What is IAM in AWS?

AWS Cloud is known to provide a safe virtual environment to its users. AWS Cloud’s
services are rendered at minimal prices. AWS IAM is one of the most popular security
services provided by AWS. AWS Identity and Access Management (IAM) lets users
securely access AWS and at the same time, lets them create users and groups to
control who accesses their resources.

IAM allows users to authenticate users or grant them access permissions. Users can
also limit or withdraw access from users or groups.

Need of AWS IAM

In usual corporate scenarios, granting access and taking permissions is a long process.
It is usually the IT admins who have all the passwords and in order to make any
changes, you have to ask them. In most cases, all the passwords are also the same.
The role AWS IAM is to change this and adds layers of security. It also provides a
secure platform to share resources. AWS IAM users are authenticated and granted
permissions as and when required, and you can control who has access to your
resources and to what extent.

How Does AWS IAM Work?

The IAM workflow contains the following elements:

● Principal: Something that performs actions on an AWS resource is called principal.

This could be a user, an application, or a role.
● Authentication: Every principal that is trying to get access, needs to be
authenticated. A principal has to provide credentials or keys to confirm their identity.
● Request: A principal is required to send AWS a request, providing details of the
resource they plan to use and the action that has to be performed.
● Authorization: IAM only allows a request if it is allowed by a policy. After the
request has gone through the process of authentication and authorization, it is
approved.
● Action: An action determines if a resource has to be viewed, edited, created, or
deleted.
● Resources: Actions are performed on the resources stored in your AWS account.

Components of AWS IAM

The following are some basic components of IAM in AWS:

● Users
● Groups
● Policies
● Roles

Let us discuss the components of IAM in AWS in detail.

Users
IAM users in AWS are identified with credentials and permissions that are attached to
them. A person or an application can be a user. You can create an IAM user name for
each employee in your company. You can grant them access and permissions
accordingly. Each user can access only one account. All new users have no
authorization to do any action in AWS, by default. You can assign permissions to each
of the users individually according to the requirements.

Groups
IAM groups consist of a bunch of IAM users. You can use IAM groups to put users, who
require similar permissions, under the same group. This way you can grant permission
to one group and it will automatically apply to each user within that group. If you add
another user to the group, the same permissions and policies will apply to that user as
well. This lessens the workload on administrators.

Policies
IAM policies in AWS provide permissions and manage access to all AWS resources.
IAM policies are stored as JSON documents in AWS. This document contains
information on who can access the resource, what actions they can perform, which
AWS resources can be accessed by the user, and when they can be accessed. There
are two types of policies:
● Managed Policy: A managed policy is the default policy in AWS. You can attach
this policy to various entities in your AWS account. These can be managed by AWS
or the customers.
● Inline Policy: An inline policy is created by the customer(s) and embedded into one
single entity.

Roles
IAM roles define which actions can be denied or allowed by any entity in AWS. This is
done as a set of permissions. It can be accessed by any entity in AWS. Temporary
credentials are given out as role permissions. AWS IAM role needs to be handled by
code in AWS STS.

AWS IAM Features

Let us now go through the following list of the main features of IAM:

● Granular Permissions: There are restrictions that can be applied to requests using
policies. For example, you can allow a user to view a piece of information but
withhold edit access.
● Shared Access: You can create different user names and passwords for different
users. This helps you delegate access to resources.
● Identity Federation: Users can be authenticated by using other accounts such as
Facebook or Google. IAM can trust that authentication and allows access to users
based on those accounts. Users can also use this to maintain the same password
on site and on cloud.
● Multifactor authentication (MFA): MFA is allowed on IAM. Users can provide their
credentials and a one-time password from their phones for authentication.
● Free Security: IAM security is completely free to use. Users do not get charged for
adding any users, groups, or policies.
● PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) sets a
standard for security for credit card handling organizations. IAM also complies with
it.
● Password Policy: IAM has a password policy that lets you reset or rotate a
password. You can make rules on how a user should pick their password or how
many tries they get to enter a correct password.
How to Create an IAM User on AWS?
In the field of AWS Identity and Access Management (IAM), an IAM user stands as a
unique identity created within your AWS account. This identity serves as a
representation of either a human user or an application that interacts with AWS
resources.

You can create an IAM user in the AWS Management Console by using the following
steps:

● You can sign in to the AWS Management Console and then open the IAM console.
● Click on Users in the navigation pane, and then click on Add Users.
● Type in the chosen username for the new user.
● If you want to add more users, you can click on Add another user for each user
you want to add. AWS lets you create 10 users at a time.
● Now you have to select the type of access these users will have. You have three
options, programmatic access, AWS Management Console Access, or both.
o You can select Programmatic access if the user needs access to API,
CLI, or PowerShell. Each new user will get an access key. These can be
viewed on the last page.
o You can select AWS Management Console Access if the user needs
access to the AWS Management Console. Each new user will have a
new password.
● After you are done selecting access, click on Next: Permissions.
● The Set Permissions page will open. Here, you can select how you want to grant
permission to the user(s).
o Select Add user to the group if you want to assign the same set of
permissions to the user(s) as an existing group. You can also create a
new group for the user(s) by clicking on Create group.
o Select Copy permissions from the existing user if you want to copy
all permissions from an existing user to the new user(s).
 o Select Attach existing policies directly if you want to choose from an
already set list of policies in your account. You can also select Create
policy to create a new policy to go with the user.
● Click on Next: Tags.
● You can attach tags to the user(s) if you want.
● Click on Next: Review. If you are fine with all the information that you have
entered, select Create user.
● Here, you can click Show next to each password and access key to view the
access keys assigned to each user. You can also click Download .csv to download
the access keys.
● You can also send emails to all the new users with their credentials.