Identity and Access Management in AWS
When it comes to AWS, security is crucial, just like in any other scenario. The most important aspect is who has access to what and the type of access a particular user has to a service. This is where Identity and Access Management (IAM) becomes important, and in AWS, this is managed using the service called AWS IAM. Today we will be learning on AWS IAM.
In simple terms, IAM is a framework of policies that ensures the right people in the organization have the appropriate access to resources. Every operation performed in AWS must be authenticated and authorized by IAM. This is achieved through:
IAM users
IAM groups
IAM roles
IAM users:
IAM user is an entity created in AWS to represent a person or application that interacts with AWS. By default, an IAM user does not have any permissions. Permissions are available as IAM policies, which are JSON files. An IAM policy is an object in AWS that defines the permissions of a specific entity. AWS evaluates these policies to grant or deny permissions.
IAM users can have three types of security credentials:
Username and password: Used for logging into the AWS UI.
Access keys: Consist of an access key and a secret key, allowing programmatic access to AWS through the CLI.Access keys should be kept confidential, just like passwords, and should not be shared with anyone. They will be visible only once in the UI, so make sure to copy and store them safely.
MFA: Multi-Factor Authentication can be used as an additional security layer along with the existing username and password.
When you create a new AWS account, a root user is created by default with full access to the account. However, it is not recommended to use the root account for everyday activities. Instead, use the root account to create a new user with the necessary permissions(may be admin access) and use that user for daily tasks which includes creating other users too.
Another important point to note is that AWS follows the principle of least privilege. This means each user is given only the minimum permissions needed to complete their work. This is considered a best security practice.
IAM groups:
IAM groups are collections of IAM users. For example, in your organization, you might have developers and a management team. The permissions required for each team will be different. When a new developer joins, they should have the same permissions as the other developers. Without groups, you would have to manually add all the necessary IAM policies to each new user. By creating an IAM group called "developer" and attaching all the required policies to that group, adding a new developer becomes easy. You just create the user and add them to the "developer" group. This scenario shows why IAM groups are necessary.
IAM roles:
Sometimes, an AWS service needs specific permissions. To handle this, we use IAM roles. An IAM role is similar to an IAM user, but while an IAM user is created for people, an IAM role is created for AWS services.
IAM is a global service, not region-specific. You can configure it using IAM roles and cross-account access.You can read about AWS IAM more here.
Understanding the concept of IAM is crucial for working with AWS. Everything you do in AWS, whether through the UI or CLI, depends entirely on IAM.