IAM Identities in AWS
In AWS Identity and Access Management (IAM), identities refer to the entities that you create and manage to control access to your AWS resources. These identities are used to authenticate and authorize actions within your AWS environment. There are three main types of IAM identities: Users, Groups, and Roles.
1. IAM Users
An IAM user is an identity that represents an individual person or service that interacts with AWS. Each user is assigned a unique username and credentials to log in to the AWS environment.
Key Points:
- Authentication Credentials:
  - An IAM user can have a password for logging in to the AWS Management Console.
  - It can also have access keys (Access Key ID and Secret Access Key) for programmatic access using the AWS CLI, SDKs, or APIs.
- Permissions:
  - An IAM user doesn’t have any permissions by default. Permissions are granted through policies attached to the user (or to a group the user belongs to).
- User Types:
  - Human users: Individual employees or administrators.
  - Programmatic users: Services or applications that need access to AWS resources.
Example:
A developer in your organization can have an IAM user account with permissions to work on specific AWS services like EC2 and S3.
2. IAM Groups
An IAM group is a collection of IAM users. Permissions can be assigned to a group, which then apply to all users within the group. Groups simplify the management of permissions for multiple users by allowing you to attach policies to the group instead of to individual users.
Key Points:
- No Sign-In Capability: Groups themselves do not have login credentials.
- Permission Inheritance: All users within a group inherit the permissions defined by the group’s policies.
- Efficient Management: By using groups, you can efficiently manage permissions for large teams or departments.
Example:
You can create a “Developers” group with access to EC2 and S3 services. When new developers join the organization, simply adding them to the “Developers” group will grant them the same permissions.
3. IAM Roles
An IAM role is an identity similar to a user, but it is not associated with a specific person. Instead, roles are meant to be assumed temporarily by trusted entities such as IAM users, applications, or AWS services. Roles are useful for granting temporary access to AWS resources without using long-term credentials.
Key Points:
- No Long-Term Credentials: Unlike users, roles do not have static credentials. Instead, temporary security credentials are issued when the role is assumed.
- Assumed by Entities: Roles can be assumed by:
  - IAM users or AWS services (e.g., EC2 instances or Lambda functions).
  - Federated users from external identity providers via SAML.
  - Principals in other AWS accounts (cross-account access).
- Use Cases:
- EC2 Role: Assigning a role to an EC2 instance so it can access an S3 bucket without requiring access keys.
- Federation: Granting temporary AWS access to users from an external organization.
Example:
A Lambda function can assume an IAM role that grants it permission to access an S3 bucket, without requiring access keys embedded in the function’s code.
IAM Identity Use Cases
| IAM Identity | Use Case |
|---|---|
| User | An employee who needs access to AWS services. |
| Group | Assigning permissions to a team (e.g., Developers). |
| Role | Granting an EC2 instance permission to access S3. |
Best Practices for Managing IAM Identities
- Follow the Principle of Least Privilege: Only grant the minimum permissions required for a user, group, or role to perform their tasks.
- Use Groups for Efficient Permission Management: Instead of assigning policies to individual users, assign them to groups.
- Use IAM Roles for AWS Services: Always use roles for applications or services (e.g., EC2, Lambda) that need to access AWS resources, instead of embedding access keys in the code.
- Rotate Credentials Regularly: For IAM users who have access keys, rotate those keys on a regular schedule so that a leaked key has a limited useful lifetime.
- Enable MFA (Multi-Factor Authentication): Protect IAM user accounts with multi-factor authentication, especially for privileged users.
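To make the role and least-privilege points concrete, here is an added example (not from the original article or from AWS) that builds the two policy documents a service role needs, a trust policy naming the Lambda or EC2 service as the only principal allowed to assume it, and a permissions policy scoped to a single bucket, and then checks any policy for the obvious over-broad grants (wildcard actions or resources). The bucket name and the overly broad comparison policy are constructed placeholders.

```python
import json

# Constructed sample bucket name; replace with your own.
BUCKET = "example-app-data"


def service_trust_policy(service: str) -> dict:
    """Trust policy: only the named AWS service (e.g. lambda.amazonaws.com,
    ec2.amazonaws.com) may call sts:AssumeRole on this role. No user or
    access key is involved; the service receives temporary credentials."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }


def s3_read_policy(bucket: str) -> dict:
    """Permissions policy: read objects from one bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def least_privilege_findings(policy: dict) -> list:
    """Flag Allow statements whose Action or Resource is a wildcard.
    This catches only the crudest violations; it is not a full analysis."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        findings += [f"statement {i}: wildcard action {a}"
                     for a in actions if a == "*" or a.endswith(":*")]
        findings += [f"statement {i}: wildcard resource"
                     for r in resources if r == "*"]
    return findings


# Constructed "before" policy: the kind of grant least privilege rules out.
OVERLY_BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(service_trust_policy("lambda.amazonaws.com"), indent=2))
    print(least_privilege_findings(s3_read_policy(BUCKET)))   # []
    print(least_privilege_findings(OVERLY_BROAD_POLICY))      # two findings
```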