What is AWS IAM?

A large organisation cannot give every employee a separate AWS account, each with its own subscription and billing, and it still has to manage which users may reach which parts of the AWS console. This is the problem AWS Identity and Access Management (AWS IAM) solves. In this article, you will learn everything you need to know about AWS Identity and Access Management.


What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that lets you control which users can access Amazon Web Services services and resources. With IAM you create and manage AWS users and groups, and you grant them access to specific parts of Amazon Web Services.

Organisations can now manage their users (employees) and those users' security credentials in one place. A company can create multiple user profiles, each with its own unique security credentials. The biggest perk is that no matter how many users are created, the organisation controls what access each employee gets, and all usage is billed to a single AWS account.

Identity and Access Management also supports identity federation between your corporate directory and AWS. This is what lets existing corporate identities be granted access to Amazon Web Services resources.

Once you know the basics of AWS IAM, the next step is to understand how it works and which features make it relevant.

Working of AWS IAM

By now you know that IAM provides the infrastructure that governs authentication and authorization for your account. To understand how AWS Identity and Access Management works end to end, you need to understand the six elements of that infrastructure.

Let's look at these six elements in the order a request passes through them.

1. Principal

A principal is a person or application that makes a request for an operation or action on an AWS resource. To make requests, the principal is authenticated as an Identity and Access Management entity (for example, the AWS account root user).

2. Request 

When a principal wants to use the AWS Management Console, the AWS CLI, or the AWS API, it must send a request to AWS. The request includes several things:

  • Actions or operations 
    The actions the principal wants to perform, whether through the AWS Management Console, the AWS CLI, or the AWS API.
  • Resources 
    The resource object on which the operation or action is to be performed. 
  • Principal 
    Information about the principal, including the entity the principal used to sign in. 
  • Environment data 
    Information such as the user agent, source IP address, time of day, and whether SSL was used.
  • Resource data
    Information about the requested resource, for example an Amazon EC2 instance tag or a DynamoDB table name.

All of this data is gathered into a request context, which AWS uses to evaluate and authorise the request.


3. Authentication 

Before a request is processed, the principal must be authenticated with their credentials. A few services, such as AWS STS and Amazon S3, accept requests from anonymous users, but these are exceptions. 

4. Authorization

Being authenticated is not enough; the request must also be authorised. During authorization, the values gathered into the request context in the previous step are checked against the policies that apply to the request, and AWS then decides whether the request is allowed or denied. 

5. Actions or Operations

Once the request is authorised, AWS approves the requested operations or actions. These include everything that can be done with a resource, such as creating, editing, or deleting it. 

6. Resources

After the operations are approved, the request is performed on the resources that belong to your account. These resources are objects that exist within a service. 

Now that you know the six elements of the AWS IAM infrastructure and how they work together, it is equally important to look at the components of Identity and Access Management.

Features of AWS IAM

AWS Identity and Access Management gives you several features: 

1. Shared access to the AWS Account:

When an organisation wants to share its AWS resources with employees, it can simply grant them permissions, without sharing any security key or password. 

2. Granular permissions:

Granular permissions mean that you can grant exactly the permissions a specific person needs. For example, you can give one user complete access to Amazon Elastic Compute Cloud, Amazon DynamoDB, and Amazon Simple Storage Service, while limiting other users to read-only access to S3 buckets or EC2 instances.


3. Secure Access for applications running on Amazon EC2

AWS Identity and Access Management can provide credentials to applications running on EC2 instances. These credentials matter because they carry the permissions those applications need to access other AWS resources, such as Amazon DynamoDB tables and S3 buckets.

4. Multi-Factor Authentication (MFA)

The security of AWS Identity and Access Management can be strengthened further by enabling multi-factor authentication. With MFA enabled, a user needs not only a password or access key for the account but also a code generated by a securely configured device. 
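The request context (element 2), the authorization decision (element 4), granular permissions (feature 2) and MFA (feature 4) all come together when AWS evaluates a policy. The toy evaluator below is an added illustration, not AWS code or the article's own: it builds a request context, then applies the real IAM decision order (an explicit Deny always wins, otherwise one matching Allow is enough, otherwise the request is denied by default) to a full-access user, a read-only user, and a constructed guardrail policy that requires MFA for S3 writes, TLS for every call, and a made-up corporate IP range (10.20.0.0/16) for IAM changes. Only the condition operators used here are implemented; real IAM supports many more.

```python
"""Toy evaluator for IAM-style identity policies (added illustration, not AWS code)."""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _in_ranges(ip_text, cidrs):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, ctx):
    """Every operator block, and every key inside each block, must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # a missing context key fails Bool/IP tests, as in IAM
                return False
            if operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            elif operator == "IpAddress":
                ok = _in_ranges(actual, expected)
            elif operator == "NotIpAddress":
                ok = not _in_ranges(actual, expected)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def _statement_applies(stmt, ctx):
    """Action and Resource use IAM-style '*' wildcards; Condition must hold too."""
    action_ok = any(fnmatch.fnmatchcase(ctx["action"], a) for a in _as_list(stmt["Action"]))
    resource_ok = any(fnmatch.fnmatchcase(ctx["resource"], r) for r in _as_list(stmt["Resource"]))
    return action_ok and resource_ok and _condition_holds(stmt.get("Condition", {}), ctx)


def evaluate(policies, ctx):
    """Return 'Allow' or 'Deny' for one request context against a list of policies."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, ctx):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny overrides any allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: default deny


def request_context(principal, action, resource, source_ip, tls=True, mfa=False):
    """Element 2 of the article: the data AWS gathers before authorizing a request."""
    return {
        "principal": principal, "action": action, "resource": resource,
        "aws:SourceIp": source_ip,
        "aws:SecureTransport": "true" if tls else "false",
        "aws:MultiFactorAuthPresent": "true" if mfa else "false",
    }


# Granular permissions: one identity gets everything, another only read-only S3/EC2.
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:Describe*"], "Resource": "*"}]}

# Constructed guardrail applied to everyone: S3 writes need MFA, every call needs TLS,
# and IAM changes must come from the made-up corporate range 10.20.0.0/16.
GUARDRAIL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:Put*", "s3:Delete*"], "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "10.20.0.0/16"}}},
]}


def decide(user_policies, **request):
    """Authorize one request for a user whose identity policies are user_policies."""
    return evaluate(user_policies + [GUARDRAIL_POLICY], request_context(**request))


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed resource ARN
    print(decide([ADMIN_POLICY], principal="alice", action="s3:PutObject",
                 resource=obj, source_ip="10.20.1.5", mfa=True))   # Allow
    print(decide([ADMIN_POLICY], principal="alice", action="s3:PutObject",
                 resource=obj, source_ip="10.20.1.5"))             # Deny: no MFA
    print(decide([READ_ONLY_POLICY], principal="bob", action="ec2:TerminateInstances",
                 resource="*", source_ip="198.51.100.9"))          # Deny: default deny
```

The interesting cases are the ones where a user has an Allow and still gets Deny: the admin without MFA, the admin changing IAM from outside the corporate range, and anyone calling without TLS. That is the behaviour the article describes in element 4, and it is why guardrail policies are written as explicit denies rather than as narrower allows.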

5. Eventually Consistent 

Like all Amazon Web Services, IAM is eventually consistent. Eventual consistency means that a change made in a distributed database is propagated to all the other nodes that store the data, so that after a short delay every node holds the same state and returns the same response.

To achieve high availability, Identity and Access Management replicates its data across several servers in Amazon data centres around the world. The important consequence is that once a change request has been successfully committed and stored, that change still has to be replicated across Identity and Access Management, which can take some time.

6. Free of cost

AWS Identity and Access Management and AWS Security Token Service are account features offered at no additional charge; you are billed only for the other Amazon Web Services you access using them.

Now that you understand the basics of AWS Identity and Access Management and why it matters, the next thing to know is the components that make IAM work.

AWS IAM Components

Apart from the infrastructure elements above, AWS Identity and Access Management has several components. 

1. Users:

A user is an IAM user: an identity (and a resource) with associated credentials and permissions. The user can be a person or an application. To manage secure access to AWS services, create an IAM user for every employee in the organisation. 

2. Groups

A group is a collection of users. Groups let you specify permissions for many users at once, and you can still grant extra permissions to an individual member of the group. When a new user is added to a group, that user automatically receives all the permissions and policies shared by the other group members. 

3. Policies

Policies are sets of permissions and controls for AWS resources, stored in AWS as JSON documents. The permissions in a policy specify whether a user has access to a resource. 

4. Roles

A role is a set of permissions that defines which actions are and are not allowed in AWS. Unlike a user, a role has no permanent credentials; whoever assumes the role receives temporary credentials.
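The temporary credentials a role hands out (and that an application on EC2 receives, as in feature 3) carry an expiry, so the consuming side has to track it. The snippet below is an added example, not the article's or AWS's code: it parses a constructed response shaped like the `Credentials` block of an STS AssumeRole result (the key ID, secret and token are placeholders, and the account ID is the documented example 123456789012) and decides, with a safety margin, when a fresh set must be obtained. The AWS SDKs do this refresh automatically; the logic is shown here to make the "non-permanent" nature of role credentials concrete.

```python
"""Tracking the lifetime of role (temporary) credentials; added illustration, not AWS code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like an STS AssumeRole response; values are placeholders.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",          # placeholder, not a real key id
        "SecretAccessKey": "constructed-secret-not-real",
        "SessionToken": "constructed-session-token",
        "Expiration": "2024-01-01T13:00:00Z",          # UTC, as STS returns it
    },
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::123456789012:assumed-role/AppRole/app-session",
    },
}


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware UTC

    @classmethod
    def from_response(cls, response):
        """Build from the Credentials block; the Expiration string is parsed as UTC."""
        c = response["Credentials"]
        exp = datetime.strptime(c["Expiration"], "%Y-%m-%dT%H:%M:%SZ")
        return cls(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"],
                   exp.replace(tzinfo=timezone.utc))

    def remaining(self, now):
        """Time left before AWS stops accepting these credentials (negative once expired)."""
        return self.expiration - now

    def needs_refresh(self, now, margin=timedelta(minutes=5)):
        """Refresh before expiry so calls already in flight do not fail with ExpiredToken."""
        return self.remaining(now) <= margin


def refresh_due_seconds(response, now):
    """Seconds until a refresh is due, clamped at zero when it is already overdue."""
    creds = TemporaryCredentials.from_response(response)
    due = creds.remaining(now) - timedelta(minutes=5)
    return max(0, int(due.total_seconds()))


if __name__ == "__main__":
    creds = TemporaryCredentials.from_response(SAMPLE_RESPONSE)
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    print(creds.remaining(now), creds.needs_refresh(now))  # 1:00:00 False
```

Note that the comparison only works because both sides are timezone-aware: parsing the `Expiration` string without attaching UTC, and comparing it with a local-time clock, is a common way to refresh an hour early or an hour late.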


Conclusion

By now you should be well versed in everything you need to know about AWS Identity and Access Management (IAM). You started with the basics of IAM and went on to why Identity and Access Management is needed.

You then saw how AWS IAM works and the different elements involved in its infrastructure, and finally, to firm up your grasp of the whole, the four remaining components of AWS Identity and Access Management (IAM).


Author: Ishan Gaba, Research Analyst

FAQs

AWS Identity and Access Management is a web-based service that helps you control who can access your AWS resources. Using IAM, you can give people access to specific resources and services.

You can use AWS IAM on mobile through the AWS Console app, which is available on Android and iOS.

IAM is an AWS service offered at no additional charge beyond what you pay for the AWS services you use.

Resources in AWS IAM are objects within a service, and these mainly include users, groups, policies, and roles.