Beginners Guide to AWS Identity & Access Management (IAM)

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization)[1].

Key features

The key IAM features are:

  • Provides centralized control
  • IAM is universal, i.e. it spans all regions
  • Allows you to provide granular permissions to your services
  • Offers Multi-factor Authentication (MFA)
  • Can provide temporary access to your services
  • You can create and customize your own password policies
  • PCI DSS Compliant
  • New users have no permissions.

Components

IAM consists of users, groups, roles and policies:

Users

A user provides authentication to the AWS Management Console and also to the AWS API or CLI. A user consists of a name, a password for AWS Management Console login, and access keys for use with the CLI or API.

Groups

Simply put, an IAM group is a collection of IAM users.

Roles

Roles, like users, provide an identity that is associated with a set of permissions (policies) for your AWS services. However, unlike users, roles have neither a password nor access keys. The key benefit of roles is that they provide greater security than using and storing your access/secret keys on the instance (in the case of EC2), because the credentials a role provides are temporary and rotated automatically.

Policies

A policy is a document that explicitly lists permissions[2]. Within a policy, what can be performed and on which resources is defined by the Effect, Action and Resource elements of each statement.
Below is an example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::fir3net20",
                "arn:aws:s3:::fir3net20/*"
            ]
        }
    ]
}
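To show how the Effect, Action and Resource elements of the policy above are actually evaluated, here is an added example written for this guide (not AWS code or an official evaluator). It models the core IAM decision rule, default deny, any matching Allow grants, an explicit Deny always wins, and checks it against the page's policy plus a constructed Deny policy; conditions, NotAction/NotResource, resource-based policies and SCPs are deliberately left out (assumption).

```python
import re

# Constructed sample: the identity-based policy shown on the page above.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "arn:aws:s3:::*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::fir3net20", "arn:aws:s3:::fir3net20/*"]},
    ],
}

# Constructed sample: a second policy that carves an explicit Deny out of the broad s3:* grant.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "arn:aws:s3:::fir3net20"},
    ],
}

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]

def _wild_match(pattern, value, fold_case):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if fold_case else 0) is not None

def is_allowed(policies, action, resource):
    """Simplified model of IAM evaluation (assumption: identity-based policies only, no
    Condition, NotAction/NotResource, resource policies or SCPs). An explicit Deny always
    wins; otherwise any matching Allow grants; otherwise the request is denied by default,
    which is why a freshly created user can do nothing."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
            if not any(_wild_match(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if not any(_wild_match(p, resource, False) for p in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running the checks shows that s3:* on fir3net20 is a very broad grant (it includes s3:DeleteBucket), which is why a separate Deny statement or a narrower Action list is the usual least-privilege fix.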

Resources

[1] http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

[2] http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html


Rick Donato
