AWS SERIES :- 2. IAM: what is it?

Introduction of IAM

IAM is the short name for the AWS Identity and Access Management service.

It is a web service provided by AWS that is used to securely control access to AWS resources. It is essentially an authentication and authorization service: it grants access to resources so that they can be used and changed only by authorized people and applications.

With IAM we can manage and control our resources so that each user can access only the resources they have permission to use. IAM is what decides who is authenticated and who is authorized to use the resources.

IAM features

IAM provides us with the following important features:

  1. Shared access to AWS

    Using AWS IAM we can give other users access to our account without sharing our account password. We can grant them access to use and administer the resources.

  2. Granular Permission

    We can grant different permissions to different users for different resources. For example, one user can be granted full access, another read-only access, and a third only billing-related access.

  3. Secure access to resources running on EC2.

  4. Multi-factor authentication.

Accessing IAM

We can access IAM in any of the following ways:

  1. AWS Management Console

  2. AWS Command Line Interface (CLI)

  3. AWS SDKs

  4. IAM query API

Uses of IAM

  1. Giving people the access they need for their different job functions.

  2. Authorizing access to AWS resources.

  3. Creating permissions and policies, etc.

IAM provides a way to perform authentication and authorization in AWS.

How does IAM work?

IAM works in the following manner.

First, a user or an application is authenticated using its credentials. The authenticated user then requests permission to act on a resource, and IAM checks the applicable policies; access is granted or denied in the response to that authorization request. Once authorized, the user can take actions or perform operations on the resources in the AWS account.

Important terms in IAM

IAM Resource

IAM resources are the objects stored in IAM. You can add, edit, and remove them from IAM:

  • user

  • group

  • role

  • policy

  • identity-provider object

IAM Entity

IAM resources that AWS uses for authentication. Entities can be specified as a Principal in a resource-based policy:

  • user

  • role

IAM Identity

An IAM resource that can be authorized in policies to perform actions and to access resources. Identities include users, groups, and roles.

Principals

A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS. Principals include federated users and assumed roles.

Human users

Also known as human identities; the people, administrators, developers, operators, and consumers of your applications.

Workload

A collection of resources and code that delivers business value, such as an application or backend process. Can include applications, operational tools, and components.

Important components of IAM

The important components we need to understand for a better overview of IAM are:

  1. User

  2. Policies

  3. Groups

  4. Roles

User:- An IAM user is simply a user created for a specific purpose, and it does not have root access. For example, if you have an application hosted on AWS and a new person joins your team and asks for access to the application so he can work on it, you simply create a new IAM user for him in the same account and give him the credentials to use it.

Policies:- Policies define the access granted to users. Creating a user alone does not help us in any way; we need to attach policies to the user we created, such as read-only, full access, or any other type of access. If we don't want to use the policies AWS provides by default, we can create our own custom policies.

Groups:- IAM groups are created to keep all the policies commonly needed by a particular set of people in one place. For example, if we are working in a company we might have three major sets of workers, Dev, QA and Tester, so we create three groups, one for each, and attach the policies commonly required by developers to the Dev group, and similarly for QA and Tester. This improves efficiency: each day we may receive multiple user requests, and attaching policies to each user manually takes a lot of time, but once the groups exist we simply add the user to the appropriate group.

Roles:- IAM roles are more or less similar to users, but the credentials obtained through a role are temporary.

When we create an IAM user, AWS automatically assigns that user a policy that allows them to change their own password.

Do not use the root user for everyday access in any case. It is very dangerous, because if someone unknowingly or without authorization changes anything as root, it can have several unwanted impacts on the applications hosted in the account.

This blog gives you a much-needed overview of IAM; if you need to dive deeper, please use the documentation provided by AWS.