IAM in AWS

Introduction to IAM

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage users and their level of access to the AWS console, ensuring that only authorized personnel can access specific resources.

In other words, IAM provides authentication and authorization for users accessing AWS resources.

Authentication

IAM handles authentication by verifying the identities of users and services attempting to access AWS resources.

Authorization

IAM manages authorization by defining permissions and policies that determine which resources users and services can access and what actions they can perform. Policies are attached to IAM identities (users, groups, and roles) to grant or deny permissions.

Components of IAM

1. Users: Users in IAM are individual identities with unique credentials and permissions. For example, you might create an IAM user for each person who needs access to your AWS account.

2. Policies: Policies are JSON documents that define what actions are allowed or denied on AWS resources. Policies can be attached to users, groups, or roles to specify their permissions. For example, you can create a policy that allows users to launch and manage EC2 instances but restricts them from deleting instances.

3. Groups: Groups are collections of users that simplify permission management. Instead of assigning permissions to each user individually, you can create a group and assign permissions to the group. Any user added to the group will inherit those permissions. For instance, you might create a "Developers" group with permissions to access EC2 instances and S3 buckets. When new developers join your team, you can add them to the group, and they'll automatically have the necessary permissions without manual configuration.

4. Roles: IAM roles are similar to IAM users in that both can be granted access to services. The difference is that a role has no long-term credentials: whoever assumes the role receives temporary security credentials, whereas a user has permanent ones. Roles matter when an application or service, rather than a person, needs to access AWS services. Since permissions cannot be given directly to an application or service, a role is created for it to assume, and that role provides the temporary credentials used to access AWS services, including from outside AWS.
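To make the policy example from item 2 concrete, here is an added example (not from the original article or from AWS) that builds the described policy as a JSON document and implements the core IAM evaluation order for a single identity-based policy: an explicit Deny always wins, an Allow grants access, and anything unmatched is implicitly denied. The policy content, the `evaluate` function and the simplifications (no conditions, resource policies, SCPs, permission boundaries or NotAction) are assumptions for illustration.

```python
import fnmatch
import json

# Constructed policy matching the text: allow launching and managing EC2
# instances, but explicitly deny terminating (deleting) them.
EC2_OPERATOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:Describe*"],
         "Resource": "*"},
        {"Effect": "Deny",
         "Action": "ec2:TerminateInstances",
         "Resource": "*"},
    ],
})


def _matches(pattern, value, fold):
    """IAM-style wildcard match ('*' and '?'); actions are case-insensitive,
    resource ARNs are case-sensitive. `pattern` may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if fold:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_json, action, resource="*"):
    """Simplified evaluation of one identity-based policy (assumption: no
    Condition, NotAction, resource policies, SCPs or permission boundaries).
    Returns 'ExplicitDeny', 'Allow' or 'ImplicitDeny'."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):  # a single statement may omit the list
        statements = [statements]
    decision = "ImplicitDeny"
    for stmt in statements:
        if "Action" not in stmt:  # NotAction statements are out of scope here
            continue
        if (_matches(stmt["Action"], action, fold=True)
                and _matches(stmt.get("Resource", "*"), resource, fold=False)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


if __name__ == "__main__":
    for act in ("ec2:RunInstances", "ec2:DescribeInstances",
                "ec2:TerminateInstances", "s3:GetObject"):
        print(f"{act:24} -> {evaluate(EC2_OPERATOR_POLICY, act)}")
```

The same function also shows why resource scoping matters: a statement whose `Resource` is an ARN pattern grants nothing on resources outside that pattern.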

Practical part

  • Creating an IAM User: To create an IAM user, go to the IAM console, select "Users," and click "Add user." Provide a username, select the access type (console or programmatic), and set a password. Assign policies to the user to grant the necessary permissions. For example, you might assign a policy that allows the user to access specific S3 buckets.

  • Assigning Policies to Users: After creating an IAM user, you can assign policies to define their permissions. For example, assign a policy that allows the user to perform actions like launching and stopping EC2 instances. This ensures that each user has the right level of access to perform their tasks.

  • Creating a Group in IAM: To create a group in AWS IAM, navigate to the IAM console and select "Groups" from the sidebar. Click "Create New Group," enter a group name, and proceed to the "Attach Policy" page. Select the policies you want to associate with the group to define its permissions. Finally, review your selections and click "Create Group" to finalize the process.