These notes were written while preparing for my AWS solution architect exam and are collected from different sources and AWS documentation. Primarily, they’re notes for me, but you might find them useful too.
Since the AWS is changing quickly, it’s possible that some of these notes may be out of date, so please take that into consideration if you are reading them.
Please let me know in the comments if you have any updates which you’d like me to add.
IAM (Identity and Access Management)
- IAM is a service which helps you securely control access to AWS resources.
- You use IAM to control who is signed in (authenticated) and has access to what resources for what operations (authorization)
- IAM allows you to share your AWS account and grant access to multiple users without having to share your password and access key.
- IAM securely provide credential for applications running on AWS infrastructure to access other AWS resources, such as S3, DynamoDB, EC2 instances and etc.
- IAM allows you to enable MFA (multi-factor authentication) for your users in your account for the extra security.
- Identity federation in IAM allows users who already have password elsewhere like a corporate network or with an internet provider like Gmail or Facebook to temporary access to your AWS account.
- IAM logs are visible in AWS CloudTrail to log information about those who made a request for resources in your AWS account.
- IAM is PCI DSS compliant. (Payment Card Industry Data Security Standard)
- IAM is eventually consistent. IAM achieves high availability by replicating data across multiple servers within AWS infrastructure in multiple regions. If a request to change a data is successful, the change is committed and safely stored. However, the change must be replicated across IAM which can take some times. AWS recommends that you do not include changes such as creating or updating users, groups and roles or policies within your code in a critical HA application, instead, make IAM changes in a separate initialization or setup routine that you run less frequently and wait for replication until you start any production workflows depend on them.
Key Terms in IAM:
- Resource: The user, role, group and policy objects that are stored in an IAM. For example an EC2 instance or an IAM user.
- Identity: The IAM resource objects that are used to identify and groups such as users, groups, and roles.
- Entity: The IAM resource object that AWS uses for authentication.
- Principal: A person or application that uses an entity to sign in and make a request to AWS.
- Policy: A JSON document stored in AWS to specify the permission for principal entities.
- User: IAM users are identities in the service. By default, a new user does not have any permission. You have to create a policy and attach that policy to the user to grant permission for her.
- Group: You can organize users to IAM groups and attach a policy for that group.
- Role: Federated users don’t have permanent identities in AWS account. To assign permission to federated users in AWS, you have to create an entity referred to as a role and grant permission to the role.
- Identity-based Policy: Permissions policies that you attach to an IAM identity, such as an IAM user, group, or role. Identity-based Policies control what action, on which resource, and under what conditions the identity can perform.
- AWS managed policies: Pre created by AWS
- Customer-managed policies: User will create them
- Inline policies: Customer create and are embedded directly into a single user, group, or role (not recommended by AWS)
- Resource-based Policy: Permissions policies that you attach to a resource such as S3 bucket or EC2 instance. Resource-based policies control what actions a specified principal can perform on that resource under what conditions. You can enable cross-account access by specifying an entire AWS account or IAM entities in another account as the principal.