Security, Identity, & Compliance

AWS IAM

"Securely manage identities and access to AWS services and resources."

What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. It is the core security service of AWS.

Key Concepts

1. Identities

  • IAM User: An entity that represents a person or service that interacts with AWS. It holds long-term credentials (a password and/or access keys).
  • IAM Group: A collection of users. Permissions attached to a group apply to every user in that group. This is the best practice for managing permissions at scale.
  • IAM Role: An identity with specific permissions that can be assumed by any principal its trust policy allows. Assuming a role yields temporary security credentials. Roles are used by AWS services (e.g., EC2, Lambda) and for cross-account access.

2. Policies

  • JSON documents that define permissions (Allow/Deny actions on Resources).
  • Least Privilege: Always grant only the permissions needed to perform a task.

3. Root User

  • The email address used to create the AWS account.
  • Has complete, unrestricted access.
  • Best Practice: Do NOT use the root user for everyday tasks. Create an IAM user with Admin permissions instead. Secure root with MFA.

4. MFA (Multi-Factor Authentication)

  • Adds an extra layer of protection: a password plus a one-time code from a security token or authenticator device.
  • Should be enabled for the Root User and for all other users.

Exam Tips

[!IMPORTANT] IAM is a Global Service. It is not tied to a specific region: Users, Groups, and Roles are global.

[!WARNING] Never share your Root User credentials. Enable MFA on Root immediately.

[!NOTE] Authentication = Who you are. Authorization = What you can do.

Common Use Cases

  • Centralized Access Control: Manage all user access from one place.
  • Shared Access: Grant permissions to other users without sharing passwords.
  • Granular Permissions: Allow a user to read from a specific S3 bucket but not write to it.
  • Identity Federation: Allow users to log in with their corporate credentials (Active Directory) or social providers (Google/Facebook).
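The Policies section above and the "Granular Permissions" use case (read from one S3 bucket, no writes) can be shown concretely with a small model of how IAM evaluates a policy. This is an added example, not code from the page or from AWS: it implements only the core rule (explicit Deny wins, then any matching Allow, otherwise implicit deny) and leaves out Conditions, NotAction/NotResource and multi-policy merging; the bucket name is a constructed sample.

```python
import fnmatch
import json

# Constructed sample identity policy: read-only access to one bucket.
# Note the two different ARN shapes: listing applies to the bucket ARN,
# object reads/writes apply to the object ARN (bucket/*).
READ_ONLY_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": ["s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive in IAM; ARNs are compared as-is.
    if case_insensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy_json, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request.

    Simplified evaluation order: an explicit Deny in any matching statement
    wins; otherwise any matching Allow grants access; otherwise the default
    is an implicit deny (least privilege: nothing is allowed until stated).
    """
    policy = json.loads(policy_json)
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not _matches(_as_list(stmt["Action"]), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit Deny overrides every Allow
        decision = "Allow"         # remember the Allow, keep scanning for a Deny
    return decision
```

Run `evaluate(READ_ONLY_BUCKET_POLICY, "s3:PutObject", "arn:aws:s3:::example-bucket/report.csv")` to see the explicit Deny win over nothing-else-matching, and try a different bucket ARN to see the implicit deny that least privilege relies on.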