IAM ROLE IN AWS
What is IAM?
- IAM stands for Identity and Access Management.
- IAM is used to control:
  Identity: the list of users who can access your AWS resources (authentication)
  Access: the resources, and the ways of using them, that those users are authorized to utilize (authorization)
- IAM is a web service that enables you to manage users and group permissions in AWS.
- It is targeted at organizations with multiple users or systems that use AWS products such as Amazon Elastic Compute Cloud, Amazon Relational Database Service, and the AWS Management Console.
Why go for IAM?
- To avoid a security and logistical headache.
- When you create an AWS account, the account (its root user) has permission to do anything and everything with all of its resources.
- IAM allows you to limit access as needed and gives you the peace of mind that only approved people are accessing the right resources in the desired manner.
- IAM lets us create many users, each with their own security credentials and permissions, so that each user can accomplish only what they need to.
- Each user in the AWS account must have a unique set of credentials to access the console.
Free to use
- IAM is provided free of cost; fees arise only when your IAM users use other AWS services.
Account Root User
- IAM best practice: after creating an AWS account, do not use or share the root account. Instead, create a separate user with admin privileges.
- For day-to-day actions, an Administrator account can be created with complete access to the AWS account, apart from the root security credentials, billing details, and the ability to change the root password.
IAM Users
- Password: used to access AWS services through the AWS Management Console.
- Access Key ID and Secret Access Key: used to access AWS services via the API, CLI, or SDK.
- An IAM user starts with no permissions and is not authorized to perform any action on any AWS resource; permissions should be granted in accordance with the requirements of the job function.
Different types of users have different sets of permissions:
- Administrators
- System Operators
- Developers
- Administrators need access to all AWS resources, such as S3, EC2, ELB, AWS RDS, etc.
- Developers may only require access to Amazon Elastic Compute Cloud.
With IAM we can create a unique user for each employee and define that employee's permissions.
What is a Group?
- A group is a collection of IAM users; once permissions are defined for a group, they apply to all members of the group. Even after creating a user, we still use groups to set that user's permissions.
- We then manage access for a number of groups instead of managing access for every individual user.
- We can:
1. Create a group
2. Review the group
3. Attach a policy
4. Change the group name
5. Delete a group
6. Add a user to the group
Multi-Factor Authentication (MFA)
- MFA provides additional security by requiring users to present both a password and an authentication code from an external device.
- If the MFA device malfunctions or is lost, you won't be able to log into the AWS console and will need to contact AWS Support to disable MFA.
- MFA is especially recommended for the AWS root account and any account with administrator permissions, since they have access to all your AWS resources.
Credential Report
- IAM can generate a downloadable credential report listing all of the account's users and the current state of each user's credentials, such as passwords, access keys, and MFA devices.
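As an added example (not part of the original notes), the following Python script audits a credential report for the MFA and key-rotation points above: console users and the root account without MFA, active root access keys, and access keys older than a rotation threshold. The CSV sample is constructed with fake data and a subset of the report's real column names; the 90-day threshold is an assumed policy, not an AWS default.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample (real column names, a subset of the report's columns, fake data).
# In a real account, fetch the CSV with:
#   aws iam generate-credential-report
#   aws iam get-credential-report --query Content --output text | base64 -d
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-03-01T10:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,true,2023-03-01T10:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2023-04-01T10:00:00+00:00,true,2024-04-30T10:00:00+00:00
"""

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not an AWS default


def audit_credential_report(report_csv, now, max_key_age_days=MAX_KEY_AGE_DAYS):
    """Return (user, finding) tuples for credential states worth fixing."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has console sign-in; IAM users only when password_enabled is true.
        has_console = is_root or row["password_enabled"] == "true"
        if has_console and row["mfa_active"] != "true":
            findings.append((user, "console sign-in without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            rotated = datetime.fromisoformat(row[f"access_key_{n}_last_rotated"])
            age = (now - rotated).days
            if age > max_key_age_days:
                findings.append((user, f"access key {n} not rotated for {age} days"))
    return findings


def audit_sample():
    """Run the audit over the constructed sample at a fixed 'now' (2024-05-02 12:00 UTC)."""
    return audit_credential_report(SAMPLE_REPORT, now=datetime(2024, 5, 2, 12, tzinfo=timezone.utc))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```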