IAM User:
IAM is a global service. Using IAM, you can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources.
Each user has a unique name and security credentials (username and password or access keys).
Users are granted permissions through IAM policies.
It provides multiple users with secure access to AWS resources.
IAM Policies:
IAM policies are AWS permission documents that can be attached to a user, group, or role.
You can create and edit a policy in the visual editor or directly as JSON (for example with the AWS Policy Generator).
Policies follow the "Principle of Least Privilege" to grant the minimum necessary permissions.
What is an IAM policy document?
An IAM policy document is a JSON document that defines permissions for AWS resources, specifying who can access them and what actions they can perform. It includes elements such as Effect, Action, and Resource to control access granularly.
Types of IAM Documents
Policy Documents: These are JSON documents that define permissions and can be attached to users, groups, or roles.
Managed Policies: Standalone policies that can be reused across multiple entities.
Inline Policies: Policies that are embedded directly into a single user, group, or role.
Trust Policy Documents: Used to define which entities (users, roles, services) can assume a role.
Permission Boundaries: Policies that set the maximum permissions a role can have.
IAM Roles:
An IAM role is different from an IAM user: you grant it permissions for things like workloads running outside of AWS, AWS services acting on your behalf, or access from other AWS accounts.
Roles do not have long-term credentials of their own; authorized entities assume them and receive temporary credentials. Roles are also how one AWS resource is given access to another.
Roles are commonly used with AWS services (Ex. EC2, Lambda) and for cross-account access.
Roles are defined with policies that specify their permissions.
Points to focus
Basic Components -- Learn about the basic components of IAM: Users, Groups, Permissions, MFA, Roles, Policies
Don't use Root and never share root access -- Do not use the root user for everyday work; instead, create IAM users and work with those. Never share root access with anyone, and enable multi-factor authentication for the root user (and for all other IAM users).
Use roles as much as possible -- Instead of creating IAM users and long-term credentials, prefer an IAM role wherever one can be used, e.g. an IAM instance role or an IAM service role; it is the more secure option.
Use temporary credentials -- Use identity federation where applicable, e.g. enterprise identity federation, web identity federation, or a cross-account access role.
Use IAM credentials -- Use access keys and a password for AWS CLI and API access, and an IAM user for CodeCommit access.
Some Important Questions!
What is the difference between authentication and authorization in AWS IAM?
Authentication is the process of verifying the identity of users or entities, while authorization is the process of granting or denying access to resources based on policies and permissions.
How can you secure your AWS account using IAM?
You can secure your AWS account by enforcing the principle of least privilege, creating strong password policies, enabling multi-factor authentication (MFA), and regularly reviewing permissions.
How do IAM users differ from IAM roles?
IAM users are individuals or entities that have a fixed set of permissions associated with them. IAM roles are identities without long-term credentials; when a user or AWS service assumes a role it receives temporary credentials to access resources.
What is an IAM policy?
An IAM policy is a JSON document that defines permissions. It specifies what actions are allowed or denied on which AWS resources for whom (users, groups, or roles).
How is the root AWS user different from an IAM user?
The root user has access to the entire AWS environment and has no policy attached to it, while IAM users can only do the tasks allowed by the policies attached to them.
What is the AWS Management Console?
The AWS Management Console is a web-based interface that allows you to interact with and manage AWS resources. IAM users can use the console to access resources based on their permissions.
How does IAM manage access keys?
IAM users can have access keys (access key ID and secret access key) associated with their accounts, which are used for programmatic access to AWS resources.
What is the Role of an IAM policy document?
An IAM policy document defines the permissions and actions that are allowed or denied. It is written in JSON format and attached to users, groups, or roles.
How can you grant permissions to an IAM user?
You can grant permissions to an IAM user by attaching policies to the user directly or by adding the user to groups with associated policies.
How can you delegate permissions to AWS services using IAM roles?
IAM roles allow you to delegate permissions to AWS services like EC2 instances, Lambda functions, and more, without exposing long-term credentials.
What is cross-account access in AWS IAM?
Cross-account access allows you to grant permissions to users or entities from one AWS account to access resources in another AWS account.
How does IAM support identity federation?
IAM supports identity federation by allowing users to access AWS resources using temporary security credentials obtained from trusted identity providers (e.g., SAML, OpenID Connect).
What is the purpose of an IAM access advisor?
IAM Access Advisor shows which services a user, group, or role has accessed and the actions they performed. This helps in auditing and understanding resource usage.
How does IAM enforce the principle of least privilege?
IAM enforces the principle of least privilege by allowing you to define specific permissions for users, groups, or roles, reducing the risk of unauthorized access.
What is the difference between IAM policies and resource-based policies?
IAM policies are attached to identities (users, groups, roles), while resource-based policies are attached to AWS resources (e.g., S3 buckets, Lambda functions) to control access from different identities.
How can you implement multi-factor authentication (MFA) in IAM?
You can enable MFA for IAM users to require an additional authentication factor (e.g., a code from a virtual MFA device) along with their password when signing in.
What is the IAM policy evaluation logic?
IAM uses a default-deny model with explicit deny precedence: every request is implicitly denied unless a policy statement explicitly allows it, and if any applicable statement contains an explicit Deny, that Deny overrides every Allow.
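As an added illustration of the policy document structure (Effect, Action, Resource, and a Condition) and of the evaluation logic just described, the following Python is a small constructed evaluator; it is not AWS code, and the bucket name, the policy, and the Bool/BoolIfExists condition handling are assumptions chosen to mirror the documented IAM behaviour for the aws:MultiFactorAuthPresent key.

```python
import fnmatch
import json

# Constructed identity policy: least-privilege read access to one bucket,
# plus an explicit Deny that blocks every S3 action unless MFA was used.
# BoolIfExists (rather than Bool) is what makes the Deny also apply to
# requests where the MFA key is absent, e.g. long-term access keys.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")


def _matches(pattern_or_list, value):
    """IAM-style wildcard match; Action/Resource may be a string or a list."""
    patterns = pattern_or_list if isinstance(pattern_or_list, list) else [pattern_or_list]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Only Bool and BoolIfExists are modelled here; real IAM has many operators."""
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # missing key counts as a match
                return False          # plain Bool: missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' following IAM's order: implicit deny by
    default, a matching Allow grants, an explicit Deny always wins."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # explicit deny overrides any Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # no matching Allow: implicit deny
```

Run evaluate() with and without {"aws:MultiFactorAuthPresent": "true"} in the context to see the explicit Deny take precedence over the Allow.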