AWS Identity and Access Management (IAM)

By Jayant Sharma

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account. Amazon strongly recommends that you do not use the root user for your everyday tasks, even administrative ones. Instead, create your first IAM user. The root user credentials should be reserved for the few account and service management tasks that require them.
IAM helps keep track of two-factor authentication information and authorizations.
For example, a business owner can create "users" for as many employees as needed, each of whom must sign in with a password or two-factor authentication. The permissions granted to each user determine what they can do once they gain access to a system. AWS IAM controls which users are allowed into a system and what they can do when they get in.


IAM Features

AWS IAM provides you the following features:
Shared access to your AWS account
You can grant other people permission to use resources in your AWS account without having to share your password or access key.
Granular permissions
You can grant different permissions to different people for different resources.
For example, you can allow some users complete access to Amazon EC2, Amazon S3, or Amazon DynamoDB, while allowing other users read-only access to a single service, say specific S3 buckets.
Secure access to AWS resources for applications that run on Amazon EC2
You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources. Examples include S3 buckets and DynamoDB tables.
Multi-factor authentication (MFA)
You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device.
Free to use
The AWS Identity and Access Management (IAM) features of your AWS account are offered at no additional charge. You are charged only when you access other AWS services using your IAM users.

IAM Users

Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization. IAM users are not separate accounts; they are users within your account. Each user can have its own password for access to the AWS Management Console. You can also create an individual access key for each user so that the user can make programmatic requests to work with resources in your account.



Permissions and Policies

AWS IAM helps you define what a user can do in an account. The user is also called a principal: a principal is a person or application that is authenticated using an IAM entity (a user or a role).
Access management is often referred to as authorization.
You can manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or to AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. The permissions in the policies determine whether a request is allowed or denied. Most policies are stored in AWS as JSON documents.
If you manage a single account in AWS, then you define the permissions within that account using policies. If you manage permissions across multiple accounts, it is more difficult to manage permissions for your users. For this, you can use IAM roles, resource-based policies, or access control lists (ACLs) for cross-account permissions.


The figure above shows that each type of group is granted only a certain type of access.
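To make the "allowed or denied" decision concrete, here is an added example (not code from the post or from AWS) that encodes three constructed policies in the same structure IAM stores as JSON documents and applies the identity-policy evaluation rule: an explicit Deny always wins, any matching Allow grants the request, and everything else is implicitly denied. The bucket name, the policies and the helper functions are all assumptions made for the illustration; Condition blocks and resource-based policies are deliberately left out.

```python
import fnmatch

# Constructed sample policies (not from the post): read-only access to one
# bucket, full access for an admin, and an explicit Deny that protects the
# bucket against deletion even when attached next to the full-access policy.
READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "arn:aws:s3:::example-bucket*"}]}


def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # A statement applies when an Action pattern and a Resource pattern both match.
    # IAM supports '*' and '?' wildcards in both; fnmatch gives the same semantics here.
    return (any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement["Action"]))
            and any(fnmatch.fnmatchcase(resource, p) for p in _as_list(statement["Resource"])))


def is_allowed(policies, action, resource):
    """Simplified identity-based policy evaluation (no Condition blocks, no
    resource policies): an explicit Deny always wins, then any Allow grants the
    request, and anything not mentioned is implicitly denied."""
    statements = [s for p in policies for s in p["Statement"]]
    if any(s["Effect"] == "Deny" and _matches(s, action, resource) for s in statements):
        return False
    return any(s["Effect"] == "Allow" and _matches(s, action, resource) for s in statements)


if __name__ == "__main__":
    reader = [READ_ONLY_S3]
    admin = [FULL_ACCESS, DENY_DELETE]
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(is_allowed(reader, "s3:GetObject", obj))                             # True: granted
    print(is_allowed(reader, "s3:PutObject", obj))                             # False: implicit deny
    print(is_allowed(reader, "s3:GetObject", "arn:aws:s3:::other-bucket/x"))   # False: wrong bucket
    print(is_allowed(admin, "s3:DeleteBucket", "arn:aws:s3:::example-bucket"))  # False: explicit deny
```

Real IAM evaluation also weighs permissions boundaries, SCPs, session policies and Condition keys, so treat this as a model of the core rule rather than a substitute for the IAM policy simulator.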

IAM Identities

IAM identities include users, groups, roles, and policies. Let's understand them separately:
    The AWS Account Root User: When you first create an AWS account, you create an account (or root user) identity, which you use to sign in to AWS. You can sign in to the AWS Management Console as the root user—that is, the email address and password that you provide when you create the account. This combination of your email address and password is called your root user credentials.
    When you sign in as the root user, you have complete, unrestricted access to all resources in your AWS account, including access to your billing information and the ability to change your password. This level of access is necessary when you initially set up the account. 
    However, it is recommended that you don't use root user credentials for everyday access. We especially recommend that you do not share your root user credentials with anyone, because doing so gives them unrestricted access to your account.
    For these reasons, create individual users in AWS using IAM instead.
    IAM Groups: An IAM group is a collection of IAM users. You can use groups to specify permissions for a collection of users, which can make those permissions easier to manage for those users.
    For example, you could have a group called Admins and give that group the types of permissions that administrators typically need.
    IAM Roles: An IAM role is very similar to a user. It is an identity with permission policies that determine what the identity can and cannot do in AWS.
    Temporary Credentials: Temporary credentials are primarily used with IAM roles, but there are also other uses. You can request temporary credentials that have a more restricted set of permissions than your standard IAM user. This prevents you from accidentally performing tasks that are not permitted by the more restricted credentials. A benefit of temporary credentials is that they expire automatically after a set period of time. You have control over the duration that the credentials are valid.




