IAM (Identity and Access Management) in AWS

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. 

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

IAM is a feature of your AWS account offered at no additional charge.

When you first create an AWS account, you need a single sign-in identity to access all AWS services. This identity is called the AWS account root user. You can access it by signing in with the email ID and password that you used to create the account. 

AWS IAM helps in performing the following tasks:

It is used to set users, permissions and roles. It allows you to grant access to the different parts of the AWS platform 

Also, it enables Amazon Web Services customers to manage users and user permissions in AWS 

With IAM, Organizations can centrally manage users, security credentials such as access keys, and permissions

IAM enables the organization to create multiple users, each with its own security credentials, controlled and billed to a single AWS account

IAM allows the user to do only what they need to do as a part of the user’s job

Shared access to your AWS account: You can grant other people permission to administer and use resources in your AWS account without having to share your password or access key.

Granular permissions: You can grant different permissions to different people for different resources.

Secure access to AWS resources: You can use IAM features to securely provide credentials for applications that run on EC2 instances. These credentials provide permissions for your application to access other AWS resources.

Multi-factor authentication (MFA): You can add two-factor authentication to your account and to individual users for extra security.

Identity federation: You can allow users who already have passwords elsewhere

Identity information for assurance: You receive log records that include information about those who made requests for resources which is based on IAM identities.

PCI DSS Compliance: IAM supports the processing, storage, and transmission of credit card data by a merchant or service provider, and has been validated as being compliant with Payment Card Industry (PCI) Data Security Standard (DSS).

Integrated with many AWS services: There are a number of AWS services that work with IAM.

Eventually Consistent: IAM achieves high availability by replicating data across multiple servers within Amazon’s data centers around the world. The change is committed and safely stored when you request for some modification.

Free to use: When you access other AWS services using your IAM users or AWS STS temporary security credentials, only then you will be charged.

Users – Create individual users.

Groups – Manage permissions with groups.

Permissions – Grant least privilege.

Auditing – Turn on AWS CloudTrail.

Password – Configure a strong password policy.

MFA – Enable MFA for privileged users.

Roles – Use IAM roles for Amazon EC2 instances.

Sharing – Use IAM roles to share access.

Rotate – Rotate security credentials regularly.

Conditions – Restrict privileged access further with conditions.

Root – Reduce or remove use of root.