AWS IAM is one of the core services available in Amazon Web Services. IAM stands for Identity and Access Management. In other words, it is the service that manages who and what can access your AWS environment, and what they are allowed to do.

Basically, AWS IAM is responsible for handling the security of your AWS environment. Every service in AWS uses IAM for its security needs.

In this post, we will understand the various aspects of AWS IAM.

And in the next post in this series, we will access Identity and Access Management in our AWS Console and create users for our AWS environment.

Overview of AWS IAM

IAM or Identity and Access Management is divided into the following parts:

[Image: AWS IAM building blocks]

Users

The first and most basic component of IAM is the user. A user is a physical person.

Basically, every person who needs access to the AWS environment is a user. Each user gets a separate account in IAM, and this account should not have root privileges.

The root account, or root user, is the most powerful user. It is the user that was used to create the AWS account in the first place.

Groups

The next core component of IAM is the group.

Basically, a group is a collection of users. A group can be anything you want for your AWS environment. In practice, however, groups are usually built around the function their members are supposed to perform.

For example, there could be an admin group, a devops group and so on.

A group can also symbolize a team. For example, the engineering team or the design team.

The use of groups is to share permissions between a set of users. You can assign particular permissions to a group and all the users belonging to that group will automatically inherit those permissions.

Roles

Another important component of AWS IAM is the role.

Roles are assigned to a machine rather than to a person, and they are used when one AWS resource needs to act on other AWS resources. In this way, they are clearly distinct from users.

A user is for a person, whereas a role is for a machine.

Policies

Policies are the last component of AWS Identity and Access Management. They are the key component that binds users, groups and roles together.

Policies are nothing but JSON documents. They define what each of the building blocks of IAM (namely users, groups and roles) can or cannot do.

As a user, you can write your own policies. However, AWS also provides many default (managed) policies that can be attached directly to one of the building blocks.

Important Points for IAM

Here are some important pointers regarding AWS IAM:

  • IAM or Identity and Access Management has a global view. Basically, in AWS you select a particular region to run your resources, and each resource is always tied to that region. However, a building block you create in IAM is available globally.
  • Permissions in IAM are governed using policies. A policy is basically a JSON document that specifies what can or cannot be done by the object to which the policy is assigned.
  • You can enable Multi-Factor Authentication using AWS IAM. I strongly recommend setting MFA for the root account. This is because a root account is like God mode, and if someone gets the credentials for it, they can do a lot of damage.
  • While assigning permissions to users in IAM, it is best to follow the principle of least privilege. Every user/group/role should get the minimal amount of permission they require to carry out their tasks. It is important to avoid giving excessive power to a single user or server in the organization.
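To make the Policies section and the least-privilege pointer above concrete, here is an added example (not code from the original post) that evaluates constructed IAM-style JSON policies the way IAM decides a request: an explicit Deny in any applicable policy wins, otherwise a matching Allow grants, otherwise the request is implicitly denied. It also shows how a user inherits the policies of every group they belong to. It is deliberately simplified and ignores Conditions, NotAction, resource-based policies, permission boundaries and SCPs; the bucket names and group names are made up.

```python
import fnmatch
import json

# Constructed sample policies (not from the original post). Policies are
# plain JSON documents, exactly as IAM stores them.
DEVOPS_GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}""")

# An over-broad "admin" policy: every action on every resource.
ADMIN_GROUP_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

GROUP_POLICIES = {"devops": [DEVOPS_GROUP_POLICY], "admin": [ADMIN_GROUP_POLICY]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case):
    # IAM action names are case-insensitive; resource ARNs are case-sensitive.
    v = value.lower() if ignore_case else value
    return any(fnmatch.fnmatchcase(v, p.lower() if ignore_case else p)
               for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Simplified IAM decision: explicit Deny > Allow > implicit deny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, ignore_case=True):
                continue
            if not _matches(stmt["Resource"], resource, ignore_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"          # a single explicit Deny ends evaluation
            decision = "Allow"
    return decision

def effective_policies(user_policies, groups, group_policies):
    """A user inherits every policy attached to every group they belong to."""
    return list(user_policies) + [p for g in groups for p in group_policies.get(g, [])]

if __name__ == "__main__":
    alice = effective_policies([], ["devops"], GROUP_POLICIES)
    print(evaluate(alice, "s3:GetObject", "arn:aws:s3:::example-logs/app.log"))  # Allow
    print(evaluate(alice, "s3:PutObject", "arn:aws:s3:::example-logs/app.log"))  # ImplicitDeny
    print(evaluate(alice, "s3:DeleteBucket", "arn:aws:s3:::example-logs"))       # Deny
```

Running it shows that a devops member can read the log bucket but cannot write to it (nothing grants it) and cannot delete it (explicitly denied), and that adding the same user to the wildcard admin group still leaves the bucket deletion denied, because explicit Deny beats any Allow.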

Golden Rules about AWS IAM

As an AWS admin, it is best to follow the rules below while dealing with Identity and Access Management.

  • ONE IAM User per Physical Person. Basically, DO NOT share an account between multiple users.
  • ONE IAM Role per Machine.
  • NEVER ever share your IAM Credentials with anyone.
  • NEVER write your IAM Credentials into a piece of code. If someone gets their hands on your credentials, they can do a lot of damage, such as mining bitcoin using your account and leaving you with a $20K bill.
  • NEVER use the ROOT Account except for initial setup.
  • NEVER use the ROOT IAM User’s credentials.

Conclusion

As you can see, AWS IAM or Identity and Access Management is an extremely important service of Amazon Web Services.

Basically, it forms the backbone of AWS as a whole. Everything you do in AWS uses IAM in some form or another.

In the next post in this series, we will take a more hands-on approach and create a new IAM user using AWS Console. So stay tuned.

Happy Learning!


Saurabh Dashora

Saurabh is a Software Architect with over 12 years of experience. He has worked on large-scale distributed systems across various domains and organizations. He is also a passionate Technical Writer and loves sharing knowledge in the community.
