AWS Identity and Access Management (IAM) is a web service that enables you to securely control access to AWS resources. IAM allows you to manage who can authenticate (sign in) and who is authorized (has permissions) to use resources within your AWS account.
Key Features and Components
Users
• Individual identities (such as people or applications) that need access to AWS resources.
• Each user has unique credentials and can be assigned specific permissions.
Groups
• Collections of users that share the same permissions.
• Assigning permissions to a group automatically applies them to all users in that group, simplifying management.
Roles
• Identities that are not tied to a single person but can be assumed by principals that need them, such as AWS services, applications, or users from another account or an external identity provider.
• Roles use temporary security credentials, which are especially useful for granting limited-time access to resources (e.g., an EC2 instance accessing an S3 bucket).
Policies
• JSON documents that define permissions, specifying what actions are allowed or denied on which resources.
• Policies can be attached to users, groups, or roles, and are used to enforce fine-grained access control.
How IAM Works
A user or application provides credentials to prove their identity to AWS. IAM evaluates policies attached to the identity and the resource to determine whether the requested action is allowed or denied. If authorized, the principal (user, group, or role) can perform actions like launching EC2 instances, modifying group memberships, or accessing S3 buckets.
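To make the evaluation described above concrete, here is an added example (not from the original page or from AWS) that parses a constructed JSON policy of the kind described under Policies and applies the core IAM decision rules: deny by default, an explicit Deny overrides any Allow, and an Allow only counts when both the action and the resource match. It is a simplified model: the policy document and ARNs are constructed, and conditions, NotAction/NotResource, resource-based policies and SCPs are deliberately left out.

```python
import fnmatch
import json

# Constructed sample identity policy: a role may read one bucket but may never delete objects in it.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")


def _as_list(value):
    """IAM allows Action and Resource to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    Action names are matched case-insensitively; resource ARNs are case-sensitive."""
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified IAM evaluation over all identity-based policies that apply to a
    principal (user plus group plus role policies). Returns 'explicit deny',
    'allow' or 'implicit deny'. A Deny anywhere wins even if an Allow matched earlier."""
    decision = "implicit deny"          # nothing matched yet: default deny
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)):
                continue                # statement does not apply to this request
            if stmt["Effect"] == "Deny":
                return "explicit deny"  # explicit deny always overrides
            decision = "allow"          # remember the allow, keep looking for denies
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "s3:PutObject"):
        print(act, "->", evaluate([SAMPLE_POLICY], act, obj))
```

Passing a second policy (for example one attached to the user's group) in the same list shows how permissions from groups and users combine, and that a Deny in any of them still wins.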
Additional Features
- Granular permissions: Control access at a detailed level, supporting the principle of least privilege.
- Multi-factor authentication (MFA): Enhance security by requiring an additional verification method.
- Identity federation: Allow users authenticated by external systems (like Google or Facebook) to access AWS resources.
- No additional cost: IAM is free to use with your AWS account.