Identity and Access Management

In this tutorial, we explore what Identity and Access Management (IAM) is and the IAM features we can use to implement the required secure access in our account. We’ll also discuss some other services that assist us in managing AWS accounts.

Identity and Access Management (IAM) is a service provided by AWS that allows you to control who has access to your AWS resources, what actions they can take, and under what conditions they can perform those actions. IAM is essential for securely managing access to AWS, enabling you to grant the right permissions to the right people or services while protecting resources from unauthorized access.

IAM (Identity and Access Management) is a security and management service of AWS. It is a global service that helps us provide external entities with secure access to AWS services or resources within our account. It takes care of both authentication (who is accessing the AWS account) and authorization (which services/resources is the authenticated entity accessing).

Why do we need IAM?

When we create an AWS account, we are provided with the login credentials. Using those credentials, we can log in as the root user. A root user has unrestricted access to all the AWS services and resources within our account. When working with AWS, we may need to provide different users or applications access to AWS services or resources. Providing them with the root user credentials is risky as it may lead to security breaches. Identity and Access Management (IAM) helps us provide that required access. It helps us create resources representing the requesting entities in our account and define their scope of permissions. Along with this, it helps us monitor, manage, and modify this access as per our requirements.

Role of IAM
Why IAM is Important
  • Security: IAM secures access to AWS resources, helping prevent unauthorized access by enforcing the principle of least privilege.
  • Control: With IAM, you can define granular permissions and assign them to specific identities based on their role or need.
  • Flexibility: IAM’s roles and policies allow you to manage access for both human users and services, enabling secure and efficient use of AWS resources.
  • Audit and Compliance: IAM supports auditing with AWS CloudTrail, allowing you to monitor actions and track changes to permissions.
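The audit point above is easiest to see with CloudTrail data. The following is an added example (not code from this tutorial): it scans a few constructed CloudTrail records and flags root-account activity, console logins without MFA, and IAM calls that change permissions. The field names (userIdentity.type, eventName, additionalEventData.MFAUsed) are real CloudTrail fields; the account id, user names and IP addresses are made up.

```python
"""Flag risky IAM-related events in CloudTrail records.

Added example, not code from the original tutorial. The records below
are constructed to mimic the shape of CloudTrail events; all values
(account id, user names, IPs, times) are fictitious.
"""
import json

# Constructed sample CloudTrail records (values are fictitious).
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111111111111:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "sourceIPAddress": "198.51.100.10"},
    {"eventTime": "2024-01-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111111111111:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "sourceIPAddress": "198.51.100.11"},
    {"eventTime": "2024-01-01T10:07:00Z", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111111111111:user/bob"},
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
     "sourceIPAddress": "198.51.100.12"},
]})

# IAM API calls that change who can do what; each one deserves a review.
PERMISSION_CHANGE_EVENTS = {
    "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy",
    "PutUserPolicy", "PutGroupPolicy", "PutRolePolicy",
    "CreateAccessKey", "CreateUser", "UpdateAssumeRolePolicy",
}


def find_findings(raw_json: str) -> list:
    """Return one finding per risky record: root usage, console login
    without MFA, or a permission change. A record can yield several."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        base = {"time": rec["eventTime"], "who": who, "event": rec["eventName"]}
        if ident.get("type") == "Root":
            findings.append({**base, "rule": "root-account-activity"})
        if (rec["eventName"] == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append({**base, "rule": "console-login-without-mfa"})
        if rec["eventName"] in PERMISSION_CHANGE_EVENTS:
            findings.append({**base, "rule": "iam-permission-change"})
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_EVENTS):
        print(f"{f['time']} {f['rule']:28} {f['who']} ({f['event']})")
```

Run against the constructed input, the root login produces two findings (root usage and no MFA) and the AttachUserPolicy call produces a third; the MFA-backed login by alice produces none. In a real pipeline the same three rules would run over the JSON files CloudTrail delivers to S3.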

Components of IAM

AWS Identity and Access Management (IAM) consists of several core components, each playing a vital role in managing and securing access to AWS resources.

1. IAM Users

  • Represents an individual (person, application, or service) that needs access to AWS resources.
  • Each user has a unique identity within the AWS account and can be given credentials, such as a password (for AWS Management Console access) and access keys (for programmatic access through the AWS CLI or SDKs).
  • Permissions are assigned to users via policies.

2. IAM Groups

  • A collection of IAM users that allows you to manage permissions for multiple users at once.
  • Users inherit permissions from the group they are assigned to, simplifying permissions management.
  • Common group names might include “Admins,” “Developers,” or “ReadOnlyUsers,” each with tailored permissions.

3. IAM Roles

  • Allows temporary access to AWS resources and can be assumed by users, applications, or other AWS services.
  • Ideal for granting temporary permissions to users, applications, or services without needing to create permanent IAM users or credentials.
  • Often used for granting permissions to EC2 instances, Lambda functions, and cross-account access.

4. Policies

  • Documents written in JSON format that define permissions (allowed or denied actions) for users, groups, or roles.
  • Managed Policies: Can be AWS-managed (predefined by AWS) or customer-managed (created and customized by the user).
  • Inline Policies: Policies embedded directly in a single user, group, or role; they cannot be shared and are specific to the entity they’re attached to.

5. Multi-Factor Authentication (MFA)

  • An added layer of security that requires users to provide a second form of authentication (like an MFA token) in addition to a password.
  • Helps secure AWS accounts, especially for privileged or sensitive roles.

6. Identity Providers and Federation

  • Allows integration with external identity providers, enabling users to sign in to AWS using credentials from corporate directories or social identities.
  • Federation: Supports SAML 2.0 and OpenID Connect (OIDC) to connect with external systems and enable single sign-on (SSO) for seamless access.

7. Access Keys

  • Consist of an Access Key ID and a Secret Access Key and are used to authenticate programmatic requests (through the AWS CLI, SDKs, or APIs).
  • Assigned to IAM users and are ideal for applications or scripts that need to access AWS resources programmatically.
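To show what "authenticate programmatic requests" means in practice, here is an added example (not AWS SDK code) that reproduces the Signature Version 4 key-derivation chain the AWS CLI and SDKs run locally: the Secret Access Key is used only as HMAC key material, and what travels in the Authorization header is the Access Key ID plus a signature. The credentials are the familiar documentation placeholder values, not real keys, and the string-to-sign is constructed; building a real canonical request is omitted, so the signature is illustrative only.

```python
"""How a Secret Access Key authenticates a request without being sent.

Added example, not AWS SDK code. Reproduces the SigV4 signing-key
derivation (HMAC-SHA256 over date, region, service, "aws4_request")
and signs a constructed string-to-sign.
"""
import hashlib
import hmac

# Placeholder credentials (constructed; the AWS documentation example values).
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key.
    The secret is only ever HMAC key material; it never leaves the client."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign(secret: str, date_stamp: str, region: str, service: str,
         string_to_sign: str) -> str:
    """Hex signature that is sent alongside the Access Key ID."""
    return hmac.new(signing_key(secret, date_stamp, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def authorization_header(access_key_id: str, secret: str, date_stamp: str,
                         region: str, service: str, string_to_sign: str) -> str:
    """Assemble the Authorization header value: the key id and credential
    scope identify the caller; the signature proves possession of the secret."""
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    sig = sign(secret, date_stamp, region, service, string_to_sign)
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders=host;x-amz-date, Signature={sig}")


if __name__ == "__main__":
    # Constructed string-to-sign; a real one ends with the SHA-256 of the
    # canonical request (here the hash of an empty string is used).
    sts = ("AWS4-HMAC-SHA256\n20240101T000000Z\n"
           "20240101/us-east-1/s3/aws4_request\n"
           "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
    print(authorization_header(ACCESS_KEY_ID, SECRET_ACCESS_KEY,
                               "20240101", "us-east-1", "s3", sts))
```

Because the signing key is scoped to a date, region and service, a leaked signature is far less useful than a leaked secret; the secret itself is the thing to protect, rotate, and never commit to source control.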

8. Resource-Based Policies

  • Attached directly to resources, like S3 buckets, SQS queues, and SNS topics, allowing fine-grained control over who can access that resource.
  • Allows cross-account permissions, making it possible to grant access to users, roles, or whole accounts directly on the resource rather than through an identity-based policy attached to each principal.

These IAM components enable AWS customers to manage access securely and flexibly across various AWS services and resources, ensuring that users, applications, and services have the appropriate permissions needed to perform their tasks.

How IAM works

AWS Identity and Access Management (IAM) provides centralized control over who is authenticated (signed in) and authorized (has permissions) to use AWS resources. Identity and Access Management works by allowing users to define and enforce permissions through policies, ensuring that only authorized identities can access resources.

When an entity requests access to any AWS service or resource, that request is first analyzed by IAM. IAM checks the credentials provided by the requesting entity to authenticate it. After the entity has been authenticated, IAM evaluates the permissions granted to it and checks whether the current request falls within that pool of permissions. Upon verifying that the requesting entity is authorized to access the requested service/resource, IAM provides it with the required access.

IAM workflow

If the requesting entity fails any of these checks, its request is denied, and an appropriate denial reason is sent as the response to its request.
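The Policies and MFA sections above and the authorization check just described can be made concrete with a small evaluator. This is an added example, not AWS code: it models a single account's decision for identity-based policies (implicit deny by default, any matching explicit Deny overriding any Allow), supports "*" wildcards in Action and Resource, and implements the Bool and BoolIfExists operators on the aws:MultiFactorAuthPresent condition key. The policy document is constructed for the example; real IAM has many more condition operators and policy types.

```python
"""Simplified IAM authorization decision (added example, not AWS code).

Models: implicit deny by default, explicit Deny beats Allow, "*"
wildcards in Action/Resource, and the Bool / BoolIfExists operators on
aws:MultiFactorAuthPresent. Everything else in real IAM is omitted.
"""
import fnmatch
import json

# Constructed identity-based policy: read-only on one bucket, plus
# object deletion that a Deny statement blocks unless MFA was used.
# BoolIfExists matters: requests signed with long-term access keys carry
# no aws:MultiFactorAuthPresent key at all, and BoolIfExists treats the
# missing key as a match, so such requests are denied too.
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny",
     "Action": "s3:Delete*",
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition: dict, context: dict) -> bool:
    """Evaluate a Condition block; only Bool/BoolIfExists on
    aws:MultiFactorAuthPresent is modelled here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key != "aws:MultiFactorAuthPresent" or operator not in ("Bool", "BoolIfExists"):
                raise NotImplementedError(f"{operator}/{key} not modelled")
            actual = context.get(key)
            if actual is None:
                # Missing key: BoolIfExists matches, plain Bool does not.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(actual).lower() != str(expected).lower():
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context=None) -> bool:
    """True only if some statement allows the request and no statement
    explicitly denies it. Actions match case-insensitively, resources
    case-sensitively, as in IAM."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(stmt["Resource"])):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit deny overrides every Allow
        allowed = True
    return allowed                # implicit deny unless an Allow matched


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("GetObject:", is_allowed(DEVELOPER_POLICY, "s3:GetObject", obj))
    print("PutObject:", is_allowed(DEVELOPER_POLICY, "s3:PutObject", obj))
    print("DeleteObject, MFA:", is_allowed(DEVELOPER_POLICY, "s3:DeleteObject", obj,
                                           {"aws:MultiFactorAuthPresent": "true"}))
    print("DeleteObject, access keys:", is_allowed(DEVELOPER_POLICY, "s3:DeleteObject", obj))
```

Reading the results the way IAM would: GetObject on the bucket is allowed, PutObject is implicitly denied because nothing grants it, and DeleteObject is allowed only when the request context records that MFA was present; with plain access keys the Deny wins even though an Allow statement matches, which is the denial path described in the workflow above.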

In summary, Identity and Access Management (IAM) is the central security and access control service in AWS, critical for managing who can access your resources and how. By defining and enforcing permissions, Identity and Access Management helps protect your AWS environment while maintaining flexibility for users and applications.

That’s all about AWS Identity and Access Management (IAM). If you have any queries or feedback, please write to us at contact@waytoeasylearn.com. Enjoy learning, Enjoy AWS Tutorials!
