Introduction
Explore AWS Identity and Access Management to understand how to securely authenticate users and authorize resource access. Learn about IAM policies, roles, temporary credentials, and tools like Access Analyzer and CloudTrail. Discover identity federation with Amazon Cognito and managing access across multiple AWS accounts to enforce least-privilege security.
As organizations increasingly move their infrastructure to the cloud, managing authentication and authorization becomes a foundational aspect of security. AWS provides various services and tools to control who can access what, and under which conditions. At the core of this is AWS Identity and Access Management (IAM), which enables fine-grained control over access to AWS resources. By defining who can authenticate and what they are authorized to do, IAM helps enforce least-privilege access, reduce the risk of unauthorized activity, and support compliance with organizational and industry security standards.
In this section, we'll discuss the IAM features used to implement secure access to our account, along with the other services that assist us in managing AWS accounts.
We'll begin by exploring the fundamentals of AWS Identity and Access Management (IAM), focusing on how IAM policies control access to AWS resources. From there, we'll examine IAM roles and how they're used by applications, including how temporary credentials are issued through AWS Security Token Service (STS). We'll also explore two AWS security tools, IAM Access Analyzer and CloudTrail, used to monitor and audit access. Next, we'll look at bearer tokens, such as OAuth access tokens or JWTs, for temporary, scoped access to AWS services, and then cover identity federation using Amazon Cognito to enable external users to securely access our applications. We'll wrap up the section by discussing how to manage identity and access across multiple AWS accounts using IAM features and supporting services.