IAM Overview

IAM (Identity Access Management)

  • It allows the management of users and their level of access to the AWS console.
  • It gives centralized control over your AWS account.
  • We can assign granular permissions.
  • Shared access to the AWS console.
  • Identity federation (you can integrate it with AD, Facebook, LinkedIn, etc.).
  • Multi-factor authentication.
  • It also allows temporary access for users, devices and services where necessary (web applications and mobile applications).
  • You can set up your own password rotation policy.
  • Integrates with many different AWS services.
  • Supports PCI DSS compliance.
  • Critical terms
    • Users – The end users.
    • Roles – You create roles and then assign them to AWS resources.
    • Groups – A collection of users under one set of permissions.
    • Policies – JSON documents that define one or more permissions. They can be attached to users, groups or roles, and the same policy can be shared by all three; policies sit on top of every other entity.
  • IAM is not region-scoped; it applies to the whole account and shows as Global in the console.
  • The root account is the email address used to sign up for the AWS account and has full access.
  • MFA can be a virtual device or a physical device. For Android, Google Authenticator is the virtual device.
  • Groups
    • You can create a custom group name.
    • Once the group is created you need to attach a policy to it.
    • The policy can be one pre-published by AWS.
    • Policy documents are key-value pairs in JSON format.
  • Users
    • When a user is created, an Access Key ID and a Secret Access Key are generated for them. Both are needed to connect to AWS programmatically.
    • They are shown only once, at the time they are first created in AWS.
    • If the keys are lost, a new pair can be generated.
    • The password is used together with the email address to log in to the AWS console.

Permissions can be attached directly to users as well as to groups, so permission assignment works for both.

Types of IAM policy

  • Managed Policy
  • Customer managed Policy
  • Inline Policy

Managed Policy

  • These are policies created and maintained by AWS; we cannot change anything in them.

Customer managed Policy

  • Customer-managed policies are created, managed and updated by the customer. They are available only within the account that created them.

Inline Policy

  • Inline policies are embedded directly in the user, group or role to which they apply.
  • There is a strict one-to-one relationship between the entity and the policy.
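The policy document format mentioned above (key-value JSON attached to users, groups or roles) and the customer-managed / inline distinction are easier to see with a concrete document. The following is an added Python example, not code from AWS or from the original notes: it embeds two constructed policy documents, one scoped to a single (placeholder) S3 bucket as a customer would write for a customer-managed policy, and one over-broad document of the kind that often ends up as an inline policy, and runs a small hygiene check over both. The check, the bucket name and the Sid values are the example's own assumptions; the Version, Statement, Effect, Action and Resource keys are the real IAM grammar.

```python
"""Hygiene check for IAM policy documents (added illustration, not AWS code)."""
import json

# Constructed sample: a customer-managed policy scoped to one bucket (least privilege).
# The bucket name is a placeholder, not a real resource.
CUSTOMER_MANAGED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed sample: an over-broad document that the check should flag.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

REQUIRED_VERSION = "2012-10-17"
ALLOWED_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc):
    """Return a list of findings for an IAM policy document given as a dict.

    Checks the structure (Version, Statement, Effect, Action, Resource) and
    flags wildcard Action/Resource in Allow statements, which defeat the
    granular permissions the notes describe.
    """
    findings = []
    if doc.get("Version") != REQUIRED_VERSION:
        findings.append("Version should be '2012-10-17' (older grammar lacks policy variables)")
    statements = _as_list(doc.get("Statement"))
    if not statements:
        findings.append("policy has no Statement")
    for i, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{i}]")
        effect = stmt.get("Effect")
        if effect not in ALLOWED_EFFECTS:
            findings.append(f"{label}: Effect must be Allow or Deny, got {effect!r}")
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource")) + _as_list(stmt.get("NotResource"))
        if not actions:
            findings.append(f"{label}: missing Action")
        if not resources:
            findings.append(f"{label}: missing Resource")
        if effect == "Allow":
            if any(a == "*" for a in actions):
                findings.append(f"{label}: Allow with Action '*' grants every API call")
            elif any(a.endswith(":*") for a in actions):
                findings.append(f"{label}: Allow with a service-wide action wildcard")
            if any(r == "*" for r in resources):
                findings.append(f"{label}: Allow with Resource '*' applies to every resource")
    return findings


def policy_json(doc):
    """Serialise the document the way it is passed to the IAM console or API."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name, doc in [("customer-managed", CUSTOMER_MANAGED_POLICY),
                      ("inline (over-broad)", OVERLY_BROAD_POLICY)]:
        print(f"--- {name} ---")
        print(policy_json(doc))
        print("findings:", lint_policy(doc) or "none")
```

Run it directly to print both documents and their findings. The same check can be pointed at any policy JSON exported from an account: the scoped document produces no findings, while the `"Action": "*"` / `"Resource": "*"` document is reported twice, once per wildcard. Because an inline policy lives inside exactly one user, group or role, a broad document there is harder to audit than the same document as a named customer-managed policy, which is one reason to review inline policies with a check like this.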