IAM (Identity and Access Management) in AWS is a service that helps you securely control access to AWS resources. It lets you manage users, groups, roles and permissions so that the right people and services have the appropriate level of access.
We can create up to 5000 users per account (default limit)
We can create up to 300 groups per account (default limit)
We can create up to 1000 roles per account (default limit)
• Users
We have two categories of users: the root user and IAM users
root -> Global admin -> IAM users
The root user has full access. It creates the global admin.
The global admin has full access like the root user, but it is itself an IAM user. It creates the other IAM users.
IAM users have limited access.
Things to remember: Don't use the root user for everyday access/activity.
Don't share the root credentials with anyone.
Create an IAM user for yourself and assign that user administrative permissions for your account.
You can then sign in as that user to add more users as needed.
An IAM user cannot delete the root user.
Shared access to your AWS account -> We can give others access by creating IAM users, without sharing our own credentials
Granular permissions -> The root user can assign specific permissions like upload, delete, read or write to IAM users
- e.g. EC2 read, EC2 full access, S3 bucket full access
- Secure access to AWS resources for applications that run on EC2.
  Users cannot access the data directly, but the EC2 instance can fetch it.
• Steps to create an IAM user
- IAM - Users - Create user
- Give the user name - Next
- Select "I want to create an IAM user" - Custom password
- Give the password
- Add the user to a group - Next
- Download the .csv file
- The CSV file contains the credentials of the created user
- Check the created IAM users under Users
Add user to group
To add an IAM user to a specific group, follow the steps below:
IAM - User groups - Create user group - give a name
- Select the users to add to the group
- Give permissions to the group, e.g. admin/read/write
When you give administrator access to a user, it becomes a global admin
- Created groups are listed under User groups
• AD (Active Directory) - A directory service developed by Microsoft that provides centralized management of network resources, users and computers.
IAM Terms -
A principal makes a request for authentication
- Principal - User, role, federated user or application
Federated user - Users from other organisations and domains who are allowed to log in are called federated users.
For example, "Login with Google": here company xyz allows Google users to log in.
Request - The principal makes a request for authentication
Authentication - Login with username and password
Authorization - Permission to perform any work/action
Action/Operation - Delete, create or modify
Resource - The thing on which actions are performed,
e.g., EC2, VPC, S3
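How these terms fit together in an authorization decision, as an added example (not from the notes and not AWS code): a small Python evaluator that applies the core rule AWS uses for identity-based policies, an explicit Deny wins over any Allow, and without a matching Allow the request is implicitly denied. The three policy documents, the bucket names and the account id in it are constructed sample data, and the evaluator models only Effect, Action and Resource (no Condition keys, resource policies, SCPs or permission boundaries).

```python
"""Simplified IAM authorization decision (added example, not AWS code).

A principal sends a request to perform an action on a resource; the policies
attached to that principal decide whether it is authorized. Rule implemented:
explicit Deny always wins, otherwise any matching Allow grants access,
otherwise the request is implicitly denied.
"""
import fnmatch

# Constructed sample policies in the spirit of the notes' examples
# ("EC2 read", "S3 bucket full access"), plus an explicit deny that protects
# one bucket's objects from modification. Bucket names are made up.
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}

DENY_AUDIT_BUCKET_WRITES = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": ["s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::audit-logs-example/*",
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names match case-insensitively; '*' and '?' are wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    """Resource ARNs match case-sensitively with the same wildcards."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    policies: policy documents attached to the principal
    action:   e.g. 's3:PutObject'
    resource: ARN the action targets ('*' for account-wide list calls)
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # one matching Deny ends evaluation
            if stmt["Effect"] == "Allow":
                allowed = True          # keep scanning: a later Deny still wins
    return "Allow" if allowed else "ImplicitDeny"


def demo():
    """Decisions for a principal holding all three constructed policies."""
    attached = [EC2_READ_ONLY, S3_FULL_ACCESS, DENY_AUDIT_BUCKET_WRITES]
    requests = [  # constructed account id and instance id below
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "arn:aws:ec2:eu-west-1:123456789012:instance/i-example"),
        ("s3:GetObject", "arn:aws:s3:::audit-logs-example/2024/app.log"),
        ("s3:PutObject", "arn:aws:s3:::audit-logs-example/2024/app.log"),
        ("s3:PutObject", "arn:aws:s3:::scratch-example/tmp.txt"),
    ]
    return {f"{a} on {r}": evaluate(attached, a, r) for a, r in requests}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{decision:12} {request}")
```

The point to take from the demo is the second and fourth request: S3 full access does not let the principal overwrite the audit bucket because the Deny statement is matched in the same evaluation, and EC2 read access grants nothing that is not an ec2:Describe* call.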
IAM delegation -
Delegation is granting someone permission to access resources that you control.
Delegation involves setting up a trust between the account that owns the resources (the trusting account) and the account that contains the users who need to access the resources (the trusted account).
To delegate permission to access a resource, you create an IAM role that has two policies attached:
The trust policy
The permission policy
Permission - e.g. an S3 bucket has permissions for put/download/create/versioning; EC2 has permissions for read/create/delete
Policy - A set of permissions -> S3 full access, EC2 full access
Role - A policy is assigned to a role
Principal - A role is assigned to a principal
• Role and Policy
To create a role, follow the steps below:
- IAM - Roles - Create role
- Select the trusted entity type as required. Here AWS service is selected
- Add EC2 as the service
- Give permissions - S3 full access
- You can access an S3 bucket from your EC2 instance in two ways:
  With an access key and secret key
  By assigning a role to the EC2 machine
Create an EC2 instance and connect to it from your local machine
With access key and secret key
- Run aws configure and enter the key and secret, then check access with aws s3 ls
Without access key and secret key
- Create role
- Select service
- Add EC2 as the service
- Give admin permission to EC2
- Add role name and description
- Roles - Add admin full access - Save
Now attach the role to EC2
Select EC2 - Actions - Security - Modify IAM role
- Choose the IAM role
- Add admin full access - Save
Now test on the console - aws s3 ls
Create an S3 bucket and an EC2 instance for practice
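The two policies the delegation section names, built in Python for the EC2 role created in the steps above, as an added example rather than console output or AWS sample code. ec2_trust_policy() corresponds to the trust policy for the "AWS service -> EC2" role type; cross_account_trust_policy() shows the trusting/trusted account form of delegation; s3_single_bucket_policy() is a least-privilege alternative to the S3 full access chosen in the steps; check_trust_policy() is a review helper written here. The bucket name, the 12-digit account id and the external id are constructed placeholders.

```python
"""Trust policy and permission policy for an IAM role (added example).

Builds the two documents a role carries: the trust policy (who may assume
the role) and the permission policy (what the role may do). Not AWS
documentation or console output; names and ids are constructed.
"""
import json

POLICY_VERSION = "2012-10-17"


def ec2_trust_policy():
    """Trust policy for the 'AWS service -> EC2' role type chosen above.

    Only the EC2 service principal may call sts:AssumeRole, so an instance
    launched with this role receives short-lived credentials and no access
    key has to be stored on the machine.
    """
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def cross_account_trust_policy(trusted_account_id, external_id=None):
    """Trust policy for delegation between two accounts.

    The trusting account (resource owner) creates the role with this document;
    principals in the trusted account can then assume it. When the trusted
    account belongs to a third party, the sts:ExternalId condition stops an
    unrelated customer of that party from assuming the role.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def s3_full_access_policy():
    """Permission policy equivalent to the 'S3 full access' chosen above."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
    }


def s3_single_bucket_policy(bucket, read_only=True):
    """Least-privilege alternative: one bucket, read (optionally write) only.

    Listing applies to the bucket ARN, object actions to bucket/*; they are
    different resources and need separate statements.
    """
    object_actions = ["s3:GetObject"]
    if not read_only:
        object_actions += ["s3:PutObject", "s3:DeleteObject"]
    return {
        "Version": POLICY_VERSION,
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": object_actions,
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def check_trust_policy(doc):
    """Review checks before attaching a trust policy; returns a list of findings.

    Each statement must allow only sts:AssumeRole* (plus the session-tagging
    actions), must name a Principal, and must not trust the wildcard '*'.
    """
    findings = []
    for i, stmt in enumerate(doc.get("Statement", [])):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        bad = [a for a in actions if not (a.startswith("sts:AssumeRole")
                                          or a in ("sts:TagSession", "sts:SetSourceIdentity"))]
        if bad:
            findings.append(f"statement {i}: non-AssumeRole action(s) in trust policy: {bad}")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"statement {i}: missing Principal")
        elif principal == "*" or (isinstance(principal, dict) and any(
                v == "*" or (isinstance(v, list) and "*" in v) for v in principal.values())):
            findings.append(f"statement {i}: wildcard Principal trusts every AWS account")
    return findings


def role_documents(bucket):
    """JSON strings for the CLI (--assume-role-policy-document / --policy-document)."""
    return {
        "trust": json.dumps(ec2_trust_policy(), indent=2),
        "permissions": json.dumps(s3_single_bucket_policy(bucket), indent=2),
    }


if __name__ == "__main__":
    docs = role_documents("my-app-data-example")   # constructed bucket name
    print(docs["trust"])
    print(docs["permissions"])
    print("findings:", check_trust_policy(ec2_trust_policy()))
```

To use the documents from the CLI, write each one to a file and pass it with `aws iam create-role --assume-role-policy-document file://trust.json` and `aws iam put-role-policy --policy-document file://permissions.json` (together with the role and policy names); attaching the role to the instance under Actions - Security - Modify IAM role is what lets `aws s3 ls` on the instance succeed without running `aws configure`.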
Console full access → the AWS web console UI, when you log in through the AWS website
Programmatic full access → log in through an access key and secret key on the CLI