Ref: https://learn.cantrill.io/courses/1820301/lectures/41301464 [ASSOCIATESHARED]

• Summary
• Contents:

IAM Service

• 🔧 Identity and Access Management (IAM) is a core AWS service that manages identities
  • 3 main jobs
    1. Manages identities → IAM is an IDP (Identity Provider)
    2. Authenticates identities (proves an entity is who they claim to be)
    3. Authorizes identities based on policies (allow/deny access to resources)
  • No cost (free service)
  • Public and global service, global resilience
    • data is secure across all regions
• ‼️ IAM has full control permissions, but it only controls local identities in that account!
  • IAM has no direct control on external accounts or identities
  • Every AWS account has its own IAM instance, its own DB in IAM
    • this IAM instance is separate from the IAM instances of other accounts
    • an AWS account trusts fully its instance of IAM
• IAM can do almost anything in an account
  • Exceptions: billing control and account closure (can only be done by account root user)
• IAM also handles:
  • MFA
  • Identity Federation
    • existing identities (e.g. web identities like Facebook or Google, or identities from an active directory) can be indirectly used to access resources in an AWS account

Account Root User

• The account root user is the default identity in an AWS account
  • Associated to the account's email address
  • An AWS account fully trusts its root user → full, unrestricted access to the account
    • An AWS account and its root user can be loosely thought of as the same thing
  • ❗ The root user is not an IAM identity!
• Best practice: least privileged access
  • Only grant (other) identities the necessary permissions to perform a task
• Summary Diagram

IAM Identities and IAM Policies

• IAM can create additional identities in an account, called IAM identities:
  1. IAM users: humans/applications that need long-term access to account
     • 💡 One can identify the individual entity that will login as this user
     • ‼️ Use long-term credentials (username + password and/or access keys)!
  2. IAM groups: collection of related IAM users
     • e.g. development team, finance or HR
  3. IAM roles: can be used by AWS services or for granting external access to an account
     • 💡 Used when it's uncertain how many entities will use these permissions
     • ‼️ Use short-term credentials!!
• IAM policy = object or document which can be attached to an IAM identity. It allows or denies access to AWS services/resources to the IAM identity or identities it is attached to.
  • The account trusts the permissions of that identity the same way it trusts IAM
• IAM Identities and Policies Diagram