Introduction to AWS IAM

Deepak Sharma
Published in tech_vichaar
3 min read · Jan 4, 2020
(Figure: AWS IAM Dashboard)

Listed under the Security, Identity and Compliance section of the AWS console, AWS Identity and Access Management (IAM) is one of the most used services on the platform.

Why do we need IAM in the first place?

In a typical organization, a single AWS account serves all engineering and management needs. If x people need to use different AWS services and the account itself is the only identity, the root credentials have to be shared with each of them, which is a serious security problem: every copy of those credentials is another chance for them to be compromised, and a compromised root credential means the whole account is lost.

What is Identity and Access Management (IAM) and how does it help?

IAM lets us securely control individual and group permissions on AWS resources. We can manage user and group entities and grant each of them only the limited, well-defined set of permissions it needs.

IAM is a global service: users (and groups, roles and policies) are not tied to a region, so a user does not have to be in any particular region to sign in.

IAM has a few concepts to understand:

  • IAM Users: a user can be an individual, a system, or an application that needs access to AWS services.
  • IAM Groups: collections of users, say an Engineering group or an HR group; a policy attached to the group applies to every member.
  • IAM Roles: a role is a set of permissions that an identity or service assumes in order to make requests. Roles are typically used by one service to interact with another: if a server needs to read data from a database, it is given a role carrying only the required database read permissions, and it obtains temporary credentials for that role instead of holding long-lived keys.
  • IAM Policies: a policy is a JSON document that defines the AWS permissions (allowed or denied actions on resources) that we can attach to a user, group, or role.
  • IAM Identity Providers: used to integrate Single Sign-On (SSO) with short-lived tokens by federating with external identity providers such as Google or Facebook.

Now let's assume:

1. The HR team needs access to S3 (Simple Storage Service) only to upload and download files (our beautiful resumes).

2. Management needs read-only access to the analytics of deployed services and to cost monitoring.

3. The engineering team needs read and write permissions only for new services.

So, ideally, the admin will first create a user account for each person:

(Figure: IAM users list)

attach the respective policies to them and add them to their respective groups:

And finally forward them the required credentials to sign in and carry on with their respective assignments.

(Figure: user list with credentials)

So the users above, with the credentials provided, have limited access to AWS services: anything their policies do not explicitly allow is denied, so they cannot interact with any other AWS service.
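To make the scenario concrete, here is a worked example added to this article (it is not the author's code and not AWS's implementation). It writes the three group policies and the server role's trust and permission policies as the JSON documents you would paste into the IAM console, and runs them through a small model of IAM's identity-based evaluation order: an explicit Deny always wins, otherwise any matching Allow grants access, otherwise the request is implicitly denied. The account id, bucket name and table name are made up, and the evaluator deliberately ignores conditions, NotAction/NotResource, resource-based policies, SCPs and permission boundaries.

```python
"""Worked example added to this article (not the author's or AWS's code):
JSON policy documents for the three teams in the scenario, the trust and
permission policies for a server role, and a simplified model of how IAM
evaluates them. Account id, bucket and table names are made up."""
import fnmatch
import json

ACCOUNT = "123456789012"            # assumed account id
RESUME_BUCKET = "acme-hr-resumes"   # assumed bucket name
ORDERS_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/orders"  # assumed

# HR: upload and download resumes in one bucket, nothing else.
HR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "UploadDownloadResumes", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{RESUME_BUCKET}/*"},
        {"Sid": "ListResumeBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{RESUME_BUCKET}"},
    ],
}

# Management: read-only on service metrics and cost data.
MANAGEMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadMetricsAndCost", "Effect": "Allow",
         "Action": ["cloudwatch:Get*", "cloudwatch:List*",
                    "cloudwatch:Describe*", "ce:Get*", "ce:Describe*"],
         "Resource": "*"},
    ],
}

# Engineering: read/write on compute services, with an explicit Deny that
# keeps them away from IAM itself and from terminating instances.
ENGINEERING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ManageServices", "Effect": "Allow",
         "Action": ["ec2:*", "lambda:*"], "Resource": "*"},
        {"Sid": "NoIamNoTerminate", "Effect": "Deny",
         "Action": ["iam:*", "ec2:TerminateInstances"], "Resource": "*"},
    ],
}

# The server role from the article: EC2 may assume it (trust policy) and it
# may only read one table (permission policy).
SERVER_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
SERVER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadOrders", "Effect": "Allow",
                   "Action": ["dynamodb:GetItem", "dynamodb:Query",
                              "dynamodb:Scan"],
                   "Resource": ORDERS_TABLE}],
}


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Simplified identity-based evaluation: explicit Deny wins, then any
    matching Allow, otherwise implicit Deny. Conditions, NotAction/NotResource,
    resource policies, SCPs and permission boundaries are ignored."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; '*' and '?' are wildcards.
            action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                             for a in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource, r)
                               for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    cv = f"arn:aws:s3:::{RESUME_BUCKET}/cv.pdf"
    checks = [
        ("HR", HR_POLICY, "s3:PutObject", cv),
        ("HR", HR_POLICY, "s3:DeleteObject", cv),
        ("HR", HR_POLICY, "ec2:RunInstances", "*"),
        ("Management", MANAGEMENT_POLICY, "ce:GetCostAndUsage", "*"),
        ("Management", MANAGEMENT_POLICY, "cloudwatch:PutMetricAlarm", "*"),
        ("Engineering", ENGINEERING_POLICY, "ec2:TerminateInstances", "*"),
        ("ServerRole", SERVER_ROLE_POLICY, "dynamodb:DeleteTable", ORDERS_TABLE),
    ]
    for who, policy, action, res in checks:
        print(f"{who:12} {action:26} -> {evaluate([policy], action, res)}")
    print(json.dumps(HR_POLICY, indent=2))  # the document to paste into the console
```

The same policy documents are what you would attach to the groups with `aws iam put-group-policy` (or `attach-group-policy` for managed policies) after `aws iam create-group` and `aws iam add-user-to-group`; to check the real evaluation, including everything the model above leaves out, use `aws iam simulate-principal-policy` against the user's or role's ARN rather than trusting a local model.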

We can always add, modify, update and delete users, groups and policies as requirements change, with a few clicks in the IAM dashboard.

Catch me on LinkedIn


Software Engineer @RedHat. Loves R&D, DevOps, and Engineering. Football and Chess are Love. https://finddeepak.com