A large organisation cannot give every employee a separate AWS account, each with its own subscription and bill, and without a central control point it cannot manage who may reach which part of the AWS console or API. This is where AWS Identity and Access Management (IAM) comes in. In this article you will learn what IAM is, how it processes a request, and what its main components are.
AWS Identity and Access Management (IAM) is a web service that lets you control who (authentication) can do what (authorisation) with AWS services and resources. IAM is used to create and manage AWS users, groups and roles, and to grant them permissions to specific parts of AWS.
With IAM, an organisation can create a separate identity, with its own security credentials, for each employee or workload, decide exactly what each identity may access, and still receive a single bill for the one AWS account that owns them all.
IAM also supports identity federation between your corporate directory (for example over SAML 2.0 or OpenID Connect) and AWS, so existing corporate identities can be granted access to AWS resources without creating a separate IAM user for each person.
Once you know the basics of IAM, the next step is to understand its features and why they matter.
IAM provides the infrastructure that governs authentication and authorisation for your account. To understand how IAM works end to end, you need to understand the six elements of that infrastructure.
Let's look at these six elements and how a request flows through them.
The principal is the person or application that requests an action or operation on an AWS resource. A principal can be the AWS account root user, an IAM user, or an IAM role (used through temporary credentials, for example by a federated user or an application). Each principal authenticates with its own credentials before it can make requests.
When the principal uses the AWS Management Console, the AWS CLI, or the AWS API, it sends a request to AWS. That request carries the action or operation being requested (for example s3:GetObject), the resource the action targets (identified by its ARN), the principal making the request together with the policies attached to it, environment data such as the source IP address, the time, whether MFA was used (aws:MultiFactorAuthPresent) and whether SSL was used, and resource data such as tags on the target resource.
All of this is gathered into a request context, which is what IAM evaluates when it authorises the request.
Before a request is processed, the principal must be authenticated with its credentials. A few services, such as AWS STS and Amazon S3, accept some requests from anonymous (unauthenticated) callers, but these are exceptions.
Being authenticated is not enough; the request must also be authorised. During authorisation, IAM uses the values in the request context to find the policies that apply and evaluates them. The outcome follows a fixed rule: everything is denied by default, an explicit Allow in an applicable policy permits the request, and an explicit Deny anywhere overrides every Allow.
Once the request is authorised, AWS approves the requested actions or operations. Actions are everything that can be done to a resource, such as creating, reading, editing or deleting it, and each service defines its own set of them (for example ec2:RunInstances or s3:GetObject). The sixth element is the resource that the approved action is performed on.
Now that you know the six elements of the IAM infrastructure and how a request flows through them, it is equally important to look at IAM's features and components.
AWS Identity and Access Management gives you several features:
Shared access to your AWS account: an organisation can grant employees permission to work with its AWS resources without sharing the root user's password or access keys.
Granular permissions: you can grant each identity exactly the access it needs. For example, one user can be given full access to Amazon Elastic Compute Cloud, Amazon DynamoDB and Amazon Simple Storage Service, while other users are limited to read-only access to particular S3 buckets or EC2 instances.
Secure access for applications on EC2: IAM roles can provide credentials to applications running on EC2 instances. The instance is assigned a role through an instance profile, and the application obtains short-lived credentials from the instance metadata service instead of having a long-term access key stored on the host. Those credentials carry the permissions the application needs to reach resources such as DynamoDB tables and S3 buckets.
Multi-factor authentication: you can strengthen IAM by requiring MFA. With MFA enabled, a user must supply not only a password or access key but also a one-time code from a configured device (a virtual authenticator app, a hardware token or a FIDO security key). Policies can also require MFA for sensitive actions through the aws:MultiFactorAuthPresent condition key.
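To make the authorisation step concrete (the request context, the granular-permission feature and the MFA feature described above), here is a small Python model of how IAM evaluates identity-based policies. It is an added example written for this article, not AWS's own evaluation engine and not code from the original page: it models only Effect, Action, Resource and the Bool/BoolIfExists condition operators on aws:MultiFactorAuthPresent, and the bucket name, object key and sample policies are constructed for the demonstration. It goes one step beyond the text by showing why an MFA-enforcing Deny written with Bool can be bypassed by long-term access keys, while the same Deny written with BoolIfExists cannot.

```python
"""Simplified model of IAM policy evaluation. Added example, not AWS code.

Models only Effect/Action/Resource and the Bool / BoolIfExists operators on
aws:MultiFactorAuthPresent. Real IAM also evaluates SCPs, permission boundaries,
session and resource-based policies and many more condition keys.
"""
from fnmatch import fnmatchcase

# Constructed sample policies, in the JSON shape IAM uses. Bucket is hypothetical.
POWER_USER_POLICY = {                       # full EC2, DynamoDB and S3 access
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "dynamodb:*", "s3:*"],
                   "Resource": "*"}],
}
S3_READ_ONLY_POLICY = {                     # read-only access to one bucket
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}],
}
# Deny deletes unless MFA was used. "Bool" only fires when the key is present,
# and the key is absent for requests signed with long-term access keys.
MFA_DENY_WEAK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
                   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}],
}
# "BoolIfExists" treats a missing key as matching, which closes that gap.
MFA_DENY_STRONG = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*",
                   "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # Action names match case-insensitively; "*" and "?" are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; "*" matches any run of characters, "/" included.
    return any(fnmatchcase(resource, p) for p in _as_list(patterns))

def _condition_matches(condition, context):
    """True when every condition in the statement matches the request context."""
    for operator, tests in (condition or {}).items():
        for key, expected in tests.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False          # missing key: Bool never matches
            elif operator == "BoolIfExists":
                if actual is not None and str(actual).lower() != str(expected).lower():
                    return False          # missing key: treated as a match
            else:
                raise NotImplementedError(f"operator {operator} is not modelled")
    return True

def evaluate(policies, request):
    """Return "Allow" or "Deny" for request = {"action", "resource", "context"}.

    Rules modelled from IAM: implicit deny by default, an explicit Allow grants,
    and an explicit Deny in any applicable statement overrides every Allow.
    """
    context = request.get("context", {})
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_action_matches(stmt["Action"], request["action"])
                    and _resource_matches(stmt["Resource"], request["resource"])
                    and _condition_matches(stmt.get("Condition"), context)):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

# Constructed request data (hypothetical account, instance, user and object).
INSTANCE = "arn:aws:ec2:eu-west-1:123456789012:instance/i-0123456789abcdef0"
IAM_USER = "arn:aws:iam::123456789012:user/alice"
OBJECT = "arn:aws:s3:::example-bucket/reports/q3.csv"
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}        # console or STS session
LONG_TERM_KEYS = {}                                      # CLI call with an access key pair

def demo():
    power, reader = [POWER_USER_POLICY], [S3_READ_ONLY_POLICY]
    delete = {"action": "s3:DeleteObject", "resource": OBJECT}
    return {
        "power_runs_ec2": evaluate(power, {"action": "ec2:RunInstances", "resource": INSTANCE}),
        "power_cannot_iam": evaluate(power, {"action": "iam:CreateUser", "resource": IAM_USER}),
        "reader_gets": evaluate(reader, {"action": "s3:GetObject", "resource": OBJECT}),
        "reader_cannot_put": evaluate(reader, {"action": "s3:PutObject", "resource": OBJECT}),
        "delete_with_mfa": evaluate(power + [MFA_DENY_STRONG], {**delete, "context": WITH_MFA}),
        "delete_weak_no_mfa": evaluate(power + [MFA_DENY_WEAK], {**delete, "context": LONG_TERM_KEYS}),
        "delete_strong_no_mfa": evaluate(power + [MFA_DENY_STRONG], {**delete, "context": LONG_TERM_KEYS}),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

Run it directly to see the verdicts. The last two entries are the ones to remember: a request signed with a user's long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a Deny written with a plain Bool condition never matches and the delete goes through, whereas BoolIfExists treats the missing key as "false" and blocks it.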
Like many AWS services, IAM is eventually consistent. In a distributed system that means a change is propagated to all the nodes that store it over time rather than instantly: for a short period after a write, a read served by another node may still return the old data.
To achieve high availability, IAM replicates its data across multiple servers in AWS data centres around the world. When a change request is committed and stored, it must still be replicated across IAM, which takes time. In practice a user, role or policy you have just created may not be usable for a few seconds, so scripts that create an IAM entity and immediately use it should retry rather than assume the change is already visible everywhere.
IAM and AWS Security Token Service (STS) are offered at no additional charge. You are billed only for the other AWS services that your users access with them.
Having understood the basics of IAM and why it matters, the next thing to know is the components you actually work with.
Apart from the infrastructure elements above, IAM has four main components.
1. Users:
Here a user is an IAM user: an identity with its own credentials and permissions. A user can represent a person or an application. To manage access securely, create a separate IAM user for each person or workload that needs access rather than sharing one set of credentials, so that actions can be traced to an individual and a compromised credential can be revoked on its own.
2. Groups:
A group is a collection of IAM users. Groups let you assign permissions to several users at once, and a member can still be given additional permissions directly. When a new user is added to a group, that user automatically receives all the policies attached to the group.
3. Policies:
A policy is a document that defines permissions and controls for AWS resources. Policies are stored as JSON documents in AWS, and it is these permissions that decide whether a principal may access a resource.
4. Roles:
A role is a set of permissions that defines which actions are allowed and denied, but unlike a user it has no long-term credentials. A role is assumed by a trusted principal (a user, an application, an AWS service such as EC2, or a federated identity), which receives temporary credentials from AWS STS for the duration of the session.
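To show what a role is made of (the EC2 application credentials feature above and the role component here), the following is an added Python example, not code from the original page or from AWS. It builds the two documents behind an EC2 instance role, the trust policy that says who may assume it and the permissions policy that says what it may do, and lints both for the over-broad grants a reviewer would reject. The account ID, region, bucket name and table name are hypothetical.

```python
"""An EC2 instance role: trust policy, permissions policy and a least-privilege
lint. Added example for this article, not AWS or project code. The account ID,
region, bucket and table names are hypothetical.
"""
import json

ACCOUNT_ID = "123456789012"   # hypothetical account
REGION = "eu-west-1"          # hypothetical region


def _as_list(value):
    return value if isinstance(value, list) else [value]


def ec2_trust_policy():
    """Trust policy: only the EC2 service may assume the role (through STS).

    The role is attached to an instance via an instance profile; code on the
    instance then fetches short-lived credentials from the instance metadata
    service, so no long-term access key ever has to be stored on the host.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Principal": {"Service": "ec2.amazonaws.com"},
                       "Action": "sts:AssumeRole"}],
    }


def app_permissions_policy(bucket, table):
    """Permissions policy scoped to one bucket prefix and one table."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ReadConfigObjects", "Effect": "Allow",
             "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/config/*"},
            {"Sid": "ListConfigPrefix", "Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": ["config/*"]}}},
            {"Sid": "TableReadWrite", "Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
             "Resource": f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/{table}"},
        ],
    }


def lint_permissions(policy):
    """Flag Allow statements that grant far more than one workload needs."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append(f"{sid}: Action '*' grants every API in every service")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"{sid}: service-wide wildcard in Action {actions}")
        if "*" in resources:
            findings.append(f"{sid}: Resource '*' covers every resource in the account")
    return findings


def lint_trust(policy):
    """Flag trust statements that let any AWS principal assume the role."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict)
                                      and "*" in _as_list(principal.get("AWS", [])))
        if anyone and "Condition" not in stmt:
            findings.append("Principal '*' without a Condition: any account may assume this role")
    return findings


# Constructed counter-examples of the kind the lint should reject.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}],
}


def render(policy):
    """Serialise a policy as it would be passed to the IAM API."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = app_permissions_policy("example-bucket", "orders")
    print(render(ec2_trust_policy()))
    print(render(scoped))
    print("scoped policy findings:", lint_permissions(scoped))
    print("overbroad findings:", lint_permissions(OVERBROAD_POLICY))
    print("open trust findings:", lint_trust(OPEN_TRUST_POLICY))
```

The two lints encode the review questions that matter most for a role: does the permissions policy name specific actions and ARNs rather than wildcards, and does the trust policy name a specific service or account rather than "*". A role that anyone can assume is effectively a public credential for whatever its permissions policy grants.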
By now you should be well versed in AWS Identity and Access Management (IAM). You started with the basics of IAM and why an organisation needs it, then saw how IAM processes a request through the six elements of its infrastructure, and finally looked at the four components of IAM: users, groups, policies and roles.
Resources: once an operation is approved, the request is carried out on the resources in your account. A resource is an object that exists within a service, such as an IAM user, an EC2 instance or an S3 bucket.
AWS Identity and Access Management is a web service that lets you control who can access which AWS resources. With IAM you grant people and applications permissions to specific resources and services.
You can sign in to AWS from a phone with the AWS Console Mobile Application, which is available for Android and iOS.
IAM is an AWS service offered at no additional charge; you pay only for the other AWS services you use.
Resources within IAM itself are the objects IAM manages: users, groups, roles, policies and identity providers.