IAM stands for Identity and Access Management. IAM allows you to manage users and their level of access to the AWS console and to AWS resources.
Features of AWS IAM :
- Centralized control of your AWS account.
- Integrates with an existing Active Directory account, allowing single sign-on.
- Fine-grained access control to AWS resources.
- Permissions can be granted at the user, group or role level.
- Multi-factor authentication.
- Provides temporary access for users, devices and services where necessary.
- Allows you to set up your own password rotation policy.
High Level Concepts :
- User – An end user (think people).
- Group – A collection of users under one set of permissions.
- Roles – Similar to a group, but a role can be assigned to both users and AWS resources (such as EC2). EC2 instances could instead have credentials stored on them, but that is a security risk and difficult to manage; roles solve this problem.
Roles and their Policy Templates :
- Administrator Access – full access to AWS services and resources.
- Power User Access – full access except management of users and groups.
- Read Only Access – read-only access to resources.
- More granular access depending on the resource required (such as S3 access).
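To make the difference between these templates concrete, here is an added example (not code from the original tutorial and not AWS's own policy engine) that evaluates simplified, constructed versions of the three templates plus a granular S3 policy with a small IAM-style evaluator. The policy documents are deliberately shortened stand-ins for the real AdministratorAccess, PowerUserAccess and ReadOnlyAccess managed policies, the bucket name is made up, and the evaluator implements only the core rule that matters here: implicit deny, an explicit Deny always wins, and "NotAction" is how "everything except IAM" is expressed.

```python
import fnmatch
import json

# Constructed, simplified versions of the managed-policy templates the
# tutorial lists. The real AWS policies are longer; only the shape that
# matters for the comparison is kept.
ADMINISTRATOR_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
""")

# Power user: everything EXCEPT identity/account management (NotAction).
POWER_USER_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "NotAction": ["iam:*", "organizations:*", "account:*"],
                "Resource": "*"}]}
""")

# Read only: a few representative read actions stand in for the real list.
READ_ONLY_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:Get*", "s3:List*", "ec2:Describe*",
                           "iam:Get*", "iam:List*"],
                "Resource": "*"}]}
""")

# Granular access: one constructed bucket only, with an explicit Deny on
# deletes that overrides the Allow above it.
S3_BUCKET_ACCESS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": "arn:aws:s3:::example-app-bucket/*"},
               {"Effect": "Deny",
                "Action": "s3:DeleteObject",
                "Resource": "*"}]}
""")


def _as_list(value):
    """The policy grammar allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """IAM wildcards (* and ?) behave like shell globs, matched case-insensitively."""
    return any(fnmatch.fnmatchcase(candidate.lower(), p.lower())
               for p in _as_list(patterns))


def _statement_applies(stmt, action, resource):
    """True if the statement covers this (action, resource) pair."""
    if "Action" in stmt:
        action_hit = _matches(stmt["Action"], action)
    elif "NotAction" in stmt:
        action_hit = not _matches(stmt["NotAction"], action)
    else:
        return False
    return action_hit and _matches(stmt.get("Resource"), resource)


def is_allowed(policies, action, resource="*"):
    """Simplified identity-policy evaluation: implicit deny by default, an
    explicit Deny beats any Allow. Conditions, resource-based policies and
    permission boundaries are intentionally left out of this model."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


if __name__ == "__main__":
    templates = {"Administrator": [ADMINISTRATOR_ACCESS],
                 "PowerUser": [POWER_USER_ACCESS],
                 "ReadOnly": [READ_ONLY_ACCESS]}
    for action in ("s3:GetObject", "s3:PutObject", "iam:CreateUser"):
        row = {name: is_allowed(p, action) for name, p in templates.items()}
        print(f"{action:16} {row}")
```

Running the block prints a small matrix: the administrator template allows all three actions, the power user template allows the S3 calls but not `iam:CreateUser`, and the read-only template allows only `s3:GetObject`. Attaching the granular S3 policy alongside the administrator template still refuses `s3:DeleteObject`, which is the point of an explicit Deny.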
Configure IAM for your account :
Step 1 : Log in to your AWS account; the page looks like the screenshot below.
Step 2 : Click on IAM under Security, Identity & Compliance. The window that opens is the IAM Dashboard, shown below.
In the above screenshot we can see the IAM user sign-in link, which is a little difficult to remember, so we are going to customize it.
Step 3 : Now we are going to activate multi-factor authentication on the root account to make it more secure.
Step 4 : Now we are going to create a new IAM user, which will be used to sign in to the AWS console.
We can create a group here as well, but we are going to create it from the dashboard, so simply click Next: Review.
Now click on Create User.
Here we can see that our user is now created. Next we have to download the credentials file, because it will be very useful and it cannot be retrieved later if we skip this page.
Now go to the dashboard to apply the other IAM-related settings to the user.
Step 5 : Now we will create a group to assign the permissions.
Click on Manage Groups to create a new group.
After clicking on Create New Group, it will prompt for the group name. I am naming it Developer; you can choose whatever name you want, then click Next.
After clicking Next, it will ask for the policy to grant to the user we created earlier. In my scenario I am selecting Power User Access.
Finally we get the review page summarising the configuration made on the previous pages.
Now on the Groups page we can see the group we have created.
Step 6 : Now add the user to the group we have just created.
Click on Add Users to Group.
Select the user we created and associate it with the Developer group.
Step 7 : Go to the Dashboard.
Step 8 : We will set the IAM password policy.
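The password policy page offers settings such as minimum length, required character classes, reuse prevention and maximum age. The following added example (not code from the original tutorial or from AWS) models those settings locally so the effect of each option can be checked against candidate passwords before the policy is applied to an account. The option names and the symbol set are the ones the IAM password policy page uses; the candidate passwords and history are constructed, and the SHA-256 fingerprints are only for comparing against a reuse history in this model, not a substitute for a proper password store.

```python
import hashlib
import string
from dataclasses import dataclass
from datetime import date, timedelta

# Symbols IAM counts as "non-alphanumeric" for the require-symbols option.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


@dataclass
class PasswordPolicy:
    """Mirrors the options on the IAM account password policy page."""
    minimum_length: int = 14
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_numbers: bool = True
    require_symbols: bool = True
    reuse_prevention: int = 24      # remember this many old passwords (0 = off)
    max_age_days: int = 90          # 0 = passwords never expire


def fingerprint(password):
    """Fingerprint used only to compare against the reuse history in this model."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, policy, history=()):
    """Return the list of policy violations; an empty list means acceptable.
    `history` is the user's previous password fingerprints, oldest first."""
    problems = []
    if len(candidate) < policy.minimum_length:
        problems.append(f"shorter than {policy.minimum_length} characters")
    if policy.require_uppercase and not any(c in string.ascii_uppercase for c in candidate):
        problems.append("needs an uppercase letter")
    if policy.require_lowercase and not any(c in string.ascii_lowercase for c in candidate):
        problems.append("needs a lowercase letter")
    if policy.require_numbers and not any(c in string.digits for c in candidate):
        problems.append("needs a number")
    if policy.require_symbols and not any(c in IAM_SYMBOLS for c in candidate):
        problems.append("needs a symbol")
    if policy.reuse_prevention:
        recent = list(history)[-policy.reuse_prevention:]
        if fingerprint(candidate) in recent:
            problems.append(f"reused within the last {policy.reuse_prevention} passwords")
    return problems


def needs_rotation(last_changed, policy, today=None):
    """True when the password is older than the policy's maximum age."""
    if not policy.max_age_days:
        return False
    today = today or date.today()
    return today - last_changed > timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    policy = PasswordPolicy()
    history = [fingerprint("Old-Password-2023!")]           # constructed history
    for pw in ("short1!", "correct-horse-battery", "Correct-Horse-Battery-9",
               "Old-Password-2023!"):
        print(f"{pw!r}: {check_password(pw, policy, history) or 'OK'}")
    print("rotation due:", needs_rotation(date(2024, 1, 1), policy, date(2024, 6, 1)))
```

The check reports every violated option at once rather than the first one, which is the behaviour an administrator wants when deciding how strict a policy to switch on for an existing user base.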
Roles : A role is effectively like a group, but AWS resources can be added to it as well. For example, we can allow an EC2 instance to access S3 without having to store a user's credentials on the EC2 instance to give it that access.
Step 9 : To create a new role, click on Create New Role.
Here we will select Amazon EC2 and click Next Step.
The role is now created.
- IAM is effectively the management console for controlling access to AWS resources for an organisation.
- IAM consists of users, groups and roles.
- A user is an individual; groups are collections of users with one set of permissions; roles can be applied to both users and AWS services (such as Lambda, EC2, etc.).
- Enable multi-factor authentication.
- Create a single sign-on link for users within your organisation.
- Set a password policy.