Configuring IAM
In this chapter, we cover the core security service of AWS: AWS Identity and Access Management, referred to as IAM. IAM is a central component that surrounds all AWS services. For an enterprise, big or small, data security is the most important aspect that needs to be tightened. We will demonstrate how to create and administer IAM users, groups, roles, and policies using the AWS Management Console, the AWS CLI, the AWS SDK for Java, and CloudFormation.
In this chapter, we will cover the following topics:
- Policies
- Roles
- Groups
- Users
Identity and Access Management (IAM) is the most important service of the AWS cloud. It is used to provide access to other AWS resources. Each AWS resource has access restrictions and permissions that are governed by IAM. IAM allows us to grant granular permissions to users or AWS resources so that they can access other AWS resources. At the base, we have policies, which allow and deny actions on AWS resources. Next are roles, which can have multiple policies attached and can be associated with AWS resources so that those resources can assume the role and get access to other AWS resources. IAM also allows us to create groups, which are logical entities that bundle multiple policies and can be associated with IAM users. So, when we create an IAM user and associate it with a group, the user gets access to all the AWS resources mentioned in the group's policies. This makes it easier to provide and manage access based on groups. If a user moves from one business group to another in the same organization, the administrator only needs to change the group assignment for that user.
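The following sketch is an added example, not code from the book: a simplified offline model of how a user's access follows from the policies attached to their groups, with an explicit deny overriding any allow and everything else denied by default. All policy, group, user, and bucket names are hypothetical, and the model ignores conditions, roles, permissions boundaries, and resource-based policies.

```python
from fnmatch import fnmatchcase

# Constructed sample data: policy, group, user and bucket names are hypothetical.
POLICIES = {
    "S3ReadReports": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]}],
    "DenyFinanceFolder": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/finance/*"}],
    "EC2ReadOnly": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}
GROUPS = {"Analysts": ["S3ReadReports", "DenyFinanceFolder"],
          "Ops": ["EC2ReadOnly"]}
USER_GROUPS = {"alice": ["Analysts"]}


def _matches(patterns, value, ignore_case=False):
    """True if value matches any pattern; '*' and '?' act as wildcards."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if ignore_case:  # IAM action names are case-insensitive, ARNs are not
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(user, action, resource, user_groups=USER_GROUPS):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"  # nothing is allowed unless a policy says so
    for group in user_groups.get(user, []):
        for policy_name in GROUPS[group]:
            for stmt in POLICIES[policy_name]:
                if (_matches(stmt["Action"], action, ignore_case=True)
                        and _matches(stmt["Resource"], resource)):
                    if stmt["Effect"] == "Deny":
                        return "ExplicitDeny"  # a matching deny always wins
                    decision = "Allow"
    return decision


if __name__ == "__main__":
    report = "arn:aws:s3:::example-reports/q1.csv"
    payroll = "arn:aws:s3:::example-reports/finance/payroll.csv"
    print(evaluate("alice", "s3:GetObject", report))
    print(evaluate("alice", "s3:GetObject", payroll))
    # Moving alice to another business group is a single membership change.
    moved = {"alice": ["Ops"]}
    print(evaluate("alice", "s3:GetObject", report, moved))
    print(evaluate("alice", "ec2:DescribeInstances", "*", moved))
```
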
AWS IAM also provides access to federated users, who reside outside IAM. Federated users can assume roles to get access to AWS resources. They are given short-lived access rights to AWS resources, which makes them more secure in nature.