What is IAM in AWS - Identity and Access Management

Define AWS IAM

AWS IAM (Identity and Access Management) is a web service provided by Amazon that lets you securely control access to AWS resources. IAM controls who is authenticated (allowed to sign in) and who is authorized (has permissions) to use the resources provisioned in the account.

An IAM role can be created with the AWS Management Console, the AWS CLI, the Tools for Windows PowerShell or the IAM API.

If the AWS Management Console is used to create an IAM role, a wizard guides the user through all the steps. The steps in the Console differ slightly from those of the other methods.

AWS IAM identities

IAM identities are created to authenticate the people and processes that work in an AWS account.

IAM root user

When an AWS account is first created, you sign in with a single identity that has access to all AWS services and resources in the account. This identity is known as the 'AWS account root user'. The root user is accessed by signing in with the email address and password that were used when the account was created.

The root user should not be used for everyday tasks, not even administrative ones. It has to be securely locked away and used only for the specific account and service management tasks that require it.

IAM user 

An IAM user is an entity created in the AWS account that represents a person or a service that uses it to interact with AWS. One use of IAM users is to give people the ability to sign in to the AWS Management Console for interactive tasks and to make programmatic requests to other Amazon services through the API or the CLI.

A user has a name, a password used to sign in to the AWS Management Console, and up to 2 access keys that are used with the API or CLI. When an IAM user is created, it can be granted permissions either by making it a member of a group that has the appropriate permission policies attached, or by attaching the policies directly to the user.

Permissions can also be cloned from an existing IAM user, which automatically makes the new user a member of the same groups and attaches the same policies to the user.

IAM group 

An IAM group is a collection of IAM users, created to specify permissions for that collection of users. This makes it easy to manage the permissions of those users: if a permission is assigned to a group, every user in that group automatically has the same permission.

Conclusion 

In this post, we looked at the different identities that exist in IAM.

AWS IAM roles

An IAM role is similar to a user in that it is an identity with permission policies that determine which operations the identity can perform within AWS. A role, however, has no credentials of its own, such as a password or access keys. It can be associated with a user because a role is meant to be assumed by a user for a specific task or when needed. An IAM user can assume a specific role to be granted the specific permissions needed for specific tasks. A role can also be assigned to a federated user who signs in through an external identity provider instead of IAM; AWS uses the details passed by the identity provider to determine which role is mapped to the federated user.

An application that runs on an Amazon Elastic Compute Cloud (EC2) instance and makes requests to AWS: an IAM role can be created and attached to the EC2 instance to provide temporary security credentials to the applications running on that instance. When an application uses these credentials in AWS, it can perform every operation allowed by the policies attached to the role.

An application that runs on a mobile device and makes requests to AWS: an identity provider such as Login with Amazon, Amazon Cognito, Facebook or Google can be used to authenticate users and map them to an IAM role. The application then receives temporary security credentials for that role, carrying the permissions granted by the policies attached to it.
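To make the permission model concrete for both the group section and the role section above, here is an added Python example (not code from the original post or from AWS) that models a simplified version of IAM policy evaluation: a user's effective permissions are the union of its directly attached policies and its groups' policies, an explicit Deny always wins over an Allow, and an assumed role carries only the role's own policies after its trust policy admits the caller. The account ID, ARNs, user, group and role names are constructed sample data, and Principal is flattened to a bare ARN string for brevity.

```python
"""Simplified IAM permission evaluation for users, groups and roles (added example)."""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows Action/Resource/Principal to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True when the statement's Action and Resource patterns (with * wildcards) cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def is_allowed(statements, action, resource):
    """IAM-style decision: an explicit Deny wins, then an Allow, otherwise implicit deny."""
    effects = [s["Effect"] for s in statements if _matches(s, action, resource)]
    if "Deny" in effects:
        return False
    return "Allow" in effects


def effective_statements(user, groups):
    """A user's own policies plus the policies of every group the user belongs to."""
    statements = list(user["policies"])
    for group_name in user["groups"]:
        statements.extend(groups[group_name])
    return statements


def can_assume(role, principal_arn):
    """Trust policy check: only principals listed in the role's trust policy may call sts:AssumeRole."""
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               and principal_arn in _as_list(s["Principal"]) for s in role["trust"])


# Constructed sample data: a fictitious account, one group, one user and one role.
GROUPS = {"developers": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::app-bucket/*"}]}
ALICE = {"arn": "arn:aws:iam::123456789012:user/alice", "groups": ["developers"],
         "policies": [{"Effect": "Deny", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/secrets/*"}]}
DEPLOY_ROLE = {
    "trust": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": ALICE["arn"]}],
    "policies": [{"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::app-bucket/releases/*"}],
}


def user_can(user, action, resource):
    """Decision for a request made with the user's own (long-term) credentials."""
    return is_allowed(effective_statements(user, GROUPS), action, resource)


def assumed_role_can(user, role, action, resource):
    """Decision for a request made with the role's temporary credentials: the user's own permissions do not apply."""
    return can_assume(role, user["arn"]) and is_allowed(role["policies"], action, resource)
```

Note that alice gains s3:Get* through her group but is still denied the secrets/ prefix by her directly attached Deny, and that the assumed role grants s3:PutObject on releases/ without carrying over any of her group permissions.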

Comments

tenzin nyima

Whoever has contributed to this article...I would like to say thank you... it has been of good help to the readers.

alvi

This blog is very helpful and informative, and I really learned a lot from it.

alvi

It is very helpful and very informative, and I really learned a lot from this article.

alvi

Such a very useful article. I would like to thank you for the efforts you made in writing this awesome blog.

Jeanne

Very useful and awesome blog!