Architecting your environment in AWS—or any cloud, for that matter—is just the beginning. Like any other asset, it must be managed. But the typical cloud has many moving parts, i.e. services that need to be run, monitored, and managed. The right thing to do, of course, is to delegate tasks. But delegating tasks means assigning permissions, which can be misused—wilfully or otherwise—so these too need to be managed. AWS Identity and Access Management (IAM) is a service that allows you to do just that. IAM enables you to control access to all the AWS resources in your infrastructure as well as those you might need going forward. IAM allows you to control who is allowed to use which resources.
When you first create your AWS account, you start with a sign-in id. This identity, called the AWS root user, consists of the email address and password you used to register for the account. AWS strongly recommends that the root user credentials are properly safeguarded and used only to perform certain tasks, viz, which only the root user can perform. The full list of these tasks can be accessed in AWS documentation, at
https://docs.aws.amazon.com/
IAM Features
Shared access
IAM allows you to give other people permission to use and administer resources in your AWS account without sharing your password or log-in.
Fine-grained access
You can give different people different permissions for specific resources. For instance, you can give some people access to Amazon EC2 (Elastic Compute Cloud), S3 (Simple Storage Service), DynamoDB, and other specified AWS resources, you can grant read-only permissions to administer certain EC2 instances, or access only certain S3 buckets. You can even allow outside users who might already have passwords elsewhere (with an internet identity provider, like Facebook or Google, for instance) to gain access temporarily to your AWS account.
Authenticating IAM Users & Groups
All users must be authenticated before using any AWS services, which can be accessed in the following ways:
Through the AWS management console—a browser-based interface
Through the AWS command line interface and command line tools—this is faster and more convenient than using the console. The tools can be used to write scripts that perform AWS tasks
Using AWS software development kits (SDK) These kits are provided by AWS and consist of libraries for a variety of programming languages and platforms like Python, Ruby, .Net, Android, iOS, etc
IAM HTTPS API—access IAM programmatically by issuing HTTPS requests, but you must include code to digitally sign requests with your credentials
Users and User Groups
Each user has specific permissions with access to specific resources to perform specific tasks. You can create users in your AWS account to match people in your organization.
As the number of users managing your account grows in number, you might find it easier to manage permissions for multiple IAM users using IAM Groups. Each member of the group will have the same permissions.
After a user has been authenticated, they need to be authorized to use certain resources. This is because by default users are granted access to anything in your AWS account. You need to manage this by creating a policy. You can assign the policy to an individual user or a group. When you assign a policy to a group, all the members in the group get the same permissions by default.
IAM Policies
An IAM policy is a JSON document that lists permissions explicitly. Any actions or resources that are not granted in the document are denied to the user. The IAM policy tells you:
Who is authorized? This could be a user/group or another user in AWS
Which task is allowed?
What conditions must be met for authorization, e.g. IP address?
The resources on which the authorized tasks can be performed
IAM Roles allow users to assume certain permissions temporarily in order to undertake specific tasks
IAM Roles
An IAM role is an identity that is linked to resource-based policies.
It allows you to grant access to users or services that wouldn’t normally have access to your AWS resources. These users or services can temporarily assume the specific role and get the security credentials needed to make AWS API calls.
It is similar to a user, in that it grants the user permission—or denies permissions—to do certain things. Roles do not have any long-term credentials like access keys or passwords; these are created dynamically when a user is assigned to a certain role. Note that a user who assumes a role gives up his/her own permissions and assumes the permissions granted with the role. Roles offer a secure way to pass credentials temporarily to a user so they can complete a certain job.
Takeaway
AWS IAM lets you create users and groups to help you manage your AWS cloud. You can manage IAM roles and their permissions using policies that specifically grant or withhold permissions to take certain actions on certain resources. When you attach a policy to a user group, all the members of that group assume the same permissions. You can also grant temporary permissions using IAM roles. IAM also enables the use of identity federation to allow existing entities in your enterprise to access your AWS account without creating separate IAM policies for each identity.
