What is IAM?
Explore AWS Identity and Access Management to understand how it secures cloud resources by controlling who can access what. This lesson covers IAM components like users, roles, and policies, explaining how authentication and authorization ensure safe AWS service access while avoiding security risks associated with root credentials.
IAM (Identity and Access Management) is a security and management service of AWS. It is a global service that helps us provide external entities with secure access to AWS services or resources within our account. It takes care of both authentication (who is accessing the AWS account) and authorization (which services/resources the authenticated entity is accessing).
This lesson will focus on the importance of IAM, its components, operational mechanisms, and best practices.
Why do we need IAM?
When an AWS account is created, we receive root user credentials that provide unrestricted access to all services and resources. When working with AWS, we may need to provide different users or applications access to AWS services or resources. Providing them with the root user credentials is risky as it may lead to security breaches. IAM helps us provide that required access. It helps us create resources representing the requesting entities in our account and define their scope of permissions. Along with this, it helps us monitor, manage, and modify this access as per our requirements.
Components of IAM
IAM uses the following components to perform its operation:
IAM entities: The IAM resources that IAM uses to authenticate the requesting entity. These include the following:
IAM users
IAM roles
IAM identities: The IAM resources that IAM uses to check the permissions scope of the requesting entity. These include the following:
IAM users
IAM roles
IAM groups
Principal: The user, service, or application that requests access to an AWS service or resource. It can be either an external or an internal entity.
Other IAM resources: These are the IAM resources that do not fall into any of the above categories. These are used for a wide range of operations that deal with identity and access management. These include the following:
IAM policies
Identity providers
Access Analyzer
How IAM works
When an entity requests access to any of the AWS services or resources, that request is first analyzed by IAM. IAM checks the credentials provided by the requesting entity to authenticate it. After the requesting entity has been authenticated, IAM analyzes the permissions granted to the entity and checks whether the current request falls within that pool of permissions. Upon verifying that the requesting entity is authorized to access the requested service/resource, IAM provides the requesting entity with the required access.
If the requesting entity fails any of these checks, its request is denied, and an appropriate denial reason is sent as the response to its request.
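The authorization step described above can be illustrated with a small simulator. This is an added example, not code from the lesson or from AWS: it models only identity-based policies (no resource policies, permission boundaries or organization-level controls), and the policy, bucket name and ARNs are constructed for the example.

```python
"""Toy simulation of IAM's authorization check (added example, not AWS code).

Models the core decision order: an explicit Deny in any matching statement
wins, otherwise at least one matching Allow is required, and a request that
matches no statement is denied by default (implicit deny).
"""
import fnmatch
import json

# Constructed sample identity-based policy; the bucket name is hypothetical.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
  ]}""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(statement.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(statement.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Return ("Allow"|"Deny", reason) for one already-authenticated request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", "explicit deny"  # a matching Deny always wins
        allowed = True
    if allowed:
        return "Allow", "explicit allow"
    return "Deny", "implicit deny (no matching Allow statement)"
```

The second reason string is what a denial response corresponds to in practice: a request outside the granted pool of permissions is refused even though no statement names it.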