In this article, we will discuss about what Amazon Identity & Access Management is, how it works and its features in a summarized form.
This time, we will look into the concepts with animated graphical content so that it will be easy to understand.
What is Identity Access Management
AWS Identity Access Management (simply called as IAM) is a web service provided by Amazon through which one can securely control the access to various resources available in Amazon Web Services. IAM authenticates the users and evaluates permissions provided, to access resources.
In Amazon IAM, there are certain key actors or principals that we would need to know. They are as follows;
AWS Root User
IAM User Groups
Now lets look at each one in detail.
AWS Root User
When you create an account with AWS, you get a single sign-in identity that has access to all aws resources. This is called root user access and you can sign-in with your email and password. By signing-in with root account, you can create other users with various access levels in Identity Access Management and provide the users with necessary access levels.
In the below graphic, you could notice a root user (represented as key) tries to access resources.
AWS IAM User
An IAM user is an individual or identity with set of access permissions provided by either root user or by Admin user. When a new user is created, the new user will not have access to any of the resources by default. The admin user will need to explicitly provide access to the resources.
In the below graphics you can see new user not able to access any resources
A policy is the engine that defines the permission(s) set on AWS resources when attached user or a group or a role. When a new user is created, a policy will need to be attached to the user in order to have access to a specific resource. The same applies to group and roles as well.
The below mentioned graphics shows what happens when a user tries to access AWS resources. The user is validated if he has the right policy and permissions to access the specified resource.
IAM Groups & Roles
Lets assume you have a small company and there are 3 groups of employees working as mentioned below.
Now it will be easier to attach the policies and permissions at group level instead of individual users. Policy attached at group level will be applicable to all users in the group. You can also attach multiple policies to users or entities or groups.
You (as a root account holder) can create 3 group names in AWS and provide various user groups for different permissions. Lets us assume the following groups to the 3 levels of employees.
Managers - Admin (Have access to all resources)
Senior Developers - Team Leads ( Can create or delete only S3 buckets)
Junior Developers - Team Members (Can create S3 buckets for CANNOT delete any bucket)
As mentioned above, Admin roles will have access to all the resources. Below graphic shows admin access.
Below graphic shows that team leads have access to create S3 & delete buckets.
Below graphic shows that team leads have access to create S3 but when they try to delete buckets, IAM policy does not allow to delete.
An IAM role is similar to IAM user with specific permissions. However, instead of associating this with one person, a role is intended to be assigned to anyone who needs it. It can be assigned to user and entities as well. For example, an IAM role can be assigned to an EC2 Instance or Lambda function to perform a specific action. When a role is assigned, it provides you with temporary security credentials for your role session.
Features of IAM
The diagram shows some key features of IAM
I hope this provides a summarized view on AWS Identity & Access Management. There is more to learn on this topic in detail and I suggest to read Amazon's documentation on the same. Please provide your valuable comments on this article. Thank you.