AWS Identity and Access Management (IAM)
Demo on Assigning Users to Groups and Policies using IAM in AWS
Managing Secure Access to AWS Resources
What is IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. It is the fundamental security layer of the AWS Cloud.
Core IAM Concepts
IAM Users
An IAM user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user consists of a name and credentials.
IAM Groups
An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.
IAM Policies
A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. Policies are stored in AWS as JSON documents.
IAM Roles
An IAM role is an identity you can create in your account that has specific permissions. Unlike a user, a role does not have unique long-term credentials (password or access keys). Instead, it is "assumed" by anyone who needs it, providing temporary security credentials.
Steps to Assign Users and Policies to Groups
Follow these steps to implement the "Principle of Least Privilege" by managing access via groups:
- Create a Group: In the IAM Console, navigate to 'User Groups' and create a new group (e.g., "Developers" or "Admins").
- Attach a Policy to the Group: During or after group creation, select the permissions (JSON policies) you want the group to have. For example, attach the AmazonS3ReadOnlyAccess policy.
- Create or Select Users: Navigate to the 'Users' section and create new IAM users or select existing ones.
- Add Users to the Group: Select the users and choose 'Add to group'. These users will now automatically inherit all permissions attached to that group.
- Verify Access: Ensure that the users can perform the actions defined in the group policy but are blocked from actions not explicitly permitted (IAM denies any action that no policy allows).
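As an added example (not AWS code and not part of the original page), the following Python models the steps above offline: a constructed "Developers" group carrying a read-only policy modelled on AmazonS3ReadOnlyAccess plus an explicit Deny guardrail, users inheriting permissions through group membership, and a check that mirrors the "Verify Access" step using IAM's documented evaluation order (an explicit Deny beats any Allow, and anything not allowed is implicitly denied). Every user, group, ARN and policy document here is constructed.

```python
import fnmatch

# Added example, not AWS code: a minimal model of group-based permission
# inheritance plus IAM's evaluation order (explicit Deny wins, then Allow,
# otherwise implicit deny), so the "Verify Access" step can be dry-run.

# Constructed read-only policy modelled on AmazonS3ReadOnlyAccess (not the
# verbatim AWS-managed document).
S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

# Constructed guardrail: group members may never touch the audit-log bucket.
DENY_AUDIT_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::audit-logs/*"}]}

# Constructed layout: users belong to groups, groups carry the policies.
GROUP_POLICIES = {"Developers": [S3_READ_ONLY, DENY_AUDIT_BUCKET]}
USER_GROUPS = {"alice": ["Developers"], "bob": []}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, action, resource):
    # IAM actions are case-insensitive; resource ARNs are not. '*' and '?' are wildcards.
    act_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"]))
    res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
    return act_ok and res_ok

def is_allowed(user, action, resource):
    """True only if a policy inherited via the user's groups allows the call and none denies it."""
    allowed = False
    for group in USER_GROUPS.get(user, []):
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                if not _statement_applies(stmt, action, resource):
                    continue
                if stmt["Effect"] == "Deny":
                    return False  # an explicit Deny overrides any Allow
                allowed = True
    return allowed  # no matching Allow means implicit deny

if __name__ == "__main__":
    for user, action, res in [("alice", "s3:GetObject", "arn:aws:s3:::team-data/report.csv"),
                              ("alice", "s3:PutObject", "arn:aws:s3:::team-data/report.csv"),
                              ("alice", "s3:GetObject", "arn:aws:s3:::audit-logs/2024.log"),
                              ("bob", "s3:GetObject", "arn:aws:s3:::team-data/report.csv")]:
        print(f"{user:6} {action:13} {'ALLOW' if is_allowed(user, action, res) else 'DENY'}")
```

Running it shows alice reading team data, being denied writes (no Allow matches) and being denied the audit bucket (explicit Deny), while bob, who belongs to no group, is denied everything.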
IAM Use Cases
Granular Permission Control
Assigning different levels of access to different departments. For example, allowing the Marketing team to access S3 buckets while restricting the Finance team to billing data only.
Cross-Account Access
Using IAM Roles to allow a user in one AWS account to access resources in another AWS account without sharing long-term credentials.
Application-to-Service Access
Assigning an IAM Role to an EC2 instance so that an application running on that server can securely call other AWS services (like DynamoDB) without hardcoding secret keys in the code.
Multi-Factor Authentication (MFA)
Enforcing MFA for all users, especially those with administrative privileges, to add an extra layer of security beyond just a username and password.
Best Practice Tip
Always follow the Principle of Least Privilege (PoLP). Only grant users the minimum permissions they need to perform their job. It is much safer to add permissions later than to grant too much access at the start.