AWS Identity and Access Management (IAM) lets account owners manage access to compute, storage, database, and application services in the AWS cloud. IAM applies basic access-control concepts (users, groups, roles, and permissions) to individual API calls. It therefore lets us control which users can reach which services, which actions they may perform on a service, and which resources are available, from virtual machines and database instances down to individual table items and attributes where a service such as DynamoDB supports fine-grained access control.
What is Identity Access Management (IAM)?
AWS Identity and Access Management (IAM) is a web service that helps an organization securely control access to its AWS resources. IAM controls who can sign in and make requests (authentication) and which resources each identity may use, and in what ways (authorization).
Components
Users
IAM lets you create and manage AWS users and attach permissions that allow or deny their access to AWS resources. Each user gets its own credentials (a console password, access keys, or both) instead of sharing the account's root credentials.
Groups
A group is a collection of users. Policies attached to the group apply to every user in it, so permissions can be managed per job function instead of per individual user.
Roles
An IAM role is an IAM identity that defines a set of permissions for making AWS service requests. A role is not tied to a specific user or group; instead, trusted entities assume it, such as IAM users, applications, or AWS services such as EC2, and receive temporary credentials for the duration of the session.
Policies
To grant permissions to a user, group, or role, you create a policy: a JSON document that explicitly lists the allowed or denied actions and the resources they apply to. Policies attached to identities are identity-based policies; some services (S3 buckets, for example) also accept resource-based policies attached to the resource itself.
Multi-Factor Authentication
IAM supports multi-factor authentication (MFA), a second layer of security beyond the password, much like the one-time code some e-mail providers ask for at sign-in. The first factor is the password; the second is a short-lived verification code entered after it.
In AWS, a virtual MFA device can be created with a TOTP authenticator app such as Google Authenticator. The app is enrolled by scanning the QR code (or typing the secret key) that IAM shows when the device is created, and from then on it generates the six-digit codes that change every 30 seconds.
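What the virtual MFA device actually computes is a TOTP code (RFC 6238): HMAC-SHA1 over a 30-second time counter, truncated to six digits, keyed by the secret that AWS shows as a QR code during enrollment. The block below is an added example, not code from the original post or from AWS. The secret is the RFC 6238 reference test key, constructed here for illustration; the verifier-side `verify_totp` with its clock-drift window and constant-time compare is the author's sketch of what a server does with the code, not AWS's implementation.

```python
"""Virtual MFA device: the TOTP code a Google Authenticator-style app shows.

Added example (not AWS code). SAMPLE_SECRET is the RFC 4226/6238 reference
key, used only so the output can be checked against published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed sample secret (20 ASCII bytes). In AWS the equivalent secret is
# the base32 string / QR code shown once at device creation; treat it like a
# password, because anyone holding it can mint valid codes.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_SECRET_BASE32 = base64.b32encode(SAMPLE_SECRET).decode()

STEP_SECONDS = 30   # AWS virtual MFA devices use 30-second steps
DIGITS = 6          # and 6-digit codes


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a single counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros


def totp(secret_base32: str, at_time: Optional[float] = None,
         step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over floor(time / step)."""
    secret = base64.b32decode(secret_base32.upper())
    now = time.time() if at_time is None else at_time
    return hotp(secret, int(now // step), digits)


def verify_totp(secret_base32: str, code: str, at_time: Optional[float] = None,
                window: int = 1) -> bool:
    """Verifier side (author's sketch): accept the code for the current step
    or up to `window` steps either side, to absorb clock drift between the
    phone and the server. compare_digest avoids leaking matched digits via timing."""
    now = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        candidate = totp(secret_base32, now + drift * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference vector: at T=59 the 8-digit SHA-1 code is 94287082,
    # so the 6-digit code the app would display is 287082.
    print("code at T=59:", totp(SAMPLE_SECRET_BASE32, at_time=59))
    print("verifies:", verify_totp(SAMPLE_SECRET_BASE32, "287082", at_time=59))
    print("live code for the sample secret:", totp(SAMPLE_SECRET_BASE32))
```

The drift window is a trade-off: each extra step the verifier accepts widens the interval in which a phished code stays usable, which is why real verifiers keep it to one step and also refuse to accept the same code twice.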
Security
Security matters to AWS customers. In addition to physical security, AWS provides fine-grained access and data-locality controls, and the infrastructure building blocks to build sophisticated secure applications that meet regulatory and compliance standards.
Focus on Features and Functionality
Identity Access Management lets developers focus on the features and functionality of their application software while it does the heavy lifting on the security side of things.
- Shared access to the user’s AWS account
- Granular permissions
- Secure access to AWS resources for applications running on EC2
- Identity federation
- Free to use
- PCI DSS Compliance
- Password Policy
For instance, applications on EC2 instances can be given an IAM role instead of long-lived access keys; the role's temporary credentials are rotated automatically, ensuring that only trusted applications and users have appropriate access at any given time. There is no additional charge for IAM, and getting started is easy.
How does IAM Work?
Principal
- A principal is the entity that can perform an action on an AWS resource.
- A user or a role (and any application that has assumed the role) can be a principal.
Request
- When a principal wants to use the AWS Management Console, the API, or the CLI, it sends a request to AWS. The request carries the action, the target resource, the principal's credentials, and context such as the source IP address and whether MFA was used.
Authorization
- IAM first authenticates the principal from the credentials in the request, then uses the request context to find matching policies and decide whether to allow or deny. Requests are denied by default: an explicit Deny in any applicable policy overrides every Allow, and the request succeeds only if some policy explicitly allows it.
Actions
- Once the request is authenticated and authorized, AWS performs the requested action.
- Actions let a user view, create, edit, and delete resources; each service defines its own set, such as ec2:RunInstances or iam:DeleteRole.
Resources
- Actions are performed on resources that exist in the user's AWS account, and each action is defined for a particular kind of resource.
- If a request names an action that does not apply to the resource it targets, the request is denied.
- For example, iam:DeleteRole applies to an IAM role; a request that tries to apply it to an EC2 instance is denied.
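To make the Policies section and the authorization steps above concrete, here is an added example (the author's, not AWS's evaluation engine) that embeds a constructed identity-based policy in the same JSON shape as a real one and evaluates requests against it using the documented rules: deny by default, explicit Deny wins over any Allow, and a Condition (here aws:MultiFactorAuthPresent) is checked against the request context. The bucket name, role names and account ID 123456789012 are placeholders. Resource-based policies, permission boundaries, SCPs, NotAction/NotResource and most condition operators are deliberately left out.

```python
"""Minimal evaluator for an IAM identity-based policy (added example, not AWS code).

Rules modelled: implicit deny, explicit Deny beats Allow, '*'/'?' wildcards in
Action and Resource, case-insensitive action names, and the Bool and
StringEquals condition operators. Everything else is out of scope.
"""
import fnmatch
from typing import Any, Dict, List, Optional

# Constructed sample policy; ARNs and account ID are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # granular permission: read one bucket only
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        },
        {   # destructive IAM action, allowed only when the session used MFA
            "Effect": "Allow",
            "Action": "iam:DeleteRole",
            "Resource": "arn:aws:iam::123456789012:role/*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {   # explicit deny protects one role even from the Allow above
            "Effect": "Deny",
            "Action": "iam:DeleteRole",
            "Resource": "arn:aws:iam::123456789012:role/prod-admin",
        },
    ],
}


def _as_list(value: Any) -> List[str]:
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns: Any, action: str) -> bool:
    """Action names are case-insensitive and may contain * and ? wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns: Any, resource: str) -> bool:
    """Resource ARNs are matched case-sensitively, with the same wildcards."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, Any]) -> bool:
    """A statement applies only if every condition key matches the request context.
    A key missing from the context does not match (so no-MFA sessions fail Bool checks)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if str(actual) not in [str(v) for v in _as_list(expected)]:
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy: Dict[str, Any], action: str, resource: str,
             context: Optional[Dict[str, Any]] = None) -> str:
    """Return 'Allow' or 'Deny' for one request against one identity-based policy."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # explicit deny wins, whatever else matched
        allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"))
    print(evaluate(SAMPLE_POLICY, "iam:DeleteRole", "arn:aws:iam::123456789012:role/dev-test"))
    print(evaluate(SAMPLE_POLICY, "iam:DeleteRole", "arn:aws:iam::123456789012:role/dev-test", mfa))
    print(evaluate(SAMPLE_POLICY, "iam:DeleteRole", "arn:aws:iam::123456789012:role/prod-admin", mfa))
    # an IAM action aimed at an EC2 instance matches no statement: implicit deny
    print(evaluate(SAMPLE_POLICY, "iam:DeleteRole", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"))
```

The ordering of statements never matters: the evaluator returns Deny the moment an explicit Deny applies, and only reports Allow after scanning every statement without hitting one, which is the behaviour to keep in mind when a broad Allow and a narrow Deny live in the same policy.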
Author: SVCIT Editorial
Copyright Silicon Valley Cloud IT, LLC.