AWS Identity and Access Management (IAM) allows you to securely control access to AWS resources. IAM controls who can be authenticated and authorized to use resources by managing users, groups, roles, and their permissions. IAM supports single-factor, multi-factor, and two-factor authentication to verify identities. Authorization occurs after authentication and provides permissions to access resources. IAM helps create and manage users, groups, roles, and their permissions to govern access to AWS services.
2. What is IAM
● AWS Identity and Access Management (IAM)
● This is a web service that helps you securely control access to AWS resources.
● You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
3. Authentication
Authentication is about validating your credentials, such as a user name/user ID and password, to verify your identity.
Single-Factor Authentication – relies on a simple password to grant a user access to a particular system such as a website or a network.
Two-Factor Authentication – a two-step verification process that requires not only a username and password but also something only the user knows, such as an ATM PIN, to provide an additional level of security.
Multi-Factor Authentication – the most advanced method of authentication; it uses two or more levels of security from independent categories of authentication to grant a user access to the system.
4. Authorization
Authorization, on the other hand, occurs after your identity has been successfully authenticated by the system; it then grants you permission to access resources such as information, files, databases, funds, locations, almost anything.
5. What is IAM?
Create and Manage
● Users
● Groups
● Roles
● Permissions
IAM users are global to the AWS account; they are not bound to one region.
6. Users
● A user is a unique identity recognized by AWS services and applications.
● Similar to a login user in an operating system like Windows or UNIX, a user has a unique name
and can identify itself using familiar security credentials such as a password or access key.
● A user can be an individual, system, or application requiring access to AWS services. IAM
supports users (referred to as "IAM users") managed in AWS's identity management system,
and it also enables you to grant access to AWS resources for users managed outside of AWS in
your corporate directory (referred to as "federated users").
● A user can place requests to web services such as Amazon S3 and Amazon EC2. A user's
ability to access web service APIs is under the control and responsibility of the AWS account
under which it is defined.
7. Groups
A group is a collection of IAM users. Manage group membership as a simple list:
● Add users to or remove them from a group.
● A user can belong to multiple groups.
● Groups cannot belong to other groups.
● Groups can be granted permissions using access control policies. This makes it easier to manage
permissions for a collection of users, rather than having to manage permissions for each individual
user.
● Groups do not have security credentials, and cannot access web services directly; they exist solely
to make it easier to manage user permissions.
8. Roles
● Roles are used to grant specific permissions to specific actors for a set duration of time. These actors can be authenticated by AWS or by some trusted external system.
AWS supports three role types for different scenarios:
● AWS service roles (for example: EC2, Lambda, Redshift, ...)
● Cross-Account Access: granting permissions to users from other AWS accounts, whether you control those accounts or not.
● Identity Provider Access: granting permissions to users authenticated by a trusted external system. AWS supports two kinds of identity federation:
  - Web identity such as Facebook or Google; IAM supports integration via OpenID Connect
  - SAML 2.0 identity such as Active Directory or LDAP
11. Users vs Roles
Users and roles both use policies for authorization. Keep in mind that a user or role can't do anything until you allow certain actions with a policy.

                                                                    User   Role
Can have a password?                                                Yes    No
Can have an access key?                                             Yes    No
Can belong to a group?                                              Yes    No
Can be associated with AWS resources (for example EC2 instances)?   No     Yes
12. Permissions
Access control policies are attached to users, groups, and roles to assign permissions to AWS resources.
By default, IAM users, groups, and roles have no permissions; a principal with sufficient permissions must attach a policy that grants the desired permissions.
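The slides on groups and permissions describe three rules: a principal starts with no permissions, a user's effective permissions are the union of its own policies and those of every group it belongs to, and an explicit Deny overrides any Allow. The following is an added example, not code from the slides or from AWS: a deliberately small Python model of that evaluation order, with constructed sample users (alice, bob), a constructed group (developers) and constructed policy documents. It models only Action/Resource matching and the Bool and StringEquals condition operators; NotAction, resource-based policies, permission boundaries and the other operators are out of scope.

```python
"""Simplified model of IAM identity-based policy evaluation (constructed example).
Order: explicit Deny wins; otherwise a matching Allow is needed; otherwise implicit deny.
Not AWS's engine: NotAction/NotResource, resource policies and most operators are omitted."""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and use * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; a bare "*" matches every resource.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Bool and StringEquals only. A key missing from the request context fails the
    condition, which is how aws:MultiFactorAuthPresent behaves when no MFA was used."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'allow' or 'deny' for one request against a list of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if "Action" not in stmt:  # NotAction statements are not modelled
                continue
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit deny always wins
            allowed = True
    return "allow" if allowed else "deny"  # no matching Allow -> implicit deny


# Constructed sample data; the group, users and bucket are not a real account.
GROUP_POLICIES = {
    "developers": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ]}],
}
USER_POLICIES = {
    "alice": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ]}],
    "bob": [],  # bob has no policies and no groups: implicit deny everywhere
}
GROUP_MEMBERSHIP = {"alice": ["developers"], "bob": []}


def effective_policies(user):
    """Union of the user's own policies and those of every group it belongs to."""
    policies = list(USER_POLICIES.get(user, []))
    for group in GROUP_MEMBERSHIP.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    return policies


def is_allowed(user, action, resource, context=None):
    return evaluate(effective_policies(user), action, resource, context) == "allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/report.csv"
    print(is_allowed("alice", "s3:GetObject", obj))      # True: inherited from the group
    print(is_allowed("alice", "s3:DeleteObject", obj))   # False: explicit Deny in the group
    print(is_allowed("alice", "iam:CreateUser", "*"))    # False: MFA condition not met
    print(is_allowed("bob", "s3:GetObject", obj))        # False: no policy at all
```

Note how the group's Deny on s3:DeleteObject still wins even though the same group allows s3:* on the bucket, and how alice's iam:* grant is inert until the request context carries aws:MultiFactorAuthPresent=true.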
14. Best Practices
● Users – Create individual users.
● Groups – Manage permissions with groups.
● Permissions – Grant least privilege.
● Auditing – Turn on AWS CloudTrail.
● Password – Configure a strong password policy.
● MFA – Enable MFA for privileged users.
● Roles – Use IAM roles for Amazon EC2 instances.
● Sharing – Use IAM roles to share access.
● Rotate – Rotate security credentials regularly.
● Conditions – Restrict privileged access further with conditions.
● Root – Reduce or remove use of root.
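Three of the best practices above (grant least privilege, enable MFA for privileged users, restrict privileged access further with conditions) can be checked mechanically on a policy document before it is attached. The block below is an added example, not code from the slides or an AWS tool: a small Python linter that flags Allow statements using "*" or "service:*" actions, a "*" resource, NotAction/NotResource, or privileged actions without an aws:MultiFactorAuthPresent condition. The list of "privileged" service prefixes is a constructed heuristic, and the sample policies (including the account id 123456789012) are constructed for the demonstration.

```python
"""Static least-privilege check for IAM policy documents (constructed example,
not an AWS tool). Each finding is a (statement index, finding code) tuple."""

# Heuristic, assumed for this example: actions on these services change identities
# or trust, so an Allow on them should at least require MFA.
PRIVILEGED_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _mfa_required(stmt):
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return str(flag).lower() == "true"


def lint_policy(policy):
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((index, "negated-matcher"))  # Allow + NotAction grants everything else
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        full_admin = "*" in actions
        if full_admin:
            findings.append((index, "admin-wildcard"))
        elif any(a.endswith(":*") for a in actions):
            findings.append((index, "service-wildcard"))
        if "*" in resources and not full_admin:  # already reported as admin-wildcard
            findings.append((index, "resource-wildcard"))
        privileged = full_admin or any(a.startswith(PRIVILEGED_PREFIXES) for a in actions)
        if privileged and not _mfa_required(stmt):
            findings.append((index, "privileged-without-mfa"))
    return findings


# Constructed sample policies (account id is a placeholder, not a real account).
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
]}
TIGHT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},
]}

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("tight", TIGHT_POLICY)):
        print(name, lint_policy(policy))
```

Run against the weak policy the linter reports the admin wildcard, the missing MFA condition on that statement, and the "*" resource on the read-only statement; the tight policy produces no findings. A check like this belongs in the review step before a policy is attached, alongside the CloudTrail auditing the next slide mentions.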
15. Pricing & Auditing
● IAM is a feature of your AWS account offered at no additional charge. You will be charged only for
the use of other AWS services by your users.
● You can log IAM actions, STS actions, and AWS Management Console sign-ins by activating AWS
CloudTrail.
Source: Difference between Authentication and Authorization, http://www.differencebetween.net/technology/difference-between-authentication-and-authorization/