission to access the resources, an IAM role is created in the trusting account with two policies:

  1. Permission policy: grants the user of the role the permissions needed to carry out the intended tasks.
  2. Trust policy: specifies which members of the trusted account can use the role.

a. Federation: the process of creating a trust relationship between an external identity provider and AWS.

b. Trust policy: a JSON document, written in the IAM policy language, that defines who is allowed to use this role.

c. Permission policy: a JSON document, written in the IAM policy language, that defines the actions and resources the role can use.

d. Permissions boundary: an advanced AWS feature that limits the maximum permissions an identity can have; it can be applied to both IAM users and roles.

e. Principal: can be an IAM user, a role, or the AWS account root user. Permissions are granted to a principal in 2 ways:

  1. Attach a permission policy to the role.
  2. For services that support resource-based policies, identify the principal in the Principal element of the policy attached to the resource.

f. Cross-account access (roles vs. resource-based policies): allows you to grant access to a resource in one account to a trusted principal in another account.
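To make the pieces above concrete (group membership feeding a user's effective permissions, a role's trust policy deciding who may assume it, its permission policy deciding what the session may do, a permissions boundary capping an identity, and the "explicit Deny always wins, otherwise deny by default" rule), here is a small toy policy evaluator. It is an added example, not code from the original post and not AWS's real evaluation engine: the account IDs, user names, bucket ARNs and policy documents are constructed for the illustration, and Condition, NotAction/NotResource, service control policies and session policies are deliberately not modelled.

```python
# Added illustration: a toy evaluator for IAM-style policy documents (not AWS's engine).
# Models identity policies on users and groups, a role's trust policy, the role's
# permission policy, a permissions boundary, and "explicit Deny wins, default deny".
# Not modelled: Condition, NotAction/NotResource, SCPs, session policies.
import fnmatch
import json

USER_ACCOUNT = "111111111111"   # constructed: account holding the IAM users
ROLE_ACCOUNT = "222222222222"   # constructed: account owning the cross-account role
REPORT_BUCKET = "arn:aws:s3:::example-team-reports"   # constructed, in USER_ACCOUNT
LOG_BUCKET = "arn:aws:s3:::example-audit-logs"        # constructed, in ROLE_ACCOUNT
AUDIT_ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/AuditReader"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _stmt_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover this request.
    Actions compare case-insensitively; resource ARNs are case-sensitive."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows,
    otherwise 'ImplicitDeny' (nothing granted the request)."""
    decision = "ImplicitDeny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _stmt_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"           # explicit Deny overrides every Allow
            decision = "Allow"
    return decision


def is_allowed(identity_policies, action, resource, boundary=None):
    """Identity policies must allow, and so must the permissions boundary when
    one is attached: the boundary caps what the identity policies can grant."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False
    return boundary is None or evaluate([boundary], action, resource) == "Allow"


def can_assume(trust_policy, principal_arn):
    """Trust policy check: may this principal ARN call sts:AssumeRole on the role?
    Only explicit principal ARNs are modelled; an account-root principal would hand
    the decision to that account's own IAM policies, which this toy skips."""
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if "sts:assumerole" in actions and any(
                fnmatch.fnmatchcase(principal_arn, p) for p in principals):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_policies(user, groups):
    """A user's identity policies: its own plus those of every group it belongs to."""
    docs = list(user["policies"])
    for name in user["groups"]:
        docs.extend(groups[name]["policies"])
    return docs


GROUPS = {"auditors": {"policies": [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [REPORT_BUCKET, REPORT_BUCKET + "/*"]}]}]}}
USERS = {
    "alice": {"groups": ["auditors"], "policies": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": AUDIT_ROLE_ARN}]}]},
    "bob": {"groups": [], "policies": []},
}
# Permissions boundary attached to alice: caps her at S3 reads plus assuming roles.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "sts:AssumeRole"], "Resource": "*"}]}
# Cross-account role in ROLE_ACCOUNT; the trust policy is parsed from JSON as stored in IAM.
AUDIT_ROLE = {
    "trust_policy": json.loads(f"""{{
      "Version": "2012-10-17",
      "Statement": [{{"Effect": "Allow",
                      "Principal": {{"AWS": "arn:aws:iam::{USER_ACCOUNT}:user/alice"}},
                      "Action": "sts:AssumeRole"}}]}}"""),
    "permission_policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": LOG_BUCKET + "/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": LOG_BUCKET + "/*"}]},
}


def demo():
    """Run the constructed scenario and return each decision by name."""
    alice_arn = f"arn:aws:iam::{USER_ACCOUNT}:user/alice"
    bob_arn = f"arn:aws:iam::{USER_ACCOUNT}:user/bob"
    alice = effective_policies(USERS["alice"], GROUPS)
    log = LOG_BUCKET + "/2019/08/app.log"
    return {
        # inherited from the auditors group and inside the boundary
        "alice_get_report": is_allowed(alice, "s3:GetObject", REPORT_BUCKET + "/q3.csv", BOUNDARY),
        # the group grants ListBucket, but the boundary only covers s3:Get* -> blocked
        "alice_list_reports": is_allowed(alice, "s3:ListBucket", REPORT_BUCKET, BOUNDARY),
        "alice_list_reports_no_boundary": is_allowed(alice, "s3:ListBucket", REPORT_BUCKET),
        # cross-account: alice's identity policy AND the role's trust policy must both allow
        "alice_assumes_audit_role": (is_allowed(alice, "sts:AssumeRole", AUDIT_ROLE_ARN, BOUNDARY)
                                     and can_assume(AUDIT_ROLE["trust_policy"], alice_arn)),
        "bob_assumes_audit_role": can_assume(AUDIT_ROLE["trust_policy"], bob_arn),
        # inside the role session only the role's permission policy applies; Deny beats s3:*
        "role_get_log": evaluate([AUDIT_ROLE["permission_policy"]], "s3:GetObject", log),
        "role_delete_log": evaluate([AUDIT_ROLE["permission_policy"]], "s3:DeleteObject", log),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

The two checks in `alice_assumes_audit_role` are the point of cross-account delegation: the user's own account must grant `sts:AssumeRole` on the role ARN (and the boundary must not cut it off), and the role's trust policy in the other account must name that principal. Either side alone is not enough.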

IAM Roles and Use Cases:

There are 2 ways to use roles:

  1. IAM console: when IAM users are working in the console and want to use a role, they temporarily take on the role's permissions and give up their original permissions; when the user exits the role, the original permissions are restored.
  2. Programmatic access: an AWS service such as an EC2 instance can use a role by requesting temporary security credentials through programmatic requests to AWS.

An IAM role can be used by the following:

  1. IAM users
  2. Applications and services
  3. Federated users

The following are the use cases for roles:

  1. Switch to a role as an IAM user in one AWS account to access another account that you own.
  2. Providing access to an AWS service.
  3. Providing access to externally authenticated users. Sometimes users have identities outside of AWS, such as in a corporate directory. If such users want to work with AWS resources, must they have AWS security credentials? In this situation a role specifies the permissions for a third-party identity provider (IdP).
     • Web identity federation: users do not require any custom sign-in or user identities. A user can sign in with an external identity provider (Facebook, Amazon, Google, etc.); after login the user receives an authentication token, which can be exchanged for temporary security credentials.
     • SAML-based federation (Security Assertion Markup Language): an open framework used by many identity providers, which provides single sign-on access to the AWS Management Console.
  4. Providing access to third parties: when a third party needs to access your AWS resources, you can use roles to delegate access to them without sharing security credentials.

Creating IAM Roles:

Step 1:

Step 2:

Attach policies if required (trust policy and permission policy, in JSON format).

Step 3: Add the role name, description, … and click Create role to create the role.

Step 4: Creating IAM roles for an IAM user (a sample where you can do the same).

I hope the basics of IAM are clear; in the next part we will look at EC2 (Elastic Compute Cloud).

In case of queries please feel free to comment. Thanks for your time.
