What is IAM user?
AWS IAM is at the heart of AWS security because it allows you to control access by creating users and groups, assigning specific permissions and policies to specific users, managing Root Access Keys, configuring MFA Multi-Factor authentication for added security, and much more. And, to top it all off, IAM is completely free to use!
AWS Identity And Access Management
IAM is a preventative security measure.
It has the ability to create and manage AWS users and groups, as well as use permissions to grant and deny access to AWS resources.
IAM is concerned with four concepts: users, groups, roles, and policies.
It manages centralized and fine-grained API resources, as well as a management console.
You can control which operations a user or role can perform on AWS resources by specifying permissions.
Access to the AWS Management Console, AWS API, and AWS Command-Line Interface is provided by the IAM service (CLI)
AWS IAM — Key Features
We should consider IAM to be the first step toward ensuring the security of all your AWS administrations and assets.
Confirmation
AWS IAM enables you to create and manage characters such as clients, groups, and jobs, allowing you to issue and enable verification for assets, individuals, administrations, and applications within your AWS account.
Approval
In IAM, access to executives or approval is comprised of two critical segments: Policies and Permissions.
Fine-grained consents
Consider this: you need to give the business group in your organization access to charging data, but you also need to give the engineering group full access to the EC2 administration and the marketing group access to specific S3 pails. You can design and tune these consents using IAM to meet the needs of your clients.
Common admittance to AWS accounts
Most organizations have multiple AWS accounts and must occasionally designate access between them. IAM allows you to do this without sharing your credentials, and AWS recently released ControlTower to further streamline multi-account designs.
AWS Organizations
You can use AWS Organizations to divide accounts into gatherings and assign consent limits for fine-grained control over multiple AWS accounts.
Personality Federation
In many cases, your organization should combine access from other character providers, such as Okta, G Suite, or Active Directory. Identity Federation, a component of IAM, allows you to do this.
IAM users
IAM users can be individuals, systems, or applications that require AWS services.
A user account is made up of a unique name and security credentials such as a password, access key, and/or multi-factor authentication (MFA).
IAM users only need passwords when they access the AWS Management Console.
IAM policies
IAM Groups are a way to assign permissions to your organization's logical and functional units.
IAM Groups are a tool to help with operational efficiency, bulk permissions management (scalable), and easy permission changes as individuals change teams (portable)
A group can have many users, and a user can be a member of multiple groups.
Groups cannot be nested; they can only contain users and not other groups.
IAM Roles
An IAM role, like a user, is an AWS identity with permission policies governing what the identity can and cannot do in AWS
For specific access to services, you can authorize roles to be assumed by humans, Amazon EC2 instances, custom code, or other AWS services.
Roles do not have standard long-term credentials associated with them, such as a password or access keys; rather, when you assume a role, it provides you with temporary security credentials for your role session.
AWS IAM Access Analyzer
Do yourself a favor and start using the IAM access analyzer for organizational security if you have two or more AWS accounts. The access analyzer displays all AWS resources that are accessible outside of your AWS organization.
IAM Access Analyzer continuously monitors resource policies for changes, removing the need for infrequent manual checks to catch issues as policies are added or updated.
It enables you to create a comprehensive report for all of your AWS assets that can be accessed publicly by utilizing Access Analyzer.
Access Analyzer is a component of Amazon's Provable Security endeavor to achieve the highest levels of security utilizing mechanized reasoning innovation and scientific reasoning.