Amazon IAM

  • IAM (Identity and Access Management) allows you to manage users and their level of access to the AWS console. It provides multi-factor authentication and temporary access for users and services where necessary.

  • It allows you to set up and maintain a password rotation policy. Using IAM, organizations can create and manage AWS users and groups and use permissions to allow or deny their access to AWS resources.

Root User

(Note: When you first create an AWS account, you begin with only a single sign-in principal that has complete access to all AWS Cloud services and resources in the account. This principal is called the root user)

  • The root user is similar in concept to the UNIX root or Windows Administrator account—it has full privileges to do anything in the account, including closing the account. The root user can be used for both console and programmatic access to AWS resources.

IAM Users

  • An IAM user is similar to a normal user in Linux; this user can interact with the console and use the CLI.

Creating IAM USERS

  1. Go to IAM -> Users -> Create users -> (name of the user) -> access type (AWS Management Console access) -> set password.

(Note: if you want to log in, get the sign-in URL from the dashboard, paste it into the browser, and enter the username and password)

(It is possible to customize the URL in the dashboard.) (The user page shows: Delete User, Change user password, New Access key)

  • ARN (Amazon Resource Name) is a unique name used to identify a user or group. It is the combination of the AWS account ID and the user or group name.

  • Maximum of 5000 users per AWS account.

GROUPS

  • A group is a collection of users having similar responsibilities.

  • You can use groups to propagate permissions to users. Maximum of 100 groups per AWS account.

  • An IAM user can be a member of up to 10 groups.

Creating group

Go to Groups -> Create group -> done

ROLE

  • An IAM role is similar to a user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

  • Instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Three types of roles

  1. Amazon service roles—Granting permissions to applications running on an Amazon EC2 instance.

  2. Cross-Account Access—Granting permissions to users from other AWS accounts, whether you control those accounts or not.

  3. Identity provider access—Granting permissions to users authenticated by a trusted external system.

Each role can have up to 10 policies attached. Maximum of 500 roles per AWS account.

Policy

A policy is a document that fully defines a set of permissions to access and manipulate AWS resources. Policy documents contain one or more permissions, with each permission defining:

  1. Effect—A single word: Allow or Deny

  2. Service—The service to which this permission applies. Most AWS Cloud services support granting access through IAM, including IAM itself.

  3. Resource—The resource value specifies the specific AWS infrastructure for which this permission applies. This is specified as an Amazon Resource Name (ARN).

Identity Provider

  1. Identity providers are used to define trusted external identity sources.

  2. With an identity provider (IdP), you can manage your user identities outside of AWS and give these external user identities permissions to use AWS resources in your account. This is useful if your organization already has its own identity system, such as a corporate user directory. It is also useful if you are creating a mobile app or web application that requires access to AWS resources.
