IAM (Identity and Access Management)

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. AWS Identity and Access Management (IAM) will manage and scale workload and workforce access securely supporting your agility and innovation in AWS.

With the help of IAM we can manage the permissions that who can use the AWS services, which means authenticating a user (weather he/she is eligible) and authenticate (what type of actions can user perform in AWS).

IAM will achieve effective security from users through Users, Roles, Groups and Policies.

IAM users: Have their own credentials and can be given console or programmatic access.

IAM groups: Can be used to organize IAM users and attach policies to them. All users in a group have the permissions attached to the group.

IAM policies: Define the permissions for an identity or resource within an AWS account. Policies can be identity-based or resource-based.

IAM roles: Similar to IAM users, but are intended to be used by anyone who needs them.

Creating IAM user:

Go to AWS Management Console and search for IAM is search bar and select IAM service.

NOTE: IAM is a global service.

Select Users option on left panel and then click on create user.

Now, give specific user name and here we need a password to authenticate the user while logging into console. Autogenerated password is recommended and give option to user to change the password based on his own, instead of custom password.

Now let us explore the user without attaching any policies.

We haven’t added any policies under user to access.

IAMUserChangePassword will be added by default, as we given permission to change the password. Review and create user.

Once we login it will ask the user to update the password.

Here I had no permission to access any of the AWS service. As we didn’t attached any of the policy while creating this user.

Now, let us explore user by attaching the policies by go back to root user again.

Go to users tab and click the user which we need to attach the policies.

Under permissions tab click on “Add permissions”.

The new policies were added to the existing user.

Once again login through the IAM user and go through S3 and EC2 services, as we given access to the user to use the services. We can access those services fully.= as shown above.

Creating IAM Groups:

IAM Groups consists of multiple users who are required to perform similar types of operations with help of AWS services. It nothing but adding all the users and attaching the policies to define how much they can access.

Let’s see creation of IAM Group:

Select the User Group option in left plane of IAM service and click on create group.

Give a certain name to the group and we can add the IAM users.

We can add the required policies to the group from the above which are required and create user group.

We can also add the users after creating the group instead.

Similarly, we can also attach policies after creating the group.

Benefits of IAM:

• Set and manage guardrails with broad permissions, and move toward least privilege by using fine-grained access controls for your workloads.

• Manage identities across single AWS accounts or centrally connect identities to multiple AWS accounts.

• Grant temporary security credentials for workloads that access your AWS resources using IAM and grant your workforce access with AWS IAM Identity Center.

• Generate least-privilege policies, verify external and unused access to resources, and continually analyze to rightsize permissions.

Use cases:

• Create granular permissions based on user attributes—such as department, job role, and team name—by using attribute-based access control.

• Manage per-account identities with IAM or use IAM Identity Center to provide multi-account access and application assignments across AWS.

• Streamline permissions management and use cross-account findings as you set, verify, and refine policies on the journey toward least privilege.

AWS Identity and Access Management (IAM) is a crucial service for securely managing access to AWS resources. By utilizing IAM, organizations can effectively control permissions through users, roles, groups, and policies, ensuring that only authorized individuals have access to specific resources. The process of creating IAM users and groups, as well as attaching policies, allows for tailored access control that aligns with organizational needs. The benefits of IAM include setting guardrails, managing identities across accounts, granting temporary credentials, and refining permissions towards least privilege. These capabilities make IAM an essential tool for maintaining security and efficiency in AWS environments.