Kalpana Kanade, published in Petabytz, Sep 14, 2019

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

  • AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users.
  • IAM is used to control
    • Identity — who can use your AWS resources (authentication)
    • Access — what resources they can use and in what ways (authorization)
  • IAM can also keep your account credentials private.
  • With IAM, multiple IAM users can be created under the umbrella of the AWS account, or temporary access can be enabled through identity federation with a corporate directory or third-party providers.
  • IAM also enables access to resources across AWS accounts.

IAM Features

  • Shared access to your AWS account
    • Grant other people permission to administer and use resources in your AWS account without having to share your password or access key.
  • Granular permissions
    • Each user can be granted a different set of granular permissions, as required to perform their job.
  • Secure access to AWS resources for applications that run on EC2
    • IAM can provide applications running on an EC2 instance with the temporary credentials they need in order to access other AWS resources.
  • Identity federation
    • IAM allows users to access AWS resources without requiring them to have accounts with AWS, by providing temporary credentials, e.g. through a corporate network or Google or Amazon authentication.
  • Identity information for assurance
    • CloudTrail can be used to receive log records that include information about who made requests for resources in the account.
  • PCI DSS Compliance
    • IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being Payment Card Industry Data Security Standard (PCI DSS) compliant.
  • Integrated with many AWS services
    • IAM integrates with almost all AWS services.
  • Eventually consistent
    • IAM, like many other AWS services, is eventually consistent and achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world.
    • Changes made to IAM are therefore eventually consistent and can take some time to be reflected.
  • Free to use
    • IAM is offered at no additional charge; charges apply only for the use of other AWS products by your IAM users.
  • AWS Security Token Service
    • IAM provides STS, which is an included feature of the AWS account offered at no additional charge.
    • AWS charges only for the use of other AWS services accessed with AWS STS temporary security credentials.

Identities

IAM identities determine who can access your AWS account and help provide authentication for the people and processes that use it.

Account Root User

  • Root account credentials are the email address and password with which you sign in to the AWS account.
  • Root credentials have full, unrestricted access to the AWS account, including the account security credentials, which contain sensitive information.
  • IAM Best Practice — Do not use or share the root account once the AWS account is created; instead, create a separate user with admin privileges.
  • An administrator account can be created for all day-to-day activities; it too has full access to the AWS account, except for the account's security credentials, billing information and the ability to change the root password.

IAM Users

  • An IAM user represents the person or service that uses the access to interact with AWS.
  • User credentials can consist of the following
    • Password to access AWS services through the AWS Management Console
    • Access Key/Secret Access Key to access AWS services through the API, CLI or SDK
  • An IAM user starts with no permissions and is not authorized to perform any AWS actions on any AWS resources; it should be granted permissions as per the job function requirement.
  • IAM Best Practice — Grant least privilege
  • Each IAM user is associated with one and only one AWS account.
  • An IAM user cannot be renamed from the AWS Management Console; this has to be done from the CLI or SDK tools.
  • IAM handles the renaming of a user with respect to the unique ID, groups and policies where the user was mentioned as a principal. However, you need to handle the renaming yourself in policies where the user was mentioned as a resource.

IAM Groups

  • An IAM group is a collection of IAM users.
  • IAM groups can be used to specify permissions for a collection of users sharing the same job function, making them easier to manage.
  • IAM Best Practice — Use groups to assign permissions to IAM users
  • A group is not truly an identity because it cannot be identified as a Principal in an access policy. It is only a way to attach policies to multiple users at one time.
  • A group can have multiple users, while a user can belong to multiple groups (10 max).
  • Groups cannot be nested and can only contain users.

AWS IAM Role

  • An IAM role is very similar to a user, in that it is an identity with permission policies that determine what the identity can and cannot do in AWS.
  • An IAM role is not intended to be uniquely associated with a particular user, group or service; it is intended to be assumable by anyone who needs it.
  • A role does not have any credentials (password or access keys) associated with it; whoever assumes the role is provided with dynamic temporary credentials.
  • A role helps in access delegation: granting permissions to someone that allow access to resources that you control.
  • A role involves defining two policies
    • Trust policy
      • The trust policy defines who can assume the role.
      • The trust policy sets up a trust between the account that owns the resource (trusting account) and the account that owns the user who needs access to the resources (trusted account).
    • Permissions policy
      • The permissions policy defines what they can access.
      • The permissions policy determines authorization; it grants the user of the role the permissions needed to carry out the desired tasks on the resource.
  • Federation is creating a trust relationship between an external Identity Provider (IdP) and AWS
    • Users can sign in to an enterprise identity system that is compatible with SAML
    • Users can sign in to a web identity provider, such as Login with Amazon, Facebook, Google, or any IdP that is compatible with OpenID Connect (OIDC)

Multi-Factor Authentication (MFA)

  • For increased security and to help protect the AWS resources, multi-factor authentication can be configured.
  • IAM Best Practice — Enable MFA on root accounts and privileged users
  • Multi-factor authentication can be configured using
    • Security token-based
      • The AWS root user or an IAM user can be assigned a hardware/virtual MFA device
    • SMS text message-based (Preview Mode)
      • An IAM user can be configured with the phone number of the user’s SMS-compatible mobile device, which receives a 6-digit code from AWS
      • SMS-based MFA is available only for IAM users and does not work for the AWS root account
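The two policies a role needs (the trust policy that says who may assume it, the permissions policy that says what it may then do), as an added example that is not code from the original post: Python that builds a cross-account trust policy, a least-privilege permissions policy for the role, and a small audit that flags two weaknesses a reviewer looks for in trust policies. Conditioning `sts:AssumeRole` on `aws:MultiFactorAuthPresent` is a design choice here, tying the MFA best practice above to role assumption. The account IDs, bucket name and function names are constructed placeholders, not values from the post.

```python
import json

# Constructed placeholder account IDs and bucket name (not from the original post).
TRUSTING_ACCOUNT = "111111111111"   # owns the resources and the role
TRUSTED_ACCOUNT = "222222222222"    # owns the users who need access
BUCKET = "example-reports-bucket"


def trust_policy(trusted_account: str, require_mfa: bool = True) -> dict:
    """Trust policy: WHO may assume the role (principals in the trusted account)."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Only principals that authenticated with MFA may assume the role.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def permissions_policy(bucket: str) -> dict:
    """Permissions policy: WHAT the role may do once assumed (least privilege: read one bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def audit_trust_policy(policy: dict) -> list:
    """Return the findings a reviewer would raise against an over-broad trust policy."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws if isinstance(aws, list) else [aws]
        if any(p == "*" for p in principals):
            findings.append("trust policy allows any AWS principal to assume the role")
        condition = st.get("Condition", {})
        if condition.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("sts:AssumeRole is not conditioned on MFA")
    return findings


if __name__ == "__main__":
    good = trust_policy(TRUSTED_ACCOUNT)
    print(json.dumps(good, indent=2))
    print(json.dumps(permissions_policy(BUCKET), indent=2))
    print("findings (good):", audit_trust_policy(good))
    # Constructed weak trust policy: wildcard principal, no MFA condition.
    weak = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}
    print("findings (weak):", audit_trust_policy(weak))
```

The audit is deliberately narrow: it only inspects the two fields the trust policy discussion above turns on (the Principal and an MFA condition) and reports a finding per statement, so a role with several Allow statements is checked statement by statement.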

IAM Access Management

  • IAM access management is all about permissions and policies.
  • A permission allows you to define who has access and what actions they can perform.
  • An IAM policy helps to fine-tune the permissions granted to the policy owner.
  • An IAM policy is a document that formally states one or more permissions.
  • The most restrictive policy always wins: an explicit Deny overrides any Allow.
  • IAM policies are defined in JSON (JavaScript Object Notation) format.

Identity-Based vs Resource-Based Permissions

  • Identity-based, or IAM, permissions
    • Identity-based permissions are attached to an IAM user, group, or role and specify what the user, group or role can do.
    • The user, group, or role itself acts as the Principal.
    • IAM permissions can be applied to almost all AWS services.
  • Resource-based permissions
    • Resource-based permissions are attached to a resource, e.g. an S3 bucket or an SNS topic.
    • Resource-based permissions specify both who has access to the resource (Principal) and what actions they can perform on it (Actions).
    • Resource-based policies are inline only, not managed.
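The evaluation rules stated in the two sections above (a user starts with no permissions, the most restrictive policy wins, identity-based policies take their Principal from the identity they are attached to while resource-based policies name one) can be seen in a simplified evaluator. This is an added example, not the post's own code and not AWS's evaluation engine: it handles same-account Allow/Deny statements with `*` and `?` wildcards and ignores NotAction, Conditions, permissions boundaries, session policies and SCPs. The user ARNs, bucket and both policies are constructed sample data.

```python
import re

# --- constructed sample data (placeholder account, users and bucket; not from the post) ---
ALICE = "arn:aws:iam::111111111111:user/alice"
BOB = "arn:aws:iam::111111111111:user/bob"
BUCKET_ARN = "arn:aws:s3:::example-reports-bucket"

# Identity-based policy attached to alice: no Principal element, alice is the principal.
ALICE_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": BUCKET_ARN + "/*"},
        # Explicit Deny on one prefix; it beats the Allow above (most restrictive wins).
        {"Effect": "Deny", "Action": "s3:*", "Resource": BUCKET_ARN + "/secret/*"},
    ],
}

# Resource-based (bucket) policy: names its Principal explicitly.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": BOB},
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/public/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _statement_applies(st: dict, action: str, resource: str) -> bool:
    actions = _as_list(st.get("Action", []))
    resources = _as_list(st.get("Resource", "*"))
    return (any(_wild(a, action) for a in actions)
            and any(_wild(r, resource) for r in resources))


def _principal_applies(st: dict, principal_arn: str) -> bool:
    """Identity-based statements carry no Principal: the attached identity is the principal."""
    principal = st.get("Principal")
    if principal is None:
        return True
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return any(_wild(p, principal_arn) for p in _as_list(aws))


def evaluate(principal_arn, action, resource, identity_policies=(), resource_policy=None):
    """Simplified same-account decision: explicit Deny wins, then any Allow, else implicit deny."""
    statements = [(st, False) for pol in identity_policies for st in pol["Statement"]]
    if resource_policy is not None:
        statements += [(st, True) for st in resource_policy["Statement"]]

    decision = "ImplicitDeny"            # an identity with no matching Allow gets nothing
    for st, resource_based in statements:
        if resource_based and not _principal_applies(st, principal_arn):
            continue
        if not _statement_applies(st, action, resource):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"         # Deny overrides every Allow, wherever it appears
        decision = "Allow"                # keep scanning: a later Deny still wins
    return decision


if __name__ == "__main__":
    for who, action, key, pols in [
        (ALICE, "s3:GetObject", "/reports/q3.csv", [ALICE_IDENTITY_POLICY]),
        (ALICE, "s3:GetObject", "/secret/keys.txt", [ALICE_IDENTITY_POLICY]),
        (ALICE, "s3:PutObject", "/reports/q3.csv", [ALICE_IDENTITY_POLICY]),
        (BOB, "s3:GetObject", "/public/readme.txt", []),
        (BOB, "s3:GetObject", "/reports/q3.csv", []),
    ]:
        print(who.split("/")[-1], action, key, "->",
              evaluate(who, action, BUCKET_ARN + key, pols, BUCKET_POLICY))
```

Bob has no identity-based policy at all and is still allowed `s3:GetObject` under `/public/`, because the bucket policy names him as Principal; Alice is allowed under `/reports/` by her identity-based policy, is denied under `/secret/` even though an Allow also matches, and gets an implicit deny for `s3:PutObject`, which no policy mentions. The real AWS evaluation adds further layers (permissions boundaries, SCPs, session policies and the cross-account rule that both sides must allow), but the Deny-wins ordering shown here is the core of it.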
