Identity and Access Management (IAM) manages Amazon Web Services (AWS) users and their access to AWS accounts and services. It controls the level of access a principal has over an AWS account: it lets you create users, grant permissions, and allow a user to use specific features of an AWS account. IAM is mainly used to manage users, groups, roles, and access policies. The account we created to sign in to AWS is known as the root account, and its root user holds all administrative rights and has access to every part of the account. When a new IAM user is created in an AWS account, by default that user has no access to any service in the account; it is with the help of IAM that the root account holder (or an administrator) attaches access policies and grants the user permission to use specific services.
How IAM Works?
IAM verifies that a user or service has the necessary authorization to access a particular service in the AWS cloud. Every request to AWS is first authenticated (who is the caller) and then authorized against the policies that apply to that caller. We can also use IAM to grant the right level of access to specific users, groups, or services. For example, we can allow an EC2 instance to access S3 buckets by attaching a role with fine-grained permissions to the instance (an instance profile), rather than storing long-lived access keys on the instance.

What Does IAM Do?
With the help of IAM, we can perform the following:
IAM Identities
IAM identities help us control which users can access which services and resources in the AWS console, and they are the objects we attach policies to: users, groups, and roles. IAM identities can be created by the root user, or by any principal that has been granted the relevant iam:Create* permissions.
IAM identities are classified as:
- IAM Users
- IAM Groups
- IAM Roles
Root user
The root user is created automatically with the account and has unrestricted rights that cannot be limited by IAM policies. Rather than working as root, we create an administrative IAM user (or role) with the permissions needed to manage the account, enable MFA on the root user, and reserve it for the few tasks that only root can perform.
IAM Users
An IAM user is an identity we create for a person or application that needs to access the AWS console or APIs. Each IAM user has its own credentials (a console password and/or access keys), has no permissions until a policy is attached, and, unlike the root user, can be limited to exactly the permissions it needs, so we can also keep track of who signed in and what they did.
Example
With the aid of IAM users, we can give a specific person access to the services in the AWS console with only a limited set of permissions, such as read-only access. Let's say user-1 is a person who should have read-only access to EC2 instances and no additional permissions, such as create, delete, or update. By creating an IAM user for user-1 and attaching a policy that allows only the EC2 Describe* actions, we give that person access to EC2 with exactly the required permissions.
IAM Groups
A group is a collection of users, and a single user can be a member of several groups (a group cannot contain other groups). With the aid of groups, we can manage permissions for many users quickly and efficiently: the policies attached to a group apply to every user in it.
Example
Consider two users named user-1 and user-2. Suppose user-1 should be able to delete, create, and update only the Auto Scaling group, while user-2 needs all the permissions to maintain the Auto Scaling group as well as the ability to maintain EC2. We create a group for each set of permissions and add each user to the appropriate group. When a new user is added, we simply add that user to the group that carries the required permissions instead of attaching policies user by user.
IAM Roles
An IAM role is an identity with permission policies, like an IAM user, but it has no long-term credentials of its own. Instead, a role is assumed by whoever the role's trust policy allows (an AWS service, an IAM user, or an identity in another account), and the caller receives temporary credentials. Because permission policies cannot be attached directly to a service such as EKS, roles are the mechanism by which we give one AWS service access rights to other AWS services.
Example
Consider Amazon EKS. In order to maintain an Auto Scaling group, EKS needs access to EC2 instances. Since we can't attach policies directly to EKS, we build a role whose trust policy allows the eks.amazonaws.com service principal to assume it, attach the necessary permission policies to that role, and then associate the role with the EKS cluster.
IAM Policies
IAM policies manage access in AWS by being attached to IAM identities (identity-based policies) or to resources such as S3 buckets (resource-based policies). A policy defines the permissions of an AWS identity or resource. When a user or resource makes a request, AWS evaluates all the policies that apply to it and decides whether the request is allowed or denied: by default every request is denied, an explicit Allow in an applicable policy permits it, and an explicit Deny overrides any Allow. Policies are stored as JSON documents. The number of policies attached to a particular IAM identity depends on how many permissions that identity requires; an identity can have multiple policies attached, and its effective permissions are the union of their Allow statements minus anything explicitly denied.
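The evaluation rules just described, together with the read-only EC2 user and the Auto Scaling group from the IAM Users and IAM Groups examples above, as an added example that is not part of the original post: a simplified model of how AWS combines the identity-based policies attached to a user and to that user's groups. The user, group and policy names and the directory of memberships are constructed for the example; the action names are real EC2 and Auto Scaling API actions. Conditions, resource-based policies, permission boundaries and organization SCPs are deliberately left out.

```python
"""Added example (not from the original post): simplified evaluation of the
identity-based policies that apply to an IAM user (its own plus its groups').

Assumptions: user, group and policy names are invented; only Effect, Action
and Resource are evaluated, with IAM's default-deny / explicit-deny-wins rule."""
from fnmatch import fnmatchcase

# Attached directly to user-1 (and user-2): the read-only EC2 access from the page.
EC2_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:Describe*", "ec2:Get*"],
        "Resource": "*",
    }],
}

# Attached to the constructed "asg-operators" group: manage Auto Scaling groups.
ASG_OPERATOR = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["autoscaling:*"],
        "Resource": "*",
    }],
}

# Guard-rail policy on the same group: an explicit Deny that no Allow can override.
DENY_DESTRUCTIVE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": ["ec2:TerminateInstances", "autoscaling:DeleteAutoScalingGroup"],
        "Resource": "*",
    }],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(pattern, value):
    # IAM action names are case-insensitive and accept only '*' and '?' wildcards.
    # Lower-casing the resource ARN too is a simplification of this model.
    return fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action, resource):
    """Return 'Allow' or 'Deny' for one request over all applicable policies:
    start from an implicit deny, stop at the first explicit Deny, otherwise
    any matching Allow turns the decision into Allow."""
    decision = "Deny"                                   # implicit deny
    for policy in policies:
        for st in policy["Statement"]:
            if not any(_matches(a, action) for a in _as_list(st["Action"])):
                continue
            if not any(_matches(r, resource) for r in _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return "Deny"                           # explicit deny always wins
            decision = "Allow"
    return decision


def effective_policies(user, user_policies, group_policies, membership):
    """Every policy that applies to `user`: its own plus those of each group it is in."""
    policies = list(user_policies.get(user, []))
    for group in membership.get(user, []):
        policies.extend(group_policies.get(group, []))
    return policies


# Constructed directory of who has which policies and group memberships.
USER_POLICIES = {"user-1": [EC2_READ_ONLY], "user-2": [EC2_READ_ONLY]}
GROUP_POLICIES = {"asg-operators": [ASG_OPERATOR, DENY_DESTRUCTIVE]}
MEMBERSHIP = {"user-1": [], "user-2": ["asg-operators"]}


def decide(user, action, resource="*"):
    return evaluate(effective_policies(user, USER_POLICIES, GROUP_POLICIES, MEMBERSHIP),
                    action, resource)


if __name__ == "__main__":
    for user, action in [("user-1", "ec2:DescribeInstances"),
                         ("user-1", "ec2:TerminateInstances"),
                         ("user-2", "autoscaling:UpdateAutoScalingGroup"),
                         ("user-2", "autoscaling:DeleteAutoScalingGroup")]:
        print(f"{user:7} {action:40} {decide(user, action)}")
```

Two things the run makes visible that the prose only states: user-1 is refused `ec2:TerminateInstances` without any Deny statement existing for that user (nothing allowed it), and user-2 is refused `autoscaling:DeleteAutoScalingGroup` even though `autoscaling:*` is allowed, because the group's explicit Deny takes precedence over the Allow in the other attached policy.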
IAM Features
- Shared access to your account: a team working on a project can share the account's resources, each member with their own identity and permissions, instead of sharing one set of credentials.
- Free of cost: the IAM feature of the AWS account is free to use; charges apply only for the other AWS services that IAM users consume.
- Centralized control over your AWS account: every creation of users, groups, or roles, and every removal, is controlled by you, and you control what data can be accessed by each user and how.
- Grant permission to the user: since the root account holds full administrative rights, IAM is the mechanism by which users are granted permission to access specific services.
- Multi-factor authentication (MFA): an additional layer of security for an account. Besides the password, sign-in requires a code from an MFA device that the user holds (a virtual MFA app, a hardware token, or a security key), typically a six-digit number that changes periodically, so a stolen password alone is not enough to sign in.
Kindly find some details for IAM Policy