In this AWS Cloud tutorial, we explain in detail why an AWS Cloud Engineer must know IAM and why you should use it.
What is IAM and why should you use it?
- IAM (Identity and Access Management) is a web service that secures your AWS account: it handles authentication and gives you control over who can access your environment.
- In simple terms, it controls who can access your AWS environment.
- It also controls what a user can do once they log in to the AWS account.
- It is a global AWS service, meaning it is not tied to a specific region.
Benefits of using IAM
- With IAM you can give shared access to your AWS account.
- Granular, API-level permissions
e.g. if you want to allow a user only read-only or some other limited permission
- Central control of your AWS account
- Identity Federation
e.g. Facebook, Active Directory, Google. The user first authenticates with FB, AD, Google or another identity provider, and only after they have been authenticated can they actually use your services.
- IAM can also issue temporary credentials to users and applications.
- Multi-factor Authentication
- IAM is integrated with many AWS services
e.g. EC2, Lambda, DynamoDB etc.
Here you can specify granular permissions for each service.
- PCI DSS compliance for card payments
- Free to use; you are charged only for the resources you use.
What are the AWS IAM components?
- Users, groups, roles, and policies and permissions, described below.
Users
- Users are the people who use your AWS account.
- Programmatic access and console access credentials
- Best practice: use an IAM user instead of the root credentials.
- You can use pre-existing policy templates to assign permissions.
- By default, a newly created user has no permissions.
Groups
- A group assigns the same permissions to a set of users automatically.
Roles
- A role specifies what a resource is allowed to do with other resources.
e.g. if you want an EC2 instance to be able to write to a DynamoDB table, you create a role for the EC2 instance and specify that it is allowed to write to the table.
- Best practice: never store credentials on an instance; use IAM roles instead.
- Users can also assume a role to gain temporary access (e.g. using FB credentials via identity federation).
Policies
- Policies are documents that specify a set of one or more permissions.
- They are written in JSON, which is a key-value document format.
There are 2 types of IAM policies:
- User Policies
- Resource Policies
- One pre-existing policy template allows full access to AWS services and resources but does not allow the management of users and groups.
- Another provides full access to all AWS services and resources.
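To make the role example and the policy section concrete, here is an added illustration (not the tutorial's own code, and not AWS's implementation) of how an identity-based JSON policy is evaluated: an explicit Deny always wins, any matching Allow grants the request, and with no matching statement the request is implicitly denied, which is why a newly created user can do nothing. The account id, table names and policy contents are constructed examples.

```python
import fnmatch
import json

# Constructed identity policy for an EC2 role that may only write to one
# DynamoDB table (the account id and table name are hypothetical).
ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
    {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"}
  ]
}""")

# Constructed "full access" policy, in the spirit of the pre-existing templates.
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
OTHER = "arn:aws:dynamodb:us-east-1:123456789012:table/Customers"


def _matches(pattern, value, fold_case):
    """Match a policy element (string or list) using IAM-style '*' and '?'
    wildcards. Action names are case-insensitive; resource ARNs are not."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Evaluate identity-based policies for one request (simplified: no
    Condition, NotAction/NotResource or resource-based policies)."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, True)
                    and _matches(stmt["Resource"], resource, False)):
                continue
            if stmt["Effect"] == "Deny":
                return False        # an explicit Deny always wins
            allowed = True          # remember the Allow, keep looking for a Deny
    return allowed                  # nothing matched: implicit deny
```

Passing an empty policy list models a freshly created user, and combining ADMIN_POLICY with ROLE_POLICY shows the explicit Deny overriding full access.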