IAM (Identity and Access Management)
💡 Definition
AWS IAM is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
🔑 Key Concepts
- User: An entity that represents a person or service (has long-term credentials).
- Group: A collection of users. Attaching a policy to a group grants the same permissions to all of its members at once.
- Role: An identity intended to be assumed by whoever needs it (e.g., an EC2 instance or a mobile app user). Provides temporary credentials instead of long-term ones.
- Policy: A document (usually JSON) that defines permissions (Allow/Deny actions).
- Root User: The first identity created with the account. Has complete access.
⚙️ How it Works
- Create Users/Groups: Define identities for your team.
- Attach Policies: Assign JSON policies to Users, Groups, or Roles.
- Authentication: Users sign in via Console (password) or CLI (Access Keys).
- Authorization: AWS checks the policy to see if the request is Allowed.
🎯 Use Cases
- Granular Access Control: Give specific permissions (e.g., Read-Only access to specific S3 buckets).
- Multi-Factor Authentication (MFA): Add an extra layer of security.
- Federated Access: Allow users to log in with existing corporate credentials (SSO).
💰 Pricing Model
- Free: AWS IAM is a feature of your AWS account offered at no additional charge. You are charged only for the use of other AWS services by your users.
📝 Exam Tips (CLF-C02)
- Global Service: IAM is global; users/roles are not tied to a specific Region.
- Root User Best Practice: Secure with MFA, delete access keys, and do not use for daily tasks.
- Principle of Least Privilege: Grant only the permissions required to perform a task.
- Credential Report: Used to audit the status of credentials (passwords, MFA, access keys) for all users.
See Also:
- Security Group
- NACL