Introduction to AWS IAM — Identity and Access Management

Neal Davis
6 min readJul 22, 2024

--

AWS Identity and Access Management (IAM) is a powerful service that allows users to securely manage access to AWS resources. It is a central component of AWS security, enabling administrators to control who can access what resources and how.

AWS IAM also provides a range of features to help organizations meet security and compliance requirements, such as multi-factor authentication and role-based access control.

This guide explores the key features and benefits of AWS IAM and how it can help businesses improve their security in the cloud.

What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. Think of IAM as the control center for all AWS resources. IAM makes it easy to provide multiple users with secure access to AWS resources.

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This identity is called the AWS account root user and is accessed by signing in with the email address and password that you used to create the account.

Key Features of AWS IAM

  1. Shared Access to Your AWS Account: You can share access without sharing your security credentials.
  2. Granular Permissions: Assign specific permissions to each user.
  3. Secure Access for Applications Running on Amazon EC2: Manage secure access for applications on EC2 instances.
  4. Multi-Factor Authentication: Enhance security with additional verification steps.
  5. Identity Federation: Integrate with external identity providers.
  6. Identity Information for Assurance: Ensure identity information is consistent and trustworthy.
  7. PCI DSS Compliance: Meet Payment Card Industry Data Security Standards.
  8. Integration with AWS Services: Seamlessly integrate with many AWS services.
  9. Eventual Consistency: Changes to IAM are eventually consistent.
  10. Free to Use: IAM is included with your AWS account at no additional charge.

How to Work with AWS IAM

You can work with AWS Identity and Access Management in several ways:

  • AWS Management Console
  • AWS Command Line Tools
  • AWS SDKs
  • IAM HTTPS API

Default User Permissions

By default, new users are created with NO access to any AWS services; they can only log in to the AWS console. Permissions must be explicitly granted to allow a user to access an AWS service.

IAM Users

IAM users are individuals who have been granted access to an AWS account. Each IAM user has three main components:

  1. A username
  2. A password
  3. Permissions to access various resources

IAM users can be assigned individual security credentials such as access keys, passwords, and multi-factor authentication devices. IAM is not used for application-level authentication. Identity Federation (including AD, Facebook, etc.) can be configured to allow secure access to resources in an AWS account without creating an IAM user account.

Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) can be enabled/enforced for the AWS account and for individual users under the account. MFA uses an authentication device that continuously generates random, six-digit, single-use authentication codes. It is a best practice to always set up multi-factor authentication on the root account.

Universal Nature of IAM

IAM is universal (global) and does not apply to regions. IAM replicates data across multiple data centers around the world. The “root account” is the account created when you set up the AWS account. It has complete Admin access and is the only account that has this access by default. It is a best practice to avoid using the root account for anything other than billing.

Temporary Security Credentials

Temporary security credentials consist of the AWS access key ID, secret access key, and security token. IAM can assign temporary security credentials to provide users with temporary access to services/resources.

To sign in, you must provide your account ID or account alias in addition to a username and password. The sign-in URL includes the account ID or account alias, e.g.:

https://My_AWS_Account_ID.signin.aws.amazon.com/console/

Alternatively, you can sign in at the following URL and enter your account ID or alias manually:

https://console.aws.amazon.com/

Authentication Methods

1. Console Password:

  • A password that the user can enter to sign in to interactive sessions such as the AWS Management Console.
  • Users can be allowed to change their own passwords.

2. Access Keys:

  • A combination of an access key ID and a secret access key.
  • Can be used to make programmatic calls to AWS.

3. Server Certificates:

  • SSL/TLS certificates used to authenticate with some AWS services.
  • AWS recommends using the AWS Certificate Manager (ACM) to provision, manage, and deploy server certificates.

User Groups

User groups are collections of users and have policies attached to them. Use groups to assign permissions to users, and follow the principle of least privilege when assigning permissions. Groups cannot be nested.

Roles

Roles are created and then “assumed” by trusted entities and define a set of permissions for making AWS service requests. With IAM Roles, you can delegate permissions to resources for users and services without using permanent credentials (e.g., username and password).

IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls.

Roles with EC2 Instances

IAM roles can be used for granting applications running on EC2 instances permissions to AWS API requests using instance profiles. Only one role can be assigned to an EC2 instance at a time. A role can be assigned at the EC2 instance creation time or at any time afterward.

Role Delegation

Create an IAM role with two policies:

  1. Permissions Policy: Grants the user of the role the required permissions on a resource.
  2. Trust Policy: Specifies the trusted accounts that are allowed to assume the role.

Wildcards (*) cannot be specified as a principal. A permissions policy must also be attached to the user in the trusted account.

Policies

Policies are documents that define permissions and can be applied to users, groups, and roles. Policy documents are written in JSON. All permissions are implicitly denied by default. The most restrictive policy is applied. The IAM policy simulator is a tool to help you understand, test, and validate the effects of access control policies.

Policy Structure

Policies consist of statements written in JSON format. Each statement includes:

  1. Effect: Specifies whether the statement allows or denies access.
  2. Action: Lists the actions that are allowed or denied.
  3. Resource: Specifies the resources to which the actions apply.
  4. Condition: (Optional) Specifies conditions for when the policy is in effect.

Comparing AWS IAM Roles, Policies, and User Groups

In AWS IAM, roles, policies, and user groups are all used to manage access to AWS resources:

  • Roles: Define permissions and access policies. Useful for granting temporary access to third-party entities.
  • Policies: Documents that define permissions for AWS resources. Attached to roles, user groups, or users.
  • User Groups: Collections of users with common permissions. Simplify managing permissions for multiple users.

AWS Security Token Service (AWS STS)

AWS STS is a web service that enables you to request temporary, limited-privilege credentials for IAM users or users that you authenticate (federated users).

Advantages of STS

  1. No need to distribute or embed long-term AWS security credentials.
  2. Provide access without defining an AWS identity.
  3. Temporary security credentials have a limited lifetime.

IAM Best Practices

  1. Lock away the AWS root user access keys.
  2. Create individual IAM users.
  3. Use AWS-defined policies to assign permissions.
  4. Use user groups to assign permissions.
  5. Grant least privilege.
  6. Configure a strong password policy.
  7. Enable MFA.
  8. Use roles for applications on AWS EC2 instances.
  9. Rotate credentials regularly.
  10. Remove unnecessary credentials.
  11. Use policy conditions for extra security.
  12. Monitor activity in your AWS account.

Interaction with IAM in Cloud Jobs

Many roles in the technology industry interact with AWS IAM. Users with Admin access manage users, user groups, and roles.

Developers make calls to AWS services using access keys. Database Admins and System Admins require appropriate roles to access and manipulate AWS resources.

AWS Certifications and IAM

IAM is the building block of AWS and appears in every AWS certification exam. Understanding IAM in depth provides a strong foundation for learning other AWS services.

Conclusion

AWS IAM is essential for managing access and ensuring security within your AWS environment. By understanding and utilizing IAM’s features and best practices, you can enhance your organization’s security posture and efficiently manage access to AWS resources.

Whether you are an administrator, developer, or in another cloud-related role, mastering IAM is crucial for working effectively in AWS.

Take Your Tech Career to the Next Level

On-demand Training — Ace your next cloud certification with our on-demand video courses and practice exams. Learn on your terms, and gain access to our extensive cloud training library with our monthly or yearly plans!

Cloud Mastery Bootcamp — Build job-ready cloud skills and unlock exciting cloud career opportunities with our live training program. Led by experienced instructors, you’ll develop hands-on experience with real-world projects in AWS, Linux, Python, Kubernetes and IaC!

--

--

Neal Davis

Founder of Digital Cloud Training, IT instructor and Cloud Solutions Architect with 20+ year of IT industry experience. Passionate about empowering his students