2.6.1. AWS Identity and Access Management (IAM)
š” First Principle: AWS IAM provides granular control over who can access AWS resources and what actions they can perform, ensuring secure and auditable management of your cloud environment.
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to manage users and their permissions to use AWS services and resources.
Key Characteristics of AWS IAM:
- Centralized Control: Manage access to all your AWS resources from one place.
- IAM Users: Represents individual people or applications. You create IAM users in your AWS account and assign them permissions.
- IAM Groups: Collections of IAM users. Simplifies permission management by attaching policies to a group, granting the same permissions to all users within it.
- IAM Roles: Secure IAM identities that grant temporary permissions. Used by AWS services (e.g., an EC2 instance accessing S3) or by users for temporary elevated access.
- IAM Policies: JSON documents that define permissions. Specify what actions are allowed or denied on which resources. These are attached to users, groups, or roles.
- Principle of Least Privilege: A core security practice that dictates granting only the minimum permissions necessary.
š” Tip: Think of Users, Groups, and Roles as the "Who" (the identity). Think of Policies as the "What" (the permissions).
Scenario: A company needs to grant different levels of access to its AWS account. Developers need to manage EC2 instances, while auditors need only read-only access to S3 buckets. They also need to grant an EC2 instance permission to access DynamoDB.
Reflection Question: How does AWS IAM, by providing users, groups, roles, and policies, fundamentally enable granular control over who can access AWS resources and what actions they can perform?