What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service provided by Amazon Web Services (AWS) that enables you to securely control access to AWS resources. It helps you manage users and their level of access to the AWS Management Console, as well as various AWS services and resources.

Here's a detailed technical explanation of AWS IAM:

  1. Entities:
    • Users: Represent individuals or entities that interact with AWS resources. Users have associated credentials (username and password or access keys) for authentication.
    • Groups: Collections of users. Policies are attached to groups to grant permissions collectively to all members of the group.
    • Roles: Roles are similar to users but are meant to be assumed by entities such as AWS services, EC2 instances, or applications. Roles define a set of permissions, and entities assume roles to obtain those permissions.
  2. Authentication:
    • IAM supports various authentication methods, including:
      • Username and password: For console access.
      • Access keys: Used for programmatic access via AWS SDKs, CLI, or API.
      • Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring a secondary authentication factor.
  3. Authorization:
    • IAM uses policies to define permissions. A policy is a JSON document that explicitly grants or denies permissions.
    • Policies can be attached to users, groups, or roles. They define what actions are allowed or denied on which resources.
  4. Principle of Least Privilege:
    • IAM is designed around the principle of least privilege: entities (users, groups, roles) should hold only the minimum permissions required to perform their tasks. This enhances security by reducing the attack surface.
  5. Policy Elements:
    • IAM policies consist of key elements:
      • Effect: Specifies whether the policy allows or denies access.
      • Action: Describes the specific action or actions allowed or denied.
      • Resource: Specifies the AWS resource(s) to which the action applies.
      • Condition: Provides optional constraints that specify when the policy is in effect.
  6. Access Control:
    • IAM supports both identity-based and resource-based access control.
      • Identity-based access control: Controls what actions users, groups, and roles can perform.
      • Resource-based access control: Controls who can access the resource and what actions they can perform on it.
  7. Roles and Trust Relationships:
    • Roles are assumed by entities, and trust relationships define who can assume the role.
    • Trust relationships are defined using JSON and specify trusted entities (e.g., an EC2 instance or an AWS service) that can assume the role.
  8. Policy Conditions:
    • IAM policies can include conditions, allowing more fine-grained control over when policies are applied. Conditions are based on factors like time, source IP address, or the presence of MFA.
  9. Audit and Monitoring:
    • AWS CloudTrail records IAM and other AWS API calls, providing an audit trail for security and compliance purposes.
    • Amazon CloudWatch can be used to set up alarms and monitor IAM-related metrics.