Get to Know AWS Identity and Access Management
Learning Objectives
After completing this unit, you will be able to:
- Explain the purpose of AWS Identity and Access Management (IAM).
- Explain the features of IAM.
Before you complete this module, make sure you complete Security in AWS Cloud. The work you do here builds on the concepts you learn in there.
In Security in AWS Cloud, you set up an AWS account and protected your AWS root user with multi-factor authentication (MFA). You’re following AWS best practices, but you can’t help but feel that you’ve steered away from your goal of building a cat photo sharing application and you’re now asking yourself:
- If I shouldn’t use my AWS root user to build and manage my AWS resources for my application, what identity should I use instead?
- If I have other users, such as developers, security experts, and additional admins, who will be helping me build my application, how can I give them access to my account without sharing credentials?
IAM solves both of these problems.
What Is IAM?
IAM is a web service that enables you to manage access to your AWS account and resources. It also provides a centralized view of who and what can sign in to your AWS account (authentication), and what each of those identities is permitted to do with your AWS resources (authorization).
With IAM, you can share access to an AWS account and its resources without sharing your own password or access keys. You can also grant fine-grained access to the people and services working in your account, so that each one has permission only for the resources it needs (the principle of least privilege). For example, to give a user read-only access to a particular AWS service, you select exactly which actions (such as read and list operations) and which resources in that service the user can reach; any action or resource you do not explicitly allow is denied by default.
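To make the "granular actions and resources" idea concrete, here is an added example (not code from AWS or from this module) that models how IAM decides a request: everything is denied by default, an explicit Allow whose Action and Resource both match grants the request, and an explicit Deny overrides any Allow. The bucket name, account ID and policy names are made up for the example, and the evaluator is a deliberate simplification; real IAM also evaluates conditions, NotAction/NotResource, resource-based policies, permission boundaries and service control policies, none of which are modelled here.

```python
"""Simplified model of IAM identity-based policy evaluation.

Added example for this unit, not AWS code. It models only the core rules:
default deny, explicit Allow on a matching Action and Resource, and explicit
Deny overriding any Allow. Conditions, NotAction/NotResource, resource-based
policies, permission boundaries and SCPs are deliberately left out.
"""
import fnmatch

# Constructed sample policies. The bucket name and account ID are made up.
# Least-privilege policy: list one bucket and read objects in it, nothing else.
READ_ONLY_PHOTOS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListPhotoBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::cat-photos-example"},
        {"Sid": "ReadPhotoObjects", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:GetObjectVersion"],
         "Resource": "arn:aws:s3:::cat-photos-example/*"},
    ],
}

# Overly broad alternative: every S3 action on every bucket in the account.
FULL_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Guard-rail policy: an explicit Deny wins even when another policy allows.
DENY_S3_DELETES_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny",
                   "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
                   "Resource": "*"}],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request.

    Action names are case-insensitive in IAM; resource ARNs are compared as-is.
    """
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (_matches_any(actions, action.lower())
            and _matches_any(resources, resource))


def is_allowed(policies, action, resource):
    """Evaluate one request against every attached policy.

    Returns True only when at least one statement explicitly allows the
    action on the resource and no statement explicitly denies it.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny: stop immediately
            allowed = True
    return allowed  # False here is the implicit (default) deny


def evaluate_requests(policies, requests):
    """Return {(action, resource): decision} for a batch of (action, resource)."""
    return {(a, r): is_allowed(policies, a, r) for a, r in requests}


if __name__ == "__main__":
    photo = "arn:aws:s3:::cat-photos-example/tabby.jpg"
    requests = [
        ("s3:GetObject", photo),
        ("s3:PutObject", photo),
        ("s3:DeleteObject", photo),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
        ("iam:CreateUser", "arn:aws:iam::123456789012:user/mallory"),
    ]
    for label, policies in [
        ("read-only photos", [READ_ONLY_PHOTOS_POLICY]),
        ("full S3", [FULL_S3_POLICY]),
        ("full S3 + deny deletes", [FULL_S3_POLICY, DENY_S3_DELETES_POLICY]),
    ]:
        print(f"-- {label}")
        for (action, resource), ok in evaluate_requests(policies, requests).items():
            print(f"   {'ALLOW' if ok else 'DENY ':5} {action} on {resource}")
```

Running the block shows the read-only policy allowing only the two read paths into the one bucket, the full-S3 policy allowing deletes but still denying the unrelated iam:CreateUser call, and the Deny policy blocking deletes even though the full-S3 policy allows them. To check a real policy against the actual IAM engine rather than this model, use the IAM policy simulator (`aws iam simulate-custom-policy` or `aws iam simulate-principal-policy` in the AWS CLI).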
Get to Know the IAM Features
To help you control access and manage identities within your AWS account, IAM offers the following features.
- IAM is a global service, not a Regional one: users, groups, roles, and policies are the same in every Region, so you can view and manage your IAM configuration from any Region in the AWS Management Console.
- IAM is integrated with many AWS services by default.
- You can set an account password policy in IAM that specifies complexity requirements (such as minimum length and required character types) and a mandatory rotation period for IAM users' console passwords.
- IAM supports MFA for IAM users as well as for the root user.
- IAM supports identity federation, which allows users who already have passwords elsewhere—for example, in your corporate network or with an internet identity provider—to get temporary access to your AWS account.
- Any AWS customer can use IAM; the service is offered at no additional charge.
IAM Wrap Up
In the beginning of the unit, you had two questions.
- If I shouldn’t use my AWS root user to build and manage my AWS resources for my application, what identity should I use instead?
- If I have other users, such as developers, security experts, and additional admins, who will be helping me build my application, how can I give them access to my account without sharing credentials?
IAM governs all authentication and authorization processes across an entire AWS account. You can use IAM to solve both of these problems, but you still need specific details on how. In the next unit, you learn how you can solve these issues with IAM users and groups.