IAM Fundamentals
Learn about IAM fundamentals that we can use to securely manage authentication, authorization, and access control in AWS.
We'll cover the following...
- Why do we need IAM?
- Components of IAM
- How IAM works
- IAM policies
  - Types of IAM policies
    - Identity-based policies
    - Resource-based policies
- IAM best practices for developers
  - 1. Use IAM roles instead of long-term credentials
  - 2. Apply the principle of least privilege
  - 3. Use customer managed policies for precision
  - 4. Leverage resource-based policies appropriately
  - 5. Use IAM Access Analyzer and IAM policy simulator
  - 6. Separate development, test, and production roles
  - 7. Document and monitor IAM usage
- Conclusion
IAM (Identity and Access Management) is the AWS service that controls who can do what in an account. It is a global service: users, groups, roles, and policies are not tied to a region. IAM gives people, applications, and other AWS services, whether inside or outside our account, controlled access to our services and resources. It handles both authentication (verifying who is making a request) and authorization (deciding whether that authenticated identity may perform the requested action on the requested resource).
This lesson covers why IAM is needed, its components, how it evaluates a request, and best practices for developers.
Why do we need IAM?
When we create an AWS account, it comes with a single sign-in identity: the root user. The root user has unrestricted access to every service and resource in the account, and its permissions cannot be reduced with IAM policies. As soon as other people or applications need access, handing out the root credentials becomes a serious risk: every action runs with full privileges, the credentials cannot be scoped to a task, and nothing can be attributed to an individual. IAM solves this by letting us create an identity in the account for each requesting entity, attach policies that define exactly which actions it may perform on which resources, and monitor, review, and revoke that access over time.
Components of IAM
IAM is built from the following components:
IAM entities: The IAM resource objects that AWS authenticates. Every request is signed with the credentials of one of these:
IAM users
IAM roles
IAM identities: The IAM resource objects to which permissions policies can be attached. Groups are identities but not entities: a group collects permissions for its member users, but nothing can sign in or make a request as a group. These include the following:
IAM users
IAM roles
IAM groups
Principal: The person or application that uses an entity (a user or an assumed role) to make a request to an AWS service or resource. A principal can belong to our own account, to another AWS account, or be an AWS service.
Other IAM resources: Objects that are neither entities nor identities but are needed to manage access. These include the following:
IAM policies
Identity providers (SAML 2.0 or OpenID Connect providers used for federation)
IAM Access Analyzer
How IAM works
When an entity sends a request to an AWS service, the service hands the request to IAM before doing any work. IAM first authenticates the request by verifying that it is signed with valid credentials (the access keys of an IAM user or the temporary credentials of an assumed role). It then authorizes it by evaluating every policy that applies to the principal against the requested action and resource. Two rules drive that evaluation: a request is implicitly denied unless some policy explicitly allows it, and an explicit Deny in any applicable policy overrides every Allow. Only when both checks pass does the service carry out the requested operation.
If either check fails, the request is rejected and the caller receives an error response (such as AccessDenied) instead of the requested result.
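To make the authorization step concrete, here is a small Python evaluator that applies those two rules to identity-based policies. It is an added example, not code from this lesson, from AWS, or from any AWS SDK. The policies, ARNs, and account number 123456789012 are constructed placeholders, and conditions, resource-based policies, permission boundaries, session policies, and SCPs are deliberately left out so that the default-deny and explicit-deny-wins behaviour stands out.

```python
"""Toy evaluator for IAM identity-based policies (added example, not AWS code).

Mirrors the authorization step for a principal whose identity-based policies
have already been collected: the user's own policies plus the policies of
every group the user belongs to.

Rules implemented:
  1. Every request starts as an implicit deny.
  2. A matching Allow statement in any attached policy grants the request.
  3. A matching explicit Deny in any attached policy overrides every Allow.
  4. Action names match case-insensitively; resource ARNs case-sensitively.
  5. '*' matches any run of characters (including ':' and '/'), '?' one char.
"""
import re


def _glob_match(pattern: str, value: str, ignore_case: bool) -> bool:
    """Match an IAM-style wildcard pattern against a literal value."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value) -> list:
    """IAM lets a field be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """True if the statement's Action/NotAction and Resource/NotResource cover the request."""
    if "Action" in stmt:
        action_ok = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:  # NotAction: the statement applies to every action NOT listed
        action_ok = not any(_glob_match(p, action, True) for p in _as_list(stmt["NotAction"]))
    if "Resource" in stmt:
        resource_ok = any(_glob_match(p, resource, False) for p in _as_list(stmt["Resource"]))
    else:  # NotResource: the statement applies to every resource NOT listed
        resource_ok = not any(_glob_match(p, resource, False) for p in _as_list(stmt["NotResource"]))
    return action_ok and resource_ok


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # rule 1: nothing is allowed until a policy says so
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # rule 3: an explicit deny is final
            decision = "Allow"  # rule 2: keep scanning in case a Deny follows
    return decision


# Constructed sample data: account id, bucket and table names are placeholders.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
        {"Effect": "Allow",
         "Action": "dynamodb:*",
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
        # Carve-out: the secrets/ prefix stays unreadable even though app-logs/* is allowed.
        {"Effect": "Deny",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::app-logs/secrets/*"},
    ],
}
GROUP_POLICY = {  # inherited through group membership
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        # Guardrail: deny every action outside the services this team is meant to use.
        {"Effect": "Deny", "NotAction": ["s3:*", "dynamodb:*", "ec2:*"], "Resource": "*"},
    ],
}
PRINCIPAL_POLICIES = [USER_POLICY, GROUP_POLICY]

SAMPLE_REQUESTS = [  # constructed requests, (action, resource)
    ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
    ("s3:GetObject", "arn:aws:s3:::app-logs/secrets/db.json"),
    ("s3:PutObject", "arn:aws:s3:::app-logs/2024/app.log"),
    ("dynamodb:PutItem", "arn:aws:dynamodb:us-east-1:123456789012:table/Customers"),
    ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    ("iam:CreateUser", "arn:aws:iam::123456789012:user/intern"),
]

if __name__ == "__main__":
    for action, resource in SAMPLE_REQUESTS:
        print(f"{evaluate(PRINCIPAL_POLICIES, action, resource):<13} {action:<24} {resource}")
```

Two details are worth noticing when running it. The Deny on `app-logs/secrets/*` wins even though an Allow on `app-logs/*` also matches, and the `NotAction` guardrail in the group policy turns an otherwise implicit deny for `iam:CreateUser` into an explicit one that no later Allow could reopen. The real evaluation logic additionally consults SCPs, resource-based policies, permission boundaries, session policies, and condition keys, so a toy like this is for understanding the rules, not for deciding real access; the IAM policy simulator does that against the live account.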
...