IAM Service in AWS

IAM

What is IAM

IAM stands for Identity and Access Management. It is a global service in Amazon Web Services (you don't need to select a region in the console; it is not region-specific).

  1. The root account is created by default; it shouldn't be used for day-to-day work or shared.
  2. Users in AWS are people within our organization and can be grouped based on requirements.
  3. Groups should only contain users, not other groups.
  4. A user may belong to no group (not recommended), and a user can belong to multiple groups.

IAM is the service used to manage all of these entities through the console.

IAM: Permissions

  • Users or groups can be assigned JSON documents called policies.
  • These policies define the permissions of the users.
  • In AWS you apply the least privilege principle: don't give a user more permissions than that user needs.
  • Users directly inherit all the permissions granted to the groups they belong to.

IAM: Policies

  • All the users in a group will inherit all the permissions of the same group.
  • We can also attach an inline policy to define permissions for a user who doesn't belong to any group.
  • If a user belongs to multiple groups, they gain the permissions of all of those groups.
  • We can also create our own policies with a particular set of access and resources.

IAM: Policy Structure

A policy document consists of:

![./IAM_Policy_Structure.png]

  1. Version: the policy language version; always include "2012-10-17".
  2. Id: an identifier for the policy (optional).
  3. Statement: one or more individual statements (required), each consisting of:
    • Sid: an identifier for the statement (optional).
    • Effect: whether the statement allows or denies access to certain APIs (Allow or Deny).
    • Principal: the account, user, or role to which this policy applies.
    • Action: the list of actions this policy allows or denies.
    • Resource: the list of resources to which the actions apply.
    • Condition: the conditions under which this policy is in effect (optional).
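As an added example (not part of these notes), here is a small Python checker that parses a constructed policy document built from the elements above and flags Allow statements that grant every action or every resource, which is the least-privilege concern noted earlier. The policy contents, the bucket name and the function names are assumptions.

```python
import json

# Constructed sample: a least-privilege identity-based policy, such as one
# attached to a group of report readers (the bucket name is made up).
READ_REPORTS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "read-reports-example",
    "Statement": [
        {"Sid": "ListReportBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-reports-bucket",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    ],
})

# Constructed sample: an over-broad policy that violates least privilege.
ADMIN_STAR_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

def _as_list(value):
    # Action and Resource accept either a single string or a list.
    return value if isinstance(value, list) else [value]

def check_policy(document):
    # Returns a list of findings (empty means the policy passes): checks the
    # elements listed above and flags Allow on every action or every resource.
    # Assumes the Action/Resource forms, not NotAction/NotResource.
    findings = []
    policy = json.loads(document)
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = _as_list(policy.get("Statement", []))
    if not statements:
        findings.append("Statement is required")
    for index, stmt in enumerate(statements):
        label = stmt.get("Sid", f"statement[{index}]")
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in stmt or "Resource" not in stmt:
            findings.append(f"{label}: Action and Resource are required")
            continue
        if effect == "Allow" and "*" in _as_list(stmt["Action"]):
            findings.append(f"{label}: Allow on every action breaks least privilege")
        if effect == "Allow" and "*" in _as_list(stmt["Resource"]):
            findings.append(f"{label}: Allow on every resource breaks least privilege")
    return findings
```

Principal is left out of the sample because identity-based policies attached to users or groups do not carry one; it appears in resource-based policies.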