AWS IAM (Identity and Access Management) Introduction

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Umm... okay?

So what this means, essentially, is that with IAM you can authorize certain users to access a given AWS service or resource. Imagine you're using two AWS services: an EC2 server (for running your web application) and S3 (for storing files). You might want to give a marketing employee access to the files (and hence to S3). But of course, the marketing employee has no reason to access the web server. With IAM you can create a user account and give it access only to S3.

And it gets even more granular. S3 stores files in something called buckets. You can even decide to give the user access to one bucket and deny access to another.

But wait, there’s more!

IAM also provides Identity Federation, which allows users to log in using social media accounts like Facebook, LinkedIn, etc.

It also gives you the option to use Multi-Factor Authentication (MFA), i.e. add an additional verification step like a one-time password (OTP).

Heck, you can even give a user access to a resource temporarily! Cool, eh?

What? You want more security? Sure thing. Add a password rotation policy so the users have to change their passwords after every few days/months.

Also, the security provided is PCI DSS compliant. According to a Google search, PCI DSS stands for "Payment Card Industry Data Security Standard." I guess that speaks for itself.

Now, of course, you're not going to manually assign the same policies to each user. There are groups for that. Create a group and attach as many users to it as you want. And when an AWS service wants access to another AWS service, you guessed it, that's possible too! Just create a role, attach it, and grant access to that resource. Easy as 1, 2, 3!

One last keyword to remember: policies. Access to resources is granted by creating what are called policies. A policy is simply a key-value document (JSON) that defines what level of access is given to which resource. E.g. if you have a bucket called profile-pictures, you can say that you want to give access to the profile-pictures bucket in S3, and hence all other buckets remain off-limits to that user.
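As an added illustration (not from the original post), here is what that profile-pictures policy looks like as an IAM JSON document, wrapped in a small, deliberately simplified evaluator so you can see that every other bucket stays implicitly denied. The bucket name comes from the paragraph above; the statement IDs and the web-server-logs bucket are made up, and the evaluator models only Allow/Deny with wildcards, not conditions or resource-based policies.

```python
import fnmatch
import json

# Constructed example policy: the marketing user may list and read objects in
# the profile-pictures bucket only. Every other bucket stays implicitly denied.
PROFILE_PICTURES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListProfilePicturesBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::profile-pictures",
        },
        {
            "Sid": "ReadProfilePictures",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::profile-pictures/*",
        },
    ],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, then Allow, else implicit deny.

    Matches Action and Resource with IAM-style '*' / '?' wildcards (case-sensitive
    here, unlike real IAM action matching). Conditions, NotAction/NotResource and
    resource-based policies are deliberately not modelled (assumption of this demo).
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny always wins
        allowed = True    # remember the Allow, but keep scanning for a Deny
    return allowed


if __name__ == "__main__":
    print(json.dumps(PROFILE_PICTURES_POLICY, indent=2))
    print(is_allowed(PROFILE_PICTURES_POLICY, "s3:GetObject", "arn:aws:s3:::profile-pictures/alice.png"))
    print(is_allowed(PROFILE_PICTURES_POLICY, "s3:GetObject", "arn:aws:s3:::web-server-logs/2024.log"))
```

The dict literal is the exact shape you would paste into the IAM console as a policy document; the evaluator is only there to show why the web-server-logs bucket comes back as denied without any Deny statement.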

Alright, enough is enough. Let’s do the Lab!