IAM

Introduction

  • Identity and Access Management (IAM) enables controlling access to AWS services and resources

  • Can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources

  • A global (Not Regional) service

Feature

  • Provides

    • Centralized control

    • Shared access to AWS account

    • Granular permissions

    • Identity Federation (e.g. to a SAML IdP)

      • Create a SAML provider in IAM and create IAM role that establishes a trust relationship between IAM and the IdP that identifies the IdP as a principal (trust entity) for purposes of federation.

    • Multi-Factor Authentication (MFA)

    • Temporary access for users, devices and services

    • Custom password policy (e.g. password rotation)

    • Supports PCI DSS compliance

  • Composition

    • Users

      • Simply people

      • Access type:

        • Programmatic access to AWS APIs and the command line

          • Access Key ID

          • Secret Access Key (shown only at creation time; can be downloaded in the credentials.csv file)

        • AWS console

          • Password (shown only at creation time; can be downloaded in the credentials.csv file)

    • Groups

      • A collection of users that share the same permissions

    • Roles

    • Policies

    • Trust Policy

      • A JSON document defining who can assume the role

  • Evaluation logic

    • Authenticates the principal.

    • Determines which policy to apply to the request.

    • Evaluates the policy types and arranges an order of evaluation.

    • Processes the policies against the request context to determine if it is allowed.

Related Service

  • Access Advisor - Shows the permissions granted and the time of last access

  • Access Analyzer - Analyzes resources that are shared with an external entity
