AWS IAM: An In-Depth Overview

What is AWS IAM?

AWS Identity and Access Management (IAM) is a global service that manages users and grants access permissions to AWS services. IAM manages users, groups, roles, and policies to control access to AWS resources. It has two main functions:

• Authentication: Verifying user identity.

• Authorization: Assigning permissions to users.

Users & Groups

Root Account

The root account is created by default and has the highest level of access. It is typically used to create IAM users and assign permissions.

Users

Users are individuals within your organization. They can be grouped together.

Groups

Groups can contain multiple users, but a group cannot contain another group.

The root account can be likened to a company director, while each IAM user is like an employee. Employees in a group inherit the permissions assigned to that group. The root account is often used to assign permissions, while IAM users perform tasks using AWS services.

Permissions

Users or groups can be granted permissions by adding policies through the AWS Management Console or using JSON strings. It's important to grant only the permissions that a user needs (principle of least privilege). For instance, a marketing group should have access only to marketing resources, while an accounting group should have access only to accounting resources.

Password Policy & MFA

Password Policy

AWS allows you to set password policies such as:

• Minimum length

• Specific character requirements

• Whether users can change their own passwords

• Requiring password changes after a certain period

• Preventing password reuse

Multi-Factor Authentication (MFA)

To protect your account, you can use multi-factor authentication methods like Google Authenticator or Universal 2nd Factor (U2F) Security Keys.

Access Keys, CLI, and SDK

You can access AWS in several ways:

• Using the AWS Management Console

• Using the CLI (Command Line Interface)

• Using the SDK (Software Development Kit)

Access Keys

AWS access keys are credentials used to verify user access to AWS resources and services via API or CLI. They consist of:

• Access Key ID

• Secret Access Key

Access keys must be kept secure and should not be shared, as they grant access to AWS resources.

CLI (Command Line Interface)

AWS CLI is a command-line tool that provides a console interface for AWS services, allowing users to interact with AWS resources via commands instead of the web interface.

SDK (Software Development Kit)

AWS SDK is a set of software tools provided by AWS to help developers integrate AWS services into their applications. The SDK supports various languages like JavaScript, Python, PHP, .NET, Ruby, Java, Go, Node.js, and C++.

IAM Roles

When interacting with AWS services, you need access permissions. Rather than providing access keys each time, IAM roles can grant access to AWS resources without using AWS access keys. In other words, IAM roles allow access to AWS resources.

Summary of AWS IAM

• User: Can access AWS resources using a username-password or access key and secret key.

• Access Key: A 20-character alphanumeric string, similar to a user ID.

• Secret Key: A 40-character alphanumeric string, similar to a password. Access key and secret key are used together for API, SDK, and CLI authentication.

• Password Policy: Defines password complexity, expiration, and other rules.

• Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring a six-digit code upon login. MFA is typically enabled for root users for added security.

• Group: A collection of users with the same permissions.

• Role: Grants IAM users permissions to access AWS resources.

• Policy: Written in JSON format, each policy defines specific permissions attached to users, groups, or roles within IAM.