Identity & Access Management
Identity & Access Management (IAM) is an AWS service that allows us to configure who can access our AWS account, services, or even applications running in our account. IAM is a global service and is automatically available across ALL regions.
AWS IAM service securely controls access to AWS resources by authenticating and authorizing (giving granular permissions) the individual users, applications, or services.
Let’s learn about key IAM terms.
1. IAM User
A user is a unique identifier generated by the IAM service and recognized by all AWS services to grant access to AWS resources. A user can be a person, system, or application that requires access to AWS services. You can generate login credentials and access keys for any user in your account. Roles and policies control the scope (permissions) of a user’s access to AWS resources in your account.
2. IAM Group
A group collects IAM users with the same level of permissions to access AWS resources. You can attach or detach permissions to a group using access control policies. A group makes it easier to manage IAM users with the same level of permissions.
3. IAM Role
A role is simply a set of policies (permissions) to access AWS services. You can assign a role either to an IAM user or an AWS service such as EC2. Creating and storing roles helps to delegate access with defined permissions without sharing long-term access keys.
Difference between an IAM role and an IAM user
An IAM user has permanent credentials that can be used to interact with AWS services directly. In contrast, an IAM role does not have any credentials; hence it cannot make direct requests to AWS services. IAM roles are assumed by authorized entities, such as IAM users, applications, or other AWS services.
4. IAM Policy
An access control policy is a JSON file that defines the resource to grant access, level of access, and allowed actions. You can attach a policy to multiple users, groups, or roles to assign permissions to AWS resources.
AWS offers predefined policies that are managed by AWS. You can even create, save, and attach custom policies, as shown below
Create a custom policy using either a visual or a JSON editor
See a sample IAM policy that allows full EC2 access within a specific AWS region:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"ec2:Region": "us-east-2"
}
}
}
]
}You can have a look at many more managed policies here: Example IAM identity-based policies
How do I know if my custom policy is having the desired access permissions?
AWS offers a utility, IAM policy simulator, where you can evaluate, and validate the effects of your access control policies.
Recommended Read
- StackOverflow discussion – Difference between IAM role and IAM user in AWS
- In addition to IAM policies, AWS offers other types of policies, such as an S3 Bucket Policy, an SNS Topic Policy, a VPC Endpoint Policy, and an SQS Queue Policy. There is a helpful utility, AWS Policy Generator, that can generate either of the policies mentioned above.
- AWS IAM FAQs – must read.