AWS Identity and Access Management (IAM) is an essential service that helps you securely control access to AWS resources and services. You use IAM to control who can act in your account and what each user or service is allowed to do. In other words, both authentication (who) and authorization (what) of everything that happens in your account go through IAM. How cool is that?
You can also grant other people permission to administer and use specific resources in your AWS account without having to share your password or access key. AWS IAM is therefore a service that is crucial to both your account security and your application security.
Benefits of AWS IAM
With AWS IAM, you can grant different permissions to different people for different resources. For example, you can grant some users write access to Amazon EC2, Amazon S3, Amazon Redshift, and other AWS services, while another set of users gets read-only access to S3, or access to your billing information and nothing else.
Free to use
AWS IAM and AWS Security Token Service (AWS STS) are features of your AWS account offered at no additional charge. You are charged only when you access other AWS services using your IAM users or AWS STS temporary security credentials.
Secure access to AWS resources for applications that run on Amazon EC2
You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources. Examples include S3 buckets and DynamoDB tables.
Multi-factor authentication (MFA)
You can add two-factor authentication to your account and to individual users for extra security. With MFA you or your users must provide not only a password or access key to work with your account, but also a code from a specially configured device.
API keys for programmatic (CLI) access
These are special credentials (an access key ID and a secret access key) required for accessing AWS resources via the command line interface (CLI) or other programmatic access.
Identity federation
You can allow users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your AWS account. This is a way of authenticating users through a third-party identity provider instead of creating an IAM user for each of them.
Identity information for assurance
If you use AWS CloudTrail, you receive log records that identify who made requests and who created or modified resources in your account. That information is based on IAM identities.
PCI DSS Compliance
IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and it has been validated as compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
SOME COMPONENTS OF AWS IAM
IAM users
An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS services. A user in AWS consists of a name and credentials. The credentials can be an access key ID and secret access key, or a strong password.
IAM groups
In AWS IAM, a group is a collection of IAM users that need to perform similar actions on AWS services. Groups let you specify permissions for multiple users at once, which makes it easier to manage the permissions for those users. For example, you could have a group called Admins and give that group the types of permissions that administrators typically need. Any user in that group then automatically inherits the permissions assigned to the group.
IAM roles
An IAM role is intended to be assumable by any AWS user or service that needs it. A role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, you receive temporary security credentials for your role session. Also learn how to create an AWS IAM role.
Temporary Security Credentials
You can also use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that control access to your AWS resources. You can configure STS credentials to be valid for only a few minutes, or for several hours. Because they expire on their own, you do not need to rotate STS credentials. The credentials are generated on demand when they are requested and are not stored with the user.
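The following is an added example, not code from the original article or from AWS. It models the credential record that an STS AssumeRole call returns (access key ID, secret access key, session token and expiration) and shows the two checks a caller needs around it: that a requested DurationSeconds is one STS will accept (900 seconds to 12 hours, capped by the role's MaxSessionDuration, which defaults to one hour), and that cached credentials are refreshed shortly before they expire rather than rotated by hand. The sample response, the account ID and the key values are constructed placeholders.

```python
"""Working with STS temporary credentials (added example; not AWS SDK code).

Models the credential record that sts:AssumeRole returns and two checks a
caller needs: that a requested DurationSeconds is one STS will accept, and
that cached credentials are refreshed shortly before they expire instead of
being rotated by hand.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

MIN_DURATION = 900          # 15 minutes, the shortest session STS issues
MAX_DURATION = 12 * 3600    # 12 hours, the longest any role can permit


def duration_problem(seconds: int, role_max_session: int = 3600) -> Optional[str]:
    """Return why STS would reject DurationSeconds, or None if it is acceptable.

    role_max_session mirrors the role's MaxSessionDuration (1 hour by default).
    """
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        return f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}"
    if seconds > role_max_session:
        return f"DurationSeconds exceeds the role's MaxSessionDuration of {role_max_session}"
    return None


def is_temporary_key(access_key_id: str) -> bool:
    """Temporary access key IDs start with ASIA; long-term IAM user keys start
    with AKIA.  Handy when reviewing logs for long-lived keys still in use."""
    return access_key_id.startswith("ASIA")


class TemporaryCredentials:
    """The four fields STS returns; all four are needed to sign a request."""

    def __init__(self, access_key_id, secret_access_key, session_token, expiration):
        self.access_key_id = access_key_id
        self.secret_access_key = secret_access_key
        self.session_token = session_token
        self.expiration = expiration  # timezone-aware datetime

    @classmethod
    def from_assume_role_response(cls, response):
        """Build from the dict shape of an AssumeRole response."""
        c = response["Credentials"]
        return cls(c["AccessKeyId"], c["SecretAccessKey"],
                   c["SessionToken"], c["Expiration"])

    def needs_refresh(self, now=None, skew=timedelta(minutes=5)):
        """True once the credentials are within `skew` of expiring, so a new
        set is fetched before a request can fail with an ExpiredToken error."""
        now = now or datetime.now(timezone.utc)
        return now + skew >= self.expiration


# Constructed sample response; the key values and account ID are placeholders.
ISSUED_AT = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "constructed-secret-access-key",
        "SessionToken": "constructed-session-token",
        "Expiration": ISSUED_AT + timedelta(hours=1),
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::123456789012:assumed-role/app-role/session-1",
    },
}


def minutes_after_issue(minutes: int) -> datetime:
    """Helper for stepping a clock forward from the constructed issue time."""
    return ISSUED_AT + timedelta(minutes=minutes)


def refresh_schedule(creds, now):
    """Return (needs_refresh, seconds_remaining) for a cached credential set."""
    remaining = (creds.expiration - now).total_seconds()
    return creds.needs_refresh(now), max(0, int(remaining))


if __name__ == "__main__":
    creds = TemporaryCredentials.from_assume_role_response(SAMPLE_RESPONSE)
    for minutes in (0, 30, 56, 120):
        print(minutes, "min after issue:", refresh_schedule(creds, minutes_after_issue(minutes)))
```

The five-minute skew in needs_refresh is a design choice: refreshing a little early costs one extra STS call per session, while refreshing late means a request in flight fails with an expired token.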
Principle of Least Privilege
This means giving a user or service only the access to the AWS services and resources it needs to do its job, and nothing more. It is an important security practice for securing any cloud infrastructure.
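To make the difference between the broad and the narrow grants described above concrete (write access to several services for one set of users, read-only S3 for another, and a least-privilege policy for an application), here is an added example, not code from the original article or from AWS. It is a deliberately minimal evaluator that applies the core IAM authorization rules: deny by default, explicit Deny overrides any Allow, and wildcard matching on Action and Resource. Conditions, NotAction/NotResource, policy variables and resource-based policies are not modelled, and the bucket name is made up.

```python
"""Minimal IAM-style policy evaluator (added example; not AWS's own engine).

It applies the core rules of IAM authorization: a request is denied by
default, an explicit Deny in any statement overrides every Allow, and the
Action and Resource elements are matched with IAM's '*' wildcard.  Conditions,
NotAction/NotResource, policy variables and resource-based policies are
deliberately left out.
"""
import fnmatch


def _as_list(value):
    """IAM allows Action/Resource to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """'*' matches any run of characters and '?' a single character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Evaluate one request against one identity-based policy document.

    Action names are case-insensitive in IAM, so both sides are lowercased;
    resource ARNs are compared as written.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not (_matches(actions, action.lower())
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny wins regardless of statement order
        allowed = True
    return allowed


def combine(*policies):
    """Merge several policy documents the way IAM evaluates them for one
    principal: all statements are considered, so a Deny in any of them applies."""
    statements = []
    for policy in policies:
        statements.extend(_as_list(policy["Statement"]))
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample policies; the bucket name is made up for this example.
WRITE_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "redshift:*"],
         "Resource": "*"}
    ],
}

READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        # The explicit Deny guards against a broader Allow attached elsewhere.
        {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*"},
    ],
}

LEAST_PRIVILEGE_APP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-app-bucket/config/*"}
    ],
}

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/config/app.yaml"),
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/data/customers.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-app-bucket/config/app.yaml"),
        ("ec2:TerminateInstances", "*"),
    ]
    for name, policy in [("write", WRITE_ACCESS), ("read-only", READ_ONLY_S3),
                         ("least-privilege", LEAST_PRIVILEGE_APP),
                         ("write+read-only", combine(WRITE_ACCESS, READ_ONLY_S3))]:
        print(name)
        for action, resource in requests:
            print(f"  {action:24} {resource:55} {is_allowed(policy, action, resource)}")
```

Note how the least-privilege policy names a single action on a single prefix, so a request for a different object key or a different action in the same bucket is refused by the default deny, and how combining the write policy with the read-only one lets the explicit Deny win over the broad `s3:*` Allow.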
Principal
The principal is the AWS account, user, role or service that can access or carry out an action on a service. For example, a user with an Admin role can be the principal that calls STS AssumeRole to gain access to an S3 bucket. A role's trust policy defines which principals can assume the role, and under which conditions. You cannot use a wildcard (*) in the Principal element of a role's trust policy. Using :root in your principal should be avoided too: the :root principal gives every user in that AWS account access to the resource or service.
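As an added example (not from the original article and not an AWS tool), the checker below reads a role trust policy and flags the two principal patterns just discussed: a wildcard principal, which would let any AWS principal assume the role, and an account-root principal, which delegates to every identity in that account. It also notes when a root principal comes with no Condition block. The sample documents, the account ID 123456789012 and the role name are constructed placeholders.

```python
"""Trust-policy checker for risky Principal values (added example; not an
AWS-provided tool).

It reports a wildcard principal ("*" or {"AWS": "*"}) and an account-root
principal (arn:aws:iam::<account-id>:root).  Only Allow statements are
inspected, because only they grant the ability to assume the role.
"""
import json
import re

ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Yield (kind, value) pairs; kind is AWS, Service or Federated."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        yield "AWS", "*"
        return
    for kind, values in principal.items():
        for value in _as_list(values):
            yield kind, value


def lint_trust_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        conditioned = bool(stmt.get("Condition"))
        for kind, value in _principals(stmt):
            if value == "*":
                findings.append(
                    f"statement {idx}: wildcard principal lets any AWS "
                    f"principal assume this role")
            elif kind == "AWS" and ROOT_ARN.match(value):
                note = "" if conditioned else " and carries no Condition to narrow it"
                findings.append(
                    f"statement {idx}: account-root principal {value} trusts "
                    f"every identity in that account{note}")
    return findings


def lint_trust_policy_json(text):
    """Convenience wrapper for a policy document read from a file or an API."""
    return lint_trust_policy(json.loads(text))


# Constructed sample documents; 123456789012 is a placeholder account ID.
WILDCARD_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*",
                   "Action": "sts:AssumeRole"}],
}

ROOT_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}

SCOPED_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        # A named role in the trusting account plus the EC2 service principal.
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/deploy-pipeline",
                       "Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}
    ],
}

if __name__ == "__main__":
    for name, doc in [("wildcard", WILDCARD_TRUST), ("root", ROOT_TRUST),
                      ("scoped", SCOPED_TRUST)]:
        print(name, lint_trust_policy(doc) or ["no findings"])
```

The scoped document shows the alternative the text recommends: name the specific role (or user) ARN and the specific service principal that should be trusted, so the trust policy itself limits who can assume the role.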
Trusted entity
A trusted entity is the service or account that you permit to assume a role. It is named in the role's trust policy, and when it assumes the role it receives STS temporary credentials for that session.
Service roles and service-linked roles
A service role is a role that an AWS service assumes to perform actions on behalf of a user. A service-linked role is a type of service role that is linked directly to a specific AWS service.
In this article, we talked about the components of the AWS Identity and Access Management (IAM) service. I have a post on how to create an AWS IAM role. You should check it out too.