What is IAM in AWS?
Identity and Access Management, a.k.a. IAM, is an AWS global service used to manage -
- Users
- Groups
- Roles
- API Keys
- IAM Access Policies
and it provides access and permissions to AWS resources — AWS EC2, S3, etc. As the name suggests, it manages the ‘identity’ or Authentication part of your users and the ‘access management’ or Authorization part of the resources and services available in your account.
AWS provides a dedicated dashboard for the IAM service.
Note that the top right corner of the dashboard says Global, i.e. a user/group/role you create applies to all regions in your account.
To create a user, click on Users link in the left side tree of the dashboard.
This will open up the Users page and you can add a user by clicking Add users button and adding details.
By default, any new IAM user is created with NO access to any AWS services (an implicit deny).
It is always a best practice to follow the concept of Grant Least Privilege — grant only a defined set of permissions necessary for an entity to perform its designated task.
IAM Policies: A policy is a document that formally states one or more permissions. For example, IAM provides some pre-built policy templates to assign to users and groups:
- Administrator access: Full access to AWS resources.
- Power user access: Admin access except it doesn’t allow user/group management.
- Read only access: As the name suggests, the user can only view AWS resources.
The default is an implicit deny, and an explicit deny in any policy overrides any explicit allow.
You can take a look at some of the policies by navigating to the Policies page in the IAM dashboard.
For example, the AWS-managed Administrator access policy has the following JSON body -
We can create our own custom policy using a policy generator -
or writing it from scratch -
Here is one sample policy that denies access to all resources for an EC2 instance -
Some of the key points of policies in general are -
- More than one policy can be attached to a user or group at the same time
- A policy cannot be directly attached to an AWS resource (e.g. an EC2 instance)
- There is a really nice tool https://policysim.aws.amazon.com which we can use to test and troubleshoot IAM and resource-based policies.
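To make the evaluation rules above concrete (implicit deny by default, several policies attached at once, explicit Deny beating any Allow), here is an added example that is not part of the original post: a small Python simulator of identity-policy evaluation. It is deliberately simplified (no Condition, NotAction, permissions boundaries or SCPs), and the policies, bucket name and account id are constructed sample values.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def _any_match(patterns, value, fold_case):
    # IAM wildcards are "*" and "?"; action names are case-insensitive,
    # resource ARNs are compared as written.
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    return (_any_match(_as_list(stmt.get("Action", [])), action, True)
            and _any_match(_as_list(stmt.get("Resource", [])), resource, False))

def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request
    against every identity policy attached to the principal."""
    decision = "implicit_deny"            # nothing matched yet: default deny
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"    # a matching Deny always wins
            decision = "allow"            # remember, but keep scanning for a Deny
    return decision

# Constructed sample policies, same shape as the AWS-managed ones.
ADMIN_ACCESS = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DENY_EC2 = {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}
READ_S3 = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                          "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    admin = [ADMIN_ACCESS, DENY_EC2]      # two policies attached to one user
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(admin, "ec2:StartInstances", inst))   # explicit_deny
    print(evaluate(admin, "s3:GetObject", obj))          # allow
    print(evaluate([READ_S3], "s3:PutObject", obj))      # implicit_deny
    print(evaluate([], "s3:GetObject", obj))             # implicit_deny
```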
Thanks for reading.