IAM Introduction
AWS IAM Module
- IAM stands for identity and access management.
- It is a global service. In IAM, we are going to create our users and assign them to groups.
- We have already used IAM without knowing it: when we created an AWS account, a root account was created for us. So the root account is created by default.
- Root Account should only be used for setting up the account. You should not use the root account anymore or even share it.
- You should instead create Users from the Root Account.
- So you will create Users in IAM. Here, one user represents one person within your organization.
- The users can be grouped together as shown in the image above.
- Let’s take an example to explain the diagram above on grouping users.
Example: You have Alice, Bob, Charles, David, Edward and Fred. All these people are in your organization. Now Alice, Bob, and Charles work together. They’re all developers. So we will create a group called Developers (Blue Color) with Alice, Bob, and Charles. David and Edward are working together in Operations. So we will create another group called Operations (Orange Color). Now we have 2 groups in IAM.
Now some rules to know before we proceed further:
- Groups can only contain Users, and not other groups
- Some users don’t have to belong to a group. For example, Fred (as shown in the diagram) is alone; he does not belong to any group. (Actually this is not best practice; it is recommended that every user belongs to some group.)
- A user can belong to multiple groups. For example, suppose Charles and David work together and are part of the Audit Team (Green Color). So you can create a 3rd group with Charles and David.
- As you can see now, Charles and David are part of 2 different groups. Charles belongs to both the Developers and Audit Team groups. David belongs to both the Operations and Audit Team groups.
Why do we create users and Why do we create Groups?
- The reason to create users and groups is that we want to allow them to use our AWS accounts and to allow them to do so, we have to give them permissions.
- The permissions assigned to the Users or Groups are in the form of JSON documents.
- JSON documents are nothing but IAM Policies (as shown below as an example):
- These policies are written in plain English (not as program code).
- What these policies define is what a user is allowed to do OR what a group and all the users within that group are allowed to do.
- These policies define the permissions of our users.
- So in AWS, you don’t allow everyone to do everything. It would be catastrophic.
- The reason is that a new user could launch many services, and they will cost you a lot of money.
- So in AWS, you apply a principle called the least privilege principle. (Meaning you don’t give more permissions than a user needs)
- If a user needs access to 3 services, you create permissions for just those 3 services for that user.
For Example:
As shown in the example above, we can see:
- We have allowed the users to use the EC2 service, but only its Describe actions (meaning read-only access, which is in line with the Least Privilege Principle)
- Same applies for Elastic Load Balancing Service
- Same applies for Cloudwatch
Note: We will study services in detail in the upcoming section, including what ListMetrics or ListUsers mean. You just need to remember that access to AWS services is granted to Users or Groups using IAM policies written as JSON documents.
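As an added example (not from the notes or from AWS), here is a constructed read-only policy of the kind described above, together with a small, simplified evaluator that applies IAM's default-deny and explicit-deny-wins rules to Action patterns only, so you can check that a least-privilege policy grants Describe/List/Get actions and nothing else. Conditions, resource ARNs and NotAction are not modelled; the policy content and the function names are assumptions for this illustration.

```python
import fnmatch
import json

# Constructed example policy (assumption): read-only access of the kind the
# notes describe. Only Describe*/List*/Get* actions, no mutating actions.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "elasticloadbalancing:Describe*",
        "cloudwatch:ListMetrics",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list in the Action field.
    return [value] if isinstance(value, str) else list(value)


def _matches(pattern, action):
    # IAM action matching is case-insensitive and supports * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(policy, action):
    """Simplified evaluation: everything is denied by default, a matching
    Allow grants the action, and any matching explicit Deny overrides it."""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def granted_actions(policy, actions):
    """Return the subset of `actions` the policy grants, for a reviewer to
    confirm that only the intended read-only actions come back."""
    return sorted(a for a in actions if is_allowed(policy, a))
```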
Now we will see, hands on in AWS, how to create Users & Groups.