AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a foundational service in AWS for controlling access and permissions within an AWS account. Here are the core components:

1. User

• Definition: A user is an entity created to represent an individual or application needing access to AWS resources.
• Characteristics: Each user has a unique identity and can have unique permissions. AWS IAM allows attaching policies directly to users, defining what resources and operations they are allowed to access.
• Authentication: Users can authenticate with a username and password for AWS Management Console access or use access keys for programmatic access through the AWS CLI or SDKs.

2. Group

• Definition: A group is a collection of IAM users. It helps manage permissions for multiple users at once.
• Purpose: Groups allow us to assign permissions collectively to multiple users by attaching policies to the group rather than each user individually. For instance, we could create a “Developers” group with specific permissions and add all developers to this group.
• Limitations: Groups cannot be nested (i.e., we cannot create a group within another group). Permissions are inherited from the policies attached to the group.

3. Role

• Definition: A role is an IAM entity with a set of permissions that can be assumed by users, applications, or services.
• Purpose: Roles are used for granting temporary access to AWS resources without creating a user or sharing access keys. They are particularly useful for granting cross-account access and enabling applications or AWS services to access resources.
• Assumption: Roles can be assumed by AWS services (e.g., an EC2 instance or Lambda function) or external identities (e.g., users from another AWS account or an identity provider).
• Temporary Security Credentials: When a role is assumed, it provides temporary security credentials (usually a limited-duration access key, secret key, and session token).

4. Policy

• Definition: A policy is a JSON document that defines permissions. It specifies actions, resources, and conditions under which access is allowed or denied.
• Types:
  • Managed Policies: Created and managed by AWS (AWS managed policies) or the customer (customer-managed policies). These can be attached to multiple users, groups, or roles.
  • Inline Policies: Embedded directly within a single user, group, or role, making them exclusive to that entity.
• Structure: Policies include statements defining Effect (Allow/Deny), Action (API calls that can be made), Resource (which AWS resources are affected), and optional Condition (criteria for access control).
• Policy Evaluation: When a request is made, IAM evaluates policies to determine if access should be granted. It combines permissions from all policies (attached to user, group, or role) to make this decision.

Summary

These components work together to manage access control in AWS:

• Users and groups handle direct access management for individuals and teams.
• Roles provide temporary and cross-account access for users or services.
• Policies define permissions and can be attached to users, groups, or roles to enforce fine-grained access control.

IAM’s flexibility and granularity make it essential for securely managing AWS resources and ensuring compliance with organizational policies.