IAM – AWS Identity and Access Management
- Using IAM we can grant and restrict access to AWS services and set permission levels.
- IAM is global: the same credentials, roles and policies apply across all regions.
- Generally the IAM setup flow is:
- User -> Group -> Policy (the policy specifies which resources and which permissions on those resources).
- Role – grants permissions to entities we trust.
- Can be assigned to a User / Service / Application.
- These roles can be attached to instances as well.
- Policies can be attached to these roles.
- Access Types – for accessing AWS resources:
- Programmatic, using an access key and secret access key.
- AWS Console.
- Prefer IAM over access keys when providing access to others (users).
- Roles CANNOT be assigned to Users or Groups.
- Roles are specific to AWS Resources only.
- Cross-account access – we don't have to create individual credentials for each AWS account.
- STS is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users.
- Programmatic (SDK) access is authenticated with an access key.
- Integration with Active Directory involves integration between Active Directory and IAM via SAML.
- Federation maps policies to identities from other sources via temporary tokens.
- Create a new user and assign it to a group.
- Create a new policy and attach it to the above group.
- Log in as the user (both programmatic and console).
- Creating roles and assigning them to an AWS service (Lambda) is described in the blog.
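As an added example (not code from the original notes), the two policy documents the setup above relies on, built in Python: the identity policy attached to the group (which resources and which permissions) and the trust policy that lets the Lambda service assume a role, plus a small lint that flags Allow statements granting `*`. The bucket name, action list and service principal are constructed placeholders.

```python
"""Added example: build an identity policy and a role trust policy, then lint
them for overly broad Allow statements. Bucket and role names are constructed."""
import json

LAMBDA_SERVICE = "lambda.amazonaws.com"  # service principal that assumes the role


def identity_policy(bucket: str, actions: list[str]) -> dict:
    """Identity policy for a group: listed actions on one S3 bucket only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def trust_policy(service: str) -> dict:
    """Trust policy for a role: which principal may call sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service},
            "Action": "sts:AssumeRole",
        }],
    }


def broad_statements(policy: dict) -> list[str]:
    """Return findings for Allow statements whose Action or Resource is a wildcard."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            values = [values] if isinstance(values, str) else values
            for v in values:
                if v == "*" or v.endswith(":*"):  # e.g. "*" or "s3:*"
                    findings.append(f"statement {i}: {field} {v!r} is a wildcard")
    return findings


if __name__ == "__main__":
    pol = identity_policy("example-reports-bucket", ["s3:GetObject", "s3:ListBucket"])
    print(json.dumps(pol, indent=2))
    print(broad_statements(pol))                      # [] -> scoped policy passes
    print(json.dumps(trust_policy(LAMBDA_SERVICE), indent=2))
```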