Identity and Access Management (IAM)
Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS.
In simple words, this service lets a single AWS account be shared by multiple users or systems, each with its own identity and permissions, so that they can use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console.
Why do we need IAM?
With IAM, we can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources each user can access. These permissions are granted as policies when the user is created and can be changed later.
Without IAM, organizations with multiple users and systems must either create multiple AWS accounts, each with its own billing and subscriptions to AWS products, or have all employees share the security credentials of a single (root) AWS account.
What are Users?
In AWS, we have two types of users. The first is the root user (the identity that created the AWS account), and the second is any user other than the root user within that account, known as an IAM user.
Create IAM users when you want to grant other people access to your AWS account without sharing your own login credentials.
How to create an IAM User in AWS:
Step 1: Log in to your AWS account, go to Services and search for IAM in the service search bar.
Step 2: Click on IAM. You will get the screen below. Select Users in the left panel.
Step 3: Click on Add users.
Step 4: Provide the required information, such as the user name and access type. For this demo, choose the access type AWS Management Console access.
Step 5: Attach policies from the list of existing policies. We have selected the EC2 read-only policy here, which means this particular user is granted only read-only permission on EC2.
Step 6: After clicking Next: Tags, you can optionally give a name or tag to your IAM user.
Step 7: Review your user creation and click Create user.
Step 8: Download the credentials.csv file.
Step 9: Open the credentials.csv file, copy the console sign-in URL into your browser, and enter the username and password from the same file.
Step 10: Reset your password, since at user-creation time we selected the option that requires a password change at first sign-in.
Step 11: You are now signed in to the AWS Console.
What are Groups
IAM groups (a kind of container) make it easy to manage access for multiple users. We could, for example, create a “servers” group with permissions to spin up EC2 instances and add multiple users to this group; every user in the group can then create EC2 instances. Changes to the group's permissions affect all users who belong to it.
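The following is an added example, not code from the original page, showing how the EC2 read-only policy from Step 5 and a group's policies combine into a user's effective permissions. It is a deliberately simplified model of IAM evaluation: identity-based policies only (the user's own plus those of its groups), with the core rule that an explicit Deny always wins, an Allow is required for anything else, and everything not allowed is implicitly denied. Resource policies, permission boundaries, service control policies and Condition blocks are left out. All policy documents, the user and group names, and the account id 123456789012 are constructed for the example.

```python
"""Simplified model of IAM permission evaluation for users and groups.

Added example, not code from the original page. Only identity-based policies
are modelled; see the lead-in for what is omitted. All documents and names
below are constructed.
"""
import fnmatch


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match ('*' and '?'); action names are case-insensitive."""
    patterns = _as_list(patterns)
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource="*"):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt.get("Action", []), action, case_insensitive=True):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # a matching Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


# Constructed policies. EC2_READ_ONLY mirrors the EC2 part of the managed
# AmazonEC2ReadOnlyAccess policy: only Describe* calls are allowed.
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"}],
}
# What the "servers" group grants: launching and terminating instances.
SERVERS_GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
                   "Resource": "*"}],
}
# Guard rail attached to the same group: never terminate "prod" instances.
DENY_PROD_TERMINATE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "ec2:TerminateInstances",
                   "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-prod*"}],
}

GROUPS = {"servers": {"policies": [SERVERS_GROUP_POLICY, DENY_PROD_TERMINATE]}}
USERS = {
    "demo-user": {"policies": [EC2_READ_ONLY], "groups": []},          # Step 5 user
    "ops-user": {"policies": [EC2_READ_ONLY], "groups": ["servers"]},  # group member
}


def effective_policies(user_name, users=USERS, groups=GROUPS):
    """A user's own policies plus those of every group the user belongs to."""
    user = users[user_name]
    docs = list(user["policies"])
    for group_name in user["groups"]:
        docs.extend(groups[group_name]["policies"])
    return docs


def check(user_name, action, resource="*"):
    """Decision for one user/action/resource triple."""
    return evaluate(effective_policies(user_name), action, resource)


if __name__ == "__main__":
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    prod = "arn:aws:ec2:us-east-1:123456789012:instance/i-prod-db-01"
    for user, action, res in [
        ("demo-user", "ec2:DescribeInstances", "*"),
        ("demo-user", "ec2:TerminateInstances", instance),
        ("ops-user", "ec2:RunInstances", "*"),
        ("ops-user", "ec2:TerminateInstances", instance),
        ("ops-user", "ec2:TerminateInstances", prod),
    ]:
        print(f"{user:10} {action:24} -> {check(user, action, res)}")
```

Running it shows the two effects the text describes: demo-user can describe but not terminate instances, and adding ops-user to the "servers" group grants RunInstances and TerminateInstances, while the group's Deny statement still blocks termination of the "prod" instance. Removing the Deny from the group changes the outcome for every member at once.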
What are Roles
IAM roles are very similar to users in that they hold an AWS identity with permissions. Roles are often used when you want, for example, to grant access to Amazon resources that a user normally does not have.
Another scenario is granting an application access to your Amazon resources without exposing your AWS credentials.
IAM Role Lab:
We are going to create a role that lets the EC2 service use S3 without creating a user.
Step 1: Search for IAM in the AWS service search bar.
Step 2: Click on Roles and then Create role.
Step 3: Choose EC2 as the trusted service, since we are going to assign this role to EC2 instances.
Step 4: Search for S3 and select AmazonS3FullAccess.
Step 5: Enter your role name and click Create role.
Step 6: Now launch a new instance and assign the role created above.
On this EC2 instance you do not need to run aws configure; commands such as aws s3 ls just work (as long as the AWS CLI is installed), because the CLI obtains temporary credentials for the role from the instance metadata service.
This is the better practice: you never place long-lived security credentials on the server (where they could be stolen if the server is compromised), and the role's temporary credentials expire and rotate automatically.
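As an added example (not code from the original page), the block below shows what the console produces in Steps 3 and 4 as policy documents, adds a small checker for the trust policy, and offers a scoped S3 policy as a least-privilege alternative to AmazonS3FullAccess. The trust policy is the standard one generated when EC2 is chosen as the trusted service, and the AmazonS3FullAccess ARN is the real managed-policy ARN; the bucket name, role name and the boto3 calls in create_ec2_role() are illustrative, and nothing here contacts AWS unless that function is called explicitly.

```python
"""Trust policy and permissions for an EC2 instance role, plus a checker.

Added example, not code from the original page. EC2_TRUST_POLICY is the
document the console generates for "EC2" as trusted service; everything
else is constructed for illustration.
"""
import json


def _as_list(value):
    return value if isinstance(value, list) else [value]


# Who may assume the role: only the EC2 service, on behalf of instances that
# carry the matching instance profile.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Managed policy the lab attaches: every S3 action on every bucket.
S3_FULL_ACCESS_ARN = "arn:aws:iam::aws:policy/AmazonS3FullAccess"


def scoped_s3_policy(bucket):
    """Least-privilege alternative: list one bucket and read/write its objects."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
             "Resource": f"{bucket_arn}/*"},
        ],
    }


def trust_policy_findings(doc, expected_service="ec2.amazonaws.com"):
    """Problems in a role trust policy; an empty list means it looks sound."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append("any AWS principal may assume this role")
        if any(a in ("*", "sts:*") for a in _as_list(stmt.get("Action", []))):
            findings.append("wildcard STS action in trust policy")
        services = principal.get("Service") if isinstance(principal, dict) else None
        for svc in (_as_list(services) if services else []):
            if svc != expected_service:
                findings.append(f"unexpected trusted service {svc}")
    return findings


def create_ec2_role(role_name, bucket=None):
    """Create role, permissions and instance profile with boto3 (needs AWS access)."""
    import boto3  # imported here so the rest of the module works offline

    iam = boto3.client("iam")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY))
    if bucket:  # scoped inline policy instead of the broad managed one
        iam.put_role_policy(RoleName=role_name, PolicyName="scoped-s3",
                            PolicyDocument=json.dumps(scoped_s3_policy(bucket)))
    else:
        iam.attach_role_policy(RoleName=role_name, PolicyArn=S3_FULL_ACCESS_ARN)
    # An EC2 instance carries a role through an instance profile; the console
    # creates one with the same name as the role, so we do the same here.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


if __name__ == "__main__":
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    print("findings for lab trust policy:", trust_policy_findings(EC2_TRUST_POLICY))
    open_trust = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Principal": "*",
                                 "Action": "sts:AssumeRole"}]}
    print("findings for an open trust policy:", trust_policy_findings(open_trust))
    print(json.dumps(scoped_s3_policy("example-app-bucket"), indent=2))
```

The checker is useful when reviewing roles later: the trust policy decides who can obtain the role's credentials, so a Principal of "*" or an unexpected service is a bigger problem than an over-broad permissions policy. On the instance itself, the CLI and SDKs fetch the role's short-lived credentials from the instance metadata service, which is why aws configure is never run there; requiring IMDSv2 on the instance keeps that endpoint behind a session token.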