To understand the concept of Identity and Access Management (IAM), let's take an example. Suppose a person runs a start-up with 3-4 members and hosts the application on Amazon. Since it is a small organisation, everybody has access to the Amazon account, where they can configure resources and perform other activities. Once the team grows to a set of people in each department, the owner would not want to give everyone full access to Amazon Web Services: they are all employees, but the data still needs to be protected. In this case it is advisable to create a few AWS identities called IAM users. They are Amazon users who can perform the same activities as anyone else, with the advantage that we control the domain in which they can work, for example by granting access only to S3, only to Finance (the billing portal), and so on.
Now, if the company grows further, the challenge is in managing access. For example, suppose we have 10 users for S3, 15 users for Finance, and 20 users for EC2 and CloudWatch, and then one user managing EC2 and CloudWatch moves to the storage group and one person from Finance shifts to HR. In that case we would have to manage the access of each user individually. The better option is the IAM group: a collection of users for which a policy is defined at the group level. Once the policy is defined, it applies to all the users in the group.
The policy of each group is defined once and applied to that group. We can move a user from one group to another, and the advantage is that the policy itself stays the same. For example, if the organisation is expanding and development should have access to only certain instances, we change the permission once, as part of the group policy, rather than per user.
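As an added illustration (not code from the original article or from AWS), the following model evaluates group-level policies the way the article describes: a user's permissions come only from group membership, an explicit Deny wins over any Allow, and moving a user between groups changes their access without touching a single policy. Group names, the account id and the `i-prod-*` instance ids are constructed.

```python
"""Minimal model of IAM group-policy evaluation (illustrative, not the AWS engine)."""
from fnmatch import fnmatchcase

# Constructed group policies mirroring the departments in the article.
GROUP_POLICIES = {
    "Storage": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::*"]},
    ],
    "Finance": [
        {"Effect": "Allow", "Action": ["aws-portal:View*"], "Resource": ["*"]},
    ],
    "Compute": [
        {"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*"], "Resource": ["*"]},
        # Compute staff manage instances but may never terminate production ones
        # (constructed naming convention: production instance ids start with i-prod-).
        {"Effect": "Deny", "Action": ["ec2:TerminateInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/i-prod-*"]},
    ],
}

# Group membership is the only per-user state we keep; no per-user policies.
MEMBERSHIP = {"alice": {"Compute"}, "bob": {"Finance"}}


def _matches(patterns, value):
    """IAM-style wildcard match: '*' and '?' are the only metacharacters used here."""
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(user, action, resource):
    """Evaluate like IAM: explicit Deny wins, then Allow, otherwise implicit deny."""
    allowed = False
    for group in MEMBERSHIP.get(user, ()):
        for stmt in GROUP_POLICIES[group]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False      # any matching Deny overrides every Allow
                allowed = True
    return allowed


def move_user(user, old_group, new_group):
    """Reassign a user (e.g. Compute -> Storage) without editing any policy."""
    MEMBERSHIP.setdefault(user, set()).discard(old_group)
    MEMBERSHIP[user].add(new_group)
```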
Suppose the team grows to 4,000 people with various tasks and departments. It becomes difficult to manage the users individually. The best solution is that Amazon supports single sign-on with directory services: AWS provides a service supported by SAML-based authentication. When somebody from the organisation logs in to an organisation machine, AWS does not ask for any further credential; the user is taken to the AWS portal, which shows only the services that particular user is allowed to use. The biggest advantage is that there is no need to create multiple IAM users; instead we implement a simple sign-on with the directory service. So when the user logs in to the corporate directory, he or she is assigned certain privileges that allow access to Amazon. All these are possible only through Amazon IAM.
Suppose we create a mobile application like Instagram. The application takes data from the users, and whenever a picture is uploaded it is stored in an Amazon S3 bucket. Now, whenever we want to upload anything to an S3 bucket, we must provide access credentials, so the application would need to store those access credentials inside it, which is insecure. The solution is IAM's web identity federation, which supports authentication provided by Google, Amazon and Facebook. Amazon authorises the user based on these logins and then assigns temporary credentials that can be used to upload items to S3. It is important to know that this applies only to Amazon resources.
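As an added illustration (not code from the original article and not the AWS STS API), the following model shows the exchange just described: the app presents a Google ID token, the role's trust policy accepts it only if it was issued to this app's client id and has not expired, and the temporary credentials it returns are scoped by a policy variable so each user can write only under their own prefix in the bucket. The bucket name, client id and token claims are constructed.

```python
"""Model of web identity federation: ID token -> temporary, scoped S3 credentials."""
import secrets
import time
from fnmatch import fnmatchcase

# Trust policy: only Google tokens issued for *this* app may assume the role.
TRUST_POLICY = {
    "Effect": "Allow",
    "Principal": {"Federated": "accounts.google.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {"accounts.google.com:aud": "photo-app-client-id"}},
}

# Permission policy: the federated user's 'sub' claim scopes the allowed keys.
ROLE_POLICY = [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::photo-app-uploads/${accounts.google.com:sub}/*"]},
]


def assume_role_with_web_identity(token_claims, now=None):
    """Check the token against the trust policy; return short-lived credentials or None."""
    now = time.time() if now is None else now
    expected_aud = TRUST_POLICY["Condition"]["StringEquals"]["accounts.google.com:aud"]
    if token_claims.get("iss") != TRUST_POLICY["Principal"]["Federated"]:
        return None                    # not issued by the trusted provider
    if token_claims.get("aud") != expected_aud:
        return None                    # token minted for some other application
    if token_claims.get("exp", 0) <= now:
        return None                    # expired token
    return {                           # constructed placeholder credentials, not real keys
        "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
        "SecretAccessKey": secrets.token_urlsafe(30),
        "SessionToken": secrets.token_urlsafe(40),
        "Expiration": now + 3600,      # temporary: one hour, then useless
        "sub": token_claims["sub"],    # identity the session is bound to
    }


def session_allows(session, action, resource, now=None):
    """Evaluate the role policy with the user's 'sub' substituted into the resource ARN."""
    now = time.time() if now is None else now
    if session["Expiration"] <= now:
        return False
    for stmt in ROLE_POLICY:
        resources = [r.replace("${accounts.google.com:sub}", session["sub"]) for r in stmt["Resource"]]
        if (stmt["Effect"] == "Allow" and any(fnmatchcase(action, a) for a in stmt["Action"])
                and any(fnmatchcase(resource, r) for r in resources)):
            return True
    return False                       # implicit deny
```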
AWS IAM enables you to securely control access to AWS services and resources for your users. IAM lets you create and manage users in AWS, and it also lets you grant access to AWS resources to users managed outside AWS, in a corporate directory. IAM supports identity federation between your corporate directory and AWS services, so existing corporate identities can be granted secure, direct access to AWS resources such as S3 buckets without creating a new AWS identity for those users.
The biggest advantage of IAM is that it is free. You are charged only for the resources your users consume, for example when they launch EC2 instances.
AWS IAM Functionality
The key feature of IAM is fine-grained control over access to AWS resources. It also works with mobile and browser-based applications, and it supports identity federation between the enterprise and AWS services.
IAM User Management
IAM provides features for managing access to the AWS service APIs and resources that the user's AWS account has access to. Every operation, such as running, starting or stopping an instance, goes through an API, so we can define access per API for finer control over resources.
Manage IAM Users – We can create different IAM users and place those users in IAM groups.
Manage Permissions – If required we can grant them permissions, and access is granted per API. A user can be given access similar to that of the root account. The account we use to register with Amazon is the root account, since it can perform any activity at the IAM level. This root account can create multiple IAM accounts and define their permissions. IAM also provides various ways for a user to access AWS services when performing different activities: for example, to launch an instance or create a bucket, the user may go to the console or use the command-line tools. For the latter, we go to Security Credentials in the Amazon account and view the access keys. The second option is X.509 certificates, which are also part of it.
When we create an IAM user, they may access Amazon resources using the console, the CLI or an SDK; Amazon provides all of these options. There is also the root account, with multiple users per group. A single IAM user can be a member of multiple groups if required. A user can be given a login password as well as access keys, and we can also define a policy for that user.
Got a question for us? Mention it in the comments section and we will get back to you.