
Identity and Access Management in AWS (IAM):

  • IAM is the service that controls how people and programs are allowed to use or change your AWS infrastructure.
  • IAM uses traditional identity concepts such as users, groups, and access control policies to control who can use your AWS account, what services and resources they can use, and how they can use them.
  • Through IAM you can control the access of a single user to a specific resource from a specific IP address during a specific time window.
  • We can access IAM through the following three options:
    • Through the AWS Management Console.
    • With the AWS CLI (Command Line Interface), typically from scripts.
    • Using the AWS SDKs.
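As an added illustration of the "specific user, specific resource, specific IP address, specific time window" control described above (example code, not from the original post): a constructed IAM policy that uses the aws:SourceIp and aws:CurrentTime condition keys, together with a small evaluator that models IAM's implicit-deny and explicit-Deny-wins rules. The evaluator, the bucket name, the network range and the dates are assumptions made for this example; the evaluator is a simplified model, not AWS's real policy engine.

```python
import fnmatch
import ipaddress
from datetime import datetime
# Constructed policy (not from the post): one action on one S3 prefix, only
# from one office network (aws:SourceIp) and only inside a one-week window.
POLICY = {
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/reports/*"],
        "Condition": {
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
            "DateGreaterThan": {"aws:CurrentTime": "2024-06-01T00:00:00Z"},
            "DateLessThan": {"aws:CurrentTime": "2024-06-08T00:00:00Z"},
        },
    }],
}

def _parse_time(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def _conditions_match(conditions, source_ip, now):
    # Only the IP and time condition keys are modelled; anything else fails closed.
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            if operator == "IpAddress" and key == "aws:SourceIp":
                ip = ipaddress.ip_address(source_ip)
                if not any(ip in ipaddress.ip_network(net) for net in expected):
                    return False
            elif operator in ("DateGreaterThan", "DateLessThan") and key == "aws:CurrentTime":
                bound = _parse_time(expected)
                if not (now > bound if operator == "DateGreaterThan" else now < bound):
                    return False
            else:
                return False
    return True

def is_allowed(action, resource, source_ip, now_iso, policy=POLICY):
    # Simplified decision model: implicit deny; an explicit Deny beats any Allow.
    now, decision = _parse_time(now_iso), False
    for stmt in policy["Statement"]:
        if not (any(fnmatch.fnmatch(action, a) for a in stmt["Action"])
                and any(fnmatch.fnmatch(resource, r) for r in stmt["Resource"])):
            continue
        if not _conditions_match(stmt.get("Condition", {}), source_ip, now):
            continue
        if stmt["Effect"] == "Deny":
            return False
        decision = True
    return decision
```

A request from the office range inside the window is allowed; the same request from another address, outside the window, for another action, or with an added Deny statement is refused.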

  • IAM works with the following types of users:
    • root user – has full privileges in the account (comparable to root on Linux or Administrator on Windows). Best practice is to use the root user only to create your first IAM user and then to securely lock away the root user credentials.
    • IAM users – created for individual people or for applications. IAM users can be created by principals with IAM administrative privileges at any time through the AWS Management Console, CLI, or SDKs. There is no expiration period for IAM users; they are permanent entities that exist until an IAM administrator takes an action to delete them.
    • roles/temporary security tokens – issued to a user for a limited duration by the AWS Security Token Service (STS), so that the user can access AWS Cloud services only for the assigned time. The lifetime of a temporary security token ranges from 15 minutes to 36 hours.

  • Roles and temporary security tokens enable a number of use cases:
    1. Amazon EC2 roles – granting permissions to applications running on an Amazon EC2 instance.
    2. Cross-account access – granting permissions to users from other AWS accounts, whether you control those accounts or not.
    3. Federation – granting permissions to users authenticated by a trusted external system.
