Hello and welcome back to our ongoing #100DaysOfAWS series! While this blog may be a revisiting of an older post, it lays a crucial foundation that is essential for the journey ahead. Today, we're going to delve into the world of AWS Identity and Access Management (IAM) components. Understanding IAM is like holding the keys to the kingdom, as it empowers you to control and secure access to AWS resources. Before we venture deeper into the AWS universe, let's ensure we've unlocked the potential of IAM to harness the true power of Amazon Web Services.

In the last post, we discussed What IAM is and what are it's different features. In this post, we will discuss about other identities like Users, Groups, Roles and Permissions.

1. Users

An IAM user is a person that needs to interact with your AWS resources or services either from the AWS Console or with the AWS CLI. Each IAM user is associated with only one AWS account. By default when you create a new user, no credentials are assigned, and the user does not have any permission to access your AWS resources.

2. Groups

An IAM group is a collection of users and permissions assigned to those users. Groups provide a convenient way to manage permissions for users with similar needs by categorizing them according to their job function/role, department, or any other requirement. Then, permissions for all those users can be managed at once through the group. Any newly added user to a group will automatically inherit all the policies and the permissions already assigned to that group. This lessens the administrative burden.

3. Roles

An IAM role is a set of permissions that define what actions are allowed and denied by an entity in the AWS console. A role is not directly linked to a person or a service, rather it can be assumed by any resource that the role grants permission to. Role credentials are always temporary and rotated periodically by the AWS Session Token Service (STS). For this reason, it is recommended to use roles over directly granting user or group permissions. Roles also allows you to grant multi-account access to your AWS resources from users, services, and apps that aren’t part of your business.

4. Policy

A policy is a document with a set of rules, having one or more statements. Each policy grants a specific set of permissions and can be attached to any of the IAM identities - users, groups, and roles. Policies are always written in JSON or YAML format and each policy has a unique name.

Identity-based policies -

Identity-based policies are JSON permissions policy documents that control what actions an identity (users, groups of users, and roles) can perform, on which resources, and under what conditions. Identity-based policies can be further categorized:

• Managed policies

Standalone identity-based policies that you can attach to multiple users, groups, and roles in your

AWS account. There are two types of managed policies:

1. AWS managed policies

Managed policies that are created and managed by AWS. These policies has its own Amazon

Resource Name (ARN) that includes the policy name.

eg. arn:aws:iam::aws:policy/IAMReadOnlyAccess is an AWS managed policy.

2. Customer managed policies

Managed policies that you create and manage in your AWS account. Customer managed policies

provide more precise control over your policies than AWS managed policies.

• Inline policies

An inline policy is a policy that's embedded in an IAM identity (a user, group, or role). That is, the

policy is an inherent part of the identity. You can create a policy and embed it in an identity, either

when you create the identity or later. Inline policies maintain a strict one-to-one relationship

between a policy and an identity. They are deleted when you delete the identity.

Resource-based policies -

Resource-based policies are JSON policy documents that you attach to a resource such as an Amazon S3 bucket. These policies grant the specified principal permission to perform specific actions on that resource and defines under what conditions this applies. Resource-based policies are inline policies. There are no managed resource-based policies.

5. Permissions

Permissions enable you to perform actions on AWS resources. When a new user or group is created, it has no permissions and a policy must be attached to allow actions to be taken on AWS resources.

You can assign permissions to all AWS identities (users, groups, and roles).

With this, I'll wrap up this post here. In the next few posts we will do some hands-on on creating Users, policies, assigning permissions, etc.

I hope you will find this post informative.

Thank you for reading!

*** Explore | Share | Grow ***