What is AWS IAM (Identity and Access Management)
With AWS IAM, you can control access to ensure only authorized users can use your resources. IAM gives you control over who can access your AWS services and resources based on predefined permissions. The two key concepts are “who” and “permissions.” “Who” refers to a specific identity, which can be a user, group, or role. “Permissions” refer to the policies attached to an identity that either allow or deny access to a resource. This is especially useful for large organizations where different teams need different levels of access.
What is AWS IAM?
AWS Identity and Access Management (IAM) is a service that helps you securely control who can access your AWS resources and what they can do with them. With IAM, you can easily manage permissions to ensure that only the right users can sign in and use your AWS resources.
As more companies move their infrastructure to the cloud, ensuring proper access control becomes critical for maintaining the confidentiality, integrity, and availability of sensitive data. With IAM, you can easily set up granular permissions and manage them at scale without compromising on security. This is especially important in large organizations where multiple teams may need access to different AWS resources.
When do you use IAM?
How you use IAM depends on the work that you do in AWS.
- Service user: If you use AWS services for your work, your admin will give you the necessary login details and permissions. As your tasks become more complex, you might need extra permissions. Knowing how access is managed can help you ask your admin for the right permissions.
- Service administrator: If you manage an AWS resource, you likely have full access to IAM. Your job is to decide what features and resources your users can access and then request permission changes from the IAM administrator.
- IAM administrator: If you are an IAM administrator, you handle IAM identities and create policies to control who can access what in AWS.
AWS IAM Policy
IAM policies serve as a rulebook for controlling access to your AWS resources. They define what actions can be performed on which resources by whom. By utilizing policies in conjunction with roles and groups within IAM’s framework, you can implement fine-grained controls over user activity within your cloud environment.
An IAM role is an entity that can be assigned to users, groups, or even other AWS services. This allows them to temporarily assume specific permissions, eliminating the need for individual credentials for each user. It provides a secure way of granting temporary access without compromising long-term credentials.
AWS IAM User
IAM consists of three main components: users, groups, and roles. Users are individual identities that have specific credentials (e.g., username/password) assigned by an administrator. Groups in IAM are collections of users with similar permissions, making it easier to manage access control on a larger scale. Users in an IAM group inherit the permissions assigned to that group. Additionally, users can be part of multiple groups and have permissions that extend beyond those of a single group. Roles are similar to user – you can assign specific privileges to an user or AWS resources.
IAM also supports the concept of policies which define specific permissions or actions that users or roles can perform on AWS resources. Policies can be attached directly to users or groups or associated with a role.
IAM User Group
An IAM group is a way to organize a bunch of IAM users. You can’t sign in as a group, but you can assign permissions to the whole group at once. This makes it easier to manage permissions for many users. For example, you could create a group called IAMPublishers and give it the permissions needed for publishing tasks.
Let’s take an example of AWS IAM in an organization with 6 people: Mia, Oliver, Charles, Lucas, James, and Henry.
- In Group ‘Developers’ we have Mia, Oliver and Charles. They all work together as developers so they have permissions related to their tasks.
- In Group ‘Operations’ we have Lucas and James. They work together in operation and have permissions related to their work.
- We also have ‘Audit Team’ – this group includes Charles and Lucas. Although Charles and Lucas belong to different primary groups (Developers and Operations), they also work together on audit tasks. Therefore, they are grouped under “Audit Team” as well.
- Henry is not part of any group. While it’s generally best practice to include all users in groups, it is possible to have users who do not belong to any group, like Henry in this example.
Key points to understand:
- Groups in IAM can only contain users, not other groups.
- A user can belong to multiple groups. For example, Charles belongs to both the Developers group and the Audit Team group.
- It’s possible to have users not assigned to any group, though it’s not considered best practice.
This setup allows for flexible and efficient management of user permissions based on the different roles and responsibilities within the organization.
AWS IAM Role
AWS IAM Role can be defined as a collection of permissions that grant users or services certain access rights within an AWS environment. These permissions are attached to the role rather than individual users, making it easier to manage access for multiple users with similar needs.
Roles are designed so that a set of permissions can easily be delegated to users on an individual basis. For example, instead of assigning an individual all their necessary permissions one at a time, they can be assigned a specific role that contains all the necessary permissions in a single step.
Once a role is created, it can be assigned to as many individuals as needed. This makes roles particularly useful when assigning permissions to new users or changing permissions to users who have shifted jobs within their organization.
When it comes to AWS roles vs. policies, a good rule of thumb is to remember that policies are applied to roles, which can then be assigned to individual users via roles.
Comparing AWS Account Root User Credentials and IAM User Credentials
In summary, the root user has ultimate access and should be used sparingly, while IAM users have customizable permissions for everyday use but should ideally use temporary credentials for better security.
Root User Credentials | IAM User Credentials | |
Who | The root user is the account owner, created when the AWS account is set up. | An IAM user is an entity you create in AWS to represent a person or service interacting with AWS resources. |
Access | The root user has full access to all resources in the account. | IAM users have specific custom permissions set by you. |
Usage | You can’t use IAM policies to block the root user. Only an AWS Organizations service control policy (SCP) can limit the root user’s permissions. | IAM users have long-term credentials (username and password) for accessing AWS through the AWS Management Console, AWS CLI, or AWS APIs. |
Best Practices | It’s recommended to create an administrative user for daily tasks and keep the root user credentials safe. Use the root user only for specific tasks that require it. | Avoid creating IAM users with long-term credentials. Instead, use temporary credentials and identity providers for federated access. Use IAM Identity Center for centralized access management and to handle user identities and permissions. |
Source: AWS
How IAM works
IAM provides the infrastructure necessary to control authentication and authorization for your AWS account.
Here’s how it works:
- Signing in: A person or an application signs in to AWS using their credentials (like a username and password). AWS checks these credentials to see if they match a known user or application that is trusted by your account.
- Requesting access: After signing in, a request is made to access AWS resources. For instance, when you first log into the AWS console, you haven’t accessed any specific services yet. When you click on a service, AWS checks if you are allowed to use it. It looks at the list of authorized users and any rules or policies that apply to your access level.
- Taking action: If AWS grants access, you can then do things with your AWS resources. This could include actions like starting a new server (EC2 instance), changing user permissions, or deleting storage (S3 buckets).
IAM ensures that only authorized users and applications can access and perform actions on your AWS resources.
Conclusion
AWS IAM enables admin to securely control access to their AWS resources. In simple terms, IAM allows you to control who has access to your AWS resources and what actions they can perform. It provides a centralized system for creating unique identities and defining permissions for each identity across all your AWS services. By understanding and using IAM effectively, you can keep your AWS environment secure and well-managed.
Sysbee can help you assess the current state of your IAM setup to make sure that the proper security standards are met and advise you on best practices. With our managed AWS service, you won’t have to think about IAM, we’ll make sure that everything is setup properly.