12_IAM Overview and Best Practices

AWS Identity and Access Management (IAM)

IAM supports authenticating and securing access to cloud resources.

Authentication vs. Authorization

  • Authentication: Verifying the identity of who is trying to gain access.
  • Authorization: Determining what a user or application is allowed to do after authentication.
  • IAM controls both authentication and authorization to AWS resources.

IAM Features

  • Integrated with most AWS services.
  • Supports federated identities (e.g., Microsoft Active Directory).
  • Supports Multi-Factor Authentication (MFA), requiring a secondary authentication code.
  • Enables granular permissions based on the principle of least privilege.

IAM Terminology

  • IAM Resources: Things stored in IAM (users, groups, roles, policies, identity provider objects).
  • IAM Entity: IAM resource used to authenticate (users and roles).
  • IAM Identity: IAM resource that can be authorized (users, roles, and groups).
  • Principals: People and applications that sign in and make requests to AWS.

IAM Users

  • IAM users can sign in to AWS.
  • Policies attached to users define their permissions.
  • Users can be put into groups, with policies attached to the group to define permissions for all users in the group.

IAM Roles

  • Roles are similar to users but are not tied to one specific person.
  • Roles are assumed by those who need them.
  • When a role is assumed, temporary security credentials are provided, valid only for a limited time or session.

IAM Security Credentials

  • Username and Password: Used to log in to the AWS Management Console.
  • AWS Access Key:
    • Combination of an access key ID and a secret access key.
    • Used for AWS Command Line Interface (CLI) commands and programmatic calls to AWS.

Best Practices for Securing Access

  • Opt for temporary credentials whenever possible.
  • Rotate access keys if longer-term credentials are required.
  • Use AWS Organizations to group accounts and control resources centrally.
  • Use AWS CloudTrail to audit activity on AWS accounts.
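The key-rotation practice above, as an added example (not from the original notes): a check that flags active IAM access keys older than an assumed 90-day threshold. It runs offline on constructed sample data shaped like the AccessKeyMetadata entries that IAM's ListAccessKeys returns; the boto3 scan of a live account is a separate, optional function.

```python
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90  # assumed rotation threshold; pick what your policy requires


def find_keys_needing_rotation(access_key_metadata, now, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, key_id, age_days) for each active key older than max_age_days.

    access_key_metadata: list of dicts with UserName, AccessKeyId, Status, CreateDate
    (the shape of AccessKeyMetadata entries from IAM ListAccessKeys).
    """
    flagged = []
    for key in access_key_metadata:
        if key["Status"] != "Active":
            continue  # inactive keys cannot be used; clean them up separately
        age = now - key["CreateDate"]
        if age > timedelta(days=max_age_days):
            flagged.append((key["UserName"], key["AccessKeyId"], age.days))
    return flagged


# Constructed sample data (placeholder key IDs, not real credentials).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001",
     "Status": "Active", "CreateDate": NOW - timedelta(days=200)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002",
     "Status": "Inactive", "CreateDate": NOW - timedelta(days=400)},
    {"UserName": "alice", "AccessKeyId": "AKIAEXAMPLE000000003",
     "Status": "Active", "CreateDate": NOW - timedelta(days=10)},
]


def scan_account_with_boto3(max_age_days=MAX_KEY_AGE_DAYS):
    """Run the same check against a live account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    iam = boto3.client("iam")
    keys = []
    for page in iam.get_paginator("list_users").paginate():
        for user in page["Users"]:
            for key_page in iam.get_paginator("list_access_keys").paginate(UserName=user["UserName"]):
                keys.extend(key_page["AccessKeyMetadata"])
    return find_keys_needing_rotation(keys, datetime.now(timezone.utc), max_age_days)


if __name__ == "__main__":
    for user, key_id, age in find_keys_needing_rotation(SAMPLE_KEYS, NOW):
        print(f"{user}: key {key_id} is {age} days old and should be rotated")
```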

Root User Protection

  • The root user has complete access to all AWS services and resources.
  • Limit its use and monitor activity.
  • Create a separate IAM user for day-to-day administrative tasks.

Managing User Permissions

  • Add users to groups and attach policies to the groups.
  • IAM users in a group inherit permissions from the group.
  • Use IAM roles to grant temporary credentials.

Key Takeaways

  • Don't use the root account for day-to-day administration.
  • Attach policies to groups and add IAM users to the groups for long-term credentials.
  • Use roles to provide temporary security credentials and grant permissions.