General IAM Concepts

• AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.
• You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
• IAM makes it easy to provide multiple users secure access to AWS resources.
• When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account.
• This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.
• IAM can be used to manage:
  1. Users.
  2. Groups.
  3. Access policies.
  4. Roles.
  5. User credentials.
  6. User password policies.
  7. Multi-factor authentication (MFA)
  8. API keys for programmatic access (CLI).
• IAM provides the following features:

  1. Shared access to your AWS account

     Each IAM user has three main components- A user-name, A password, and Permissions to access various resources.

  2. Granular permissions

     You can apply granular permissions with IAM.

  3. Secure access to AWS resources for application that run on Amazon EC2.

  4. Multi-Factor authentication

     Multi-factor authentication can be enabled/enforced for the AWS account and for individual users under the account. MFA uses an authentication device that continually generates random, six-digit, single-use authentication codes.

     You can authenticate using an MFA device in the following ways:

     • Through the AWS Management Console – the user is prompted for a user name, password and authentication code.
     • Using the AWS API – restrictions are added to IAM policies and developers can request temporary security credentials and pass MFA parameters in their AWS STS API requests.
     • Using the AWS CLI by obtaining temporary security credentials from STS (aws sts get-session-token).

     It is a best practice to always setup multi-factor authentication on the root account. The “root account” is the account created when you setup the AWS account. It has complete Admin access and is the only account that has this access by default. It is a best practice to not use the root account for anything other than billing.

  5. Identity federation

     Identity Federation (including AD, Facebook etc.) can be configured allowing secure access to resources in an AWS account without creating an IAM user account.

  6. Identity information for assurance.

  7. PCI DSS compliance. (Payment Card Industry Data Security Standard)

  8. Integrated with many AWS services.

  9. Eventually consistent.

  10. Free to use.

• You can work with AWS Identity and Access Management in any of the following ways:
  1. AWS Management Console.
  2. AWS Command Line Tools.
  3. AWS SDKs.
  4. IAM HTTPS API.

By default new users are created with NO access to any AWS services – they can only login to the AWS console. Permission must be explicitly granted to allow a user to access an AWS service. IAM users are individuals who have been granted access to an AWS account.