AWS IAM - Identity and Access Management

AWS Identity and Access Management (IAM) is a service that enables secure access control across AWS resources. It helps organizations define who can access AWS resources and what actions they can perform. IAM allows managing users, groups, policies, and roles efficiently while enforcing security best practices.

AWS Identity and Access Management (IAM) is a service that enables you to manage users, groups, roles, and permissions securely in AWS. It controls who can access AWS resources and what action they can perform.

Key Features of AWS IAM

• Granular Access Control:

Fine-Grained permissions determine user access.

Allows precise control over who can do what in AWS.

• Role-Based Access Control:
  Users, Groups, and Roles to structure permissions.

• Supports Users, Groups, and Roles:

Organizes access management efficiently.

• Policy-Based Permissions:
  Users JSON-based Policies to define access.

• Multi-Factor Authentication (MFA):
  Enhances security by requiring an extra authentication Step.

• Federated Access:
  Allows users from Active Directory, Google, or SAMl to sign in.

• AWS Organizations Integration:
  Manages IAM across multiple AWS Accounts.

• No Additional Cost:

IAM is free, and users only pay for the AWS resources they use.

Key IAM Components

IAM Users:

• Represents an individual or application needing access to AWS.

• Can have passwords for AWS Console and Access keys for API/CLI

• Should be assigned only necessary Permissions.

IAM Groups:

• A collection of IAM Users with shared Permissions.

• Simplifies permissions management (e.g., "Admins", "Developers", "Operations")

• Users inherit policies attached to the group.

IAM Policies:

• JSON-Based rules that define permissions for users, groups or roles.

• Policies follow by default but can explicitly Deny Actions.

• Two Types of Policies:

• AWS Management Policies: Predefined by AWS

• Customer Managed Policies: Created by user for fine-grained control.

IAM Roles:

• Temporary identities assumed by AWS Services, Applications, or External Users.

• Ideal for EC2, Lambda, or cross-account access without using credentials.

• Uses Trust policies to define which entities can assume the role.

IAM Identity Center (AWS SSO):

• Provides Single Sign-On (SSO) for multiple AWS Accounts.

• Supports integration with Active Directory, Google, Okta, SAML and more.

How IAM Works

Authentication:

• The User/Service must prove its identity using credentials or roles.

Authorization:

• IAM checks policies to determine if the request is allowed or denied.

Access Granted or Denied:

• If the action is allowed, AWS executes the request otherwise it's denied.

Types of IAM Policies

Policy Type	Description
Managed Policies	Predefined policies by AWS
Customer Managed Policies	User-Created Policies for customized access control
Inline Policies	Embedded directly to the user, group, or role.

Best Practices for AWS IAM

• Use IAM Roles instead of Long-Term Credentials - Avoid static access keys.

• Apply the Principle of Least Privileges - Grant only necessary permissions.

• Enable Multi-Factor Authentication (MFA) - Adds an extra layer of security.

• Monitor IAM Activity with AW CloudTrail - Track changes and unauthorized access.

• Rotate Credentials Regularly - If access keys are required, rotate them frequently.

• Use IAM Conditions for Extra Security - Restrict access by IP address, MFA status, or time.