Identity and Access Management (IAM) service in AWS. (Day 6)

Identity and Access Management (IAM)

IAM is the security service that controls who (users, groups, roles) can do what on which AWS resources; with IAM we manage access to the entire account from one central place.

IAM is a global service (it is not tied to a region) and there is no charge for using it.

There are two types of users/accounts

  1. Root User

    The root user has full, unrestricted permission on the account; it logs in with the account email ID and password.

  2. IAM User

    An IAM user has only the permissions granted to it by policies; it logs in with a user name and password.

    Using an IAM user, we can log in to the AWS console.

    Policies / permissions can be attached to or detached from an IAM user at any time.

It is not recommended to use the ROOT account for daily activities or work; use an IAM user instead and keep the root credentials for the few account-level tasks that require them.

Multifactor Authentication (MFA)

MFA is highly recommended for the ROOT account and for IAM users as well. An MFA device belongs to one identity, so MFA has to be set up for every individual IAM user. Registering a device protects console login; to also require MFA for API calls, a policy condition on aws:MultiFactorAuthPresent is needed.

Open AWS page ----> Login with email ID / password ----> MFA code -----> Login to AWS Console

2 ways to access AWS

  1. Console Access

    AWS Console website (GUI)

    (Email / password for root, or user name / password for an IAM user)

  2. Programmatic Access

    (CLI, SDK, developer tools)

    The AWS CLI needs to be installed.

    **Login with keys (Access key ID & Secret access key)

Keys are user specific: each IAM user has their own keys, and every IAM user can have at most 2 access keys at a time (so a new key can be issued while the old one is still in use, then the old one deleted). The secret access key is shown only once, at creation; treat it like a password and never commit it to source control.
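Added example (not part of these notes): a small Python check that applies the rules above, one MFA device per user and at most two access keys that should be rotated, to a user listing in the column layout of the IAM credential report (`aws iam generate-credential-report` followed by `aws iam get-credential-report`). The CSV below is constructed sample data using a subset of the report's columns; the 90-day rotation limit is an assumed policy for the example, not an AWS default, and the issue codes are this example's own.

```python
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy for this example, not an AWS default

# Constructed sample in the credential-report column format (subset of the real columns).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-01T00:00:00+00:00,not_supported,false,true,2023-01-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-01-05T10:00:00+00:00,true,true,true,2025-05-01T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-02-01T10:00:00+00:00,true,false,true,2024-02-01T10:00:00+00:00,true,2024-03-01T10:00:00+00:00
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2024-06-01T10:00:00+00:00,false,false,true,2025-05-20T10:00:00+00:00,false,N/A
"""


def _parse_ts(value):
    """Report timestamps are ISO 8601; empty slots read 'N/A' or 'no_information'."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, issue) pairs for rows that break the rules in the notes.

    NO_MFA           console-enabled user (or root) without an MFA device
    ROOT_ACCESS_KEY  root user has an active access key (root should not need one)
    STALE_KEY:<slot> active access key slot not rotated within MAX_KEY_AGE_DAYS
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console_user = row["password_enabled"] == "true"
        has_mfa = row["mfa_active"] == "true"
        if (is_root or console_user) and not has_mfa:
            findings.append((user, "NO_MFA"))
        for slot in ("access_key_1", "access_key_2"):  # IAM allows at most two keys per user
            if row[f"{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "ROOT_ACCESS_KEY"))
            rotated = _parse_ts(row[f"{slot}_last_rotated"])
            if rotated is None or (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, f"STALE_KEY:{slot}"))
    return findings


def sample_findings():
    """Run the audit over the constructed report at a fixed reference date."""
    return audit_credential_report(SAMPLE_REPORT, now=datetime(2025, 6, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, issue in sample_findings():
        print(f"{user}: {issue}")
```

Key age alone is a coarse signal: the full report also carries access_key_N_last_used_date, which lets you delete keys that have never been used rather than only old ones. Service users such as ci-deploy have no console password, so the MFA rule is only applied to identities that can log in interactively.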

IAM Groups

An IAM Group is a collection of IAM users; nesting a group inside another group is not possible. Multiple policies can be attached to an IAM user and also to a group; the default quota is a maximum of 10 managed policies attached per user, group or role (a quota that can be raised).

We can add/remove policies on IAM users and groups at any time.

We cannot create or assign access keys for an IAM group; keys exist only for IAM users, not for groups.

IAM groups are used to assign policies to a set of IAM users at once. A brand new IAM user has no permissions / policies attached by default, so every request is denied until a policy allows it.

IAM Policy

An IAM policy contains permissions: which actions are allowed or denied on which resources.

Policies / permissions are written in JSON format.

Two types of policy

  1. Managed Policy

    A standalone policy that can be attached to many users, groups and roles. AWS managed policies are predefined and maintained by AWS; customer managed policies are created and maintained by the customer and attached the same way.

  2. Inline Policy

    A policy embedded directly in a single user, group or role (customized policy); it is deleted together with that identity and cannot be reused elsewhere.

--> Visual Editor / Policy Generator:- the JSON is generated automatically from the choices made in the console

** ARN : Amazon Resource Name; in policies, resources are identified using their ARN (arn:partition:service:region:account-id:resource).

IAM Roles

Roles :- temporary access without long-term credentials.

If we use roles we do not need to configure keys on the machine. Whatever permissions are attached to the role are available from the instance through short-lived credentials that AWS issues and rotates automatically.

1 EC2 instance can have only one role attached at the same time (via its instance profile).

1 role can be attached to multiple EC2 instances at the same time.
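Added example (not from these notes): what lets an EC2 instance use a role is the role's trust policy, the document that names the principal allowed to call sts:AssumeRole. The Python below builds the standard EC2 trust policy and runs a small check that flags trust policies whose principal is a wildcard; the check logic and the issue strings are this example's own, not an AWS API.

```python
import json


def ec2_trust_policy():
    """Trust policy allowing the EC2 service to assume the role for an instance.

    This is the document passed as --assume-role-policy-document to
    `aws iam create-role`; the permissions policies are attached separately.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(policy):
    """List (kind, value) pairs for every principal an Allow statement trusts."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":                     # shorthand for {"AWS": "*"}: anyone
            found.append(("AWS", "*"))
            continue
        for kind, values in principal.items():   # kind is AWS, Service or Federated
            for value in _as_list(values):
                found.append((kind, value))
    return found


def check_trust_policy(policy):
    """Flag statements that let anyone assume the role (example check, not an AWS tool)."""
    issues = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(value == "*" for _, value in trusted_principals({"Statement": [stmt]})):
            if "Condition" in stmt:
                issues.append(f"statement {index}: wildcard principal, review its Condition")
            else:
                issues.append(f"statement {index}: wildcard principal with no Condition")
    return issues


if __name__ == "__main__":
    print(json.dumps(ec2_trust_policy(), indent=2))
    print(check_trust_policy(ec2_trust_policy()))
```

Even with the principal restricted to ec2.amazonaws.com, any instance launched with the role's instance profile can use it, so the permissions policies on the role should grant only what that workload needs.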

Identity Provider / Federation / Identity Center

SSO :- Single Sign On: users authenticate with an external identity provider and receive temporary AWS credentials through a role, instead of each person having a separate IAM user with long-term keys.

IAM Tags

Tags are key-value pairs attached to IAM users, roles and other resources.

Tags are used for identification purposes (for example owner, team, environment).

Tags are helpful for automation in AWS, and they can also be referenced in policy conditions so that access depends on the tags of the principal and the resource.
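Added example tying the IAM Policy section to the IAM Tags section (not code from these notes): a simplified evaluator that shows how IAM decides a request across attached identity policies (explicit Deny wins, then Allow, otherwise implicit deny), including a tag-based Condition that compares a resource tag with the requesting principal's tag. The two policies and the request contexts are constructed; only StringEquals conditions and plain Action/Resource matching are modelled.

```python
import fnmatch
import re


def parse_arn(arn):
    """Split an ARN into its fields: arn:partition:service:region:account-id:resource."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    _, partition, service, region, account, resource = parts
    return {"partition": partition, "service": service, "region": region,
            "account": account, "resource": resource}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM wildcard match: '*' is any run of characters, '?' exactly one."""
    patterns = _as_list(patterns)
    if ignore_case:  # action names are matched case-insensitively, ARNs are not
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _expand(value, context):
    """Substitute policy variables such as ${aws:PrincipalTag/team} from the request context."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: context.get(m.group(1), ""), value)


def _condition_holds(condition, context):
    """Only StringEquals is implemented; other operators raise so the model stays honest."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = context.get(key)   # missing key: condition fails
            if actual is None or actual not in [_expand(e, context) for e in _as_list(expected)]:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request across all attached identity policies.

    Any matching explicit Deny wins, otherwise any matching Allow grants,
    otherwise the request is implicitly denied (a new user with no policies
    lands here). NotAction/NotResource, resource policies and permissions
    boundaries are not modelled.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action, ignore_case=True):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision


# Constructed customer managed policy: read one bucket, never touch its restricted prefix.
READ_LOGS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::app-logs/restricted/*"},
    ],
}

# Constructed tag-based policy: stop/start only instances tagged with the caller's own team.
TEAM_INSTANCES = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
    }],
}

if __name__ == "__main__":
    print(evaluate([READ_LOGS], "s3:GetObject", "arn:aws:s3:::app-logs/2025/app.log"))
    print(evaluate([TEAM_INSTANCES], "ec2:StopInstances",
                   "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123",
                   {"aws:PrincipalTag/team": "payments", "aws:ResourceTag/team": "billing"}))
```

For real policies use the IAM policy simulator (`aws iam simulate-principal-policy`) rather than a toy evaluator; this one exists to make the deny-overrides-allow order, the implicit deny for an unpoliced action, and the effect of a tag mismatch visible on sample requests.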