What is Identity and Access Management (IAM)?

tudip-logo

Tudip

12 June 2020

What is Identity and Access Management (IAM)? 

Let’s start with the definition of IAM.

Simplified Definition: It is an AWS service where you manage who has access to your AWS account and what AWS resources they can use.

Official Definition: Enables you to securely control access to AWS services and resources for your users. Using IAM you can create and manage AWS users and groups and use permission to allow and deny their access to AWS resources.

When you go to the IAM, you can find the IAM page under service which is on the left side of the page.

As you can see below security status there are 5 main components which are very important for accessing purpose to any AWS service or resources.

  1. Activate MFA on your root account 
  2. Create individual IAM users 
  3. Use groups to assign permissions 
  4. Apply IAM password policy 
  5. Rotate your access key 

Let’s get started one by one.

  1. Activate MFA on your root account:

    Ok, so what is a root account ? When you sign up with your AWS that time you have your AWS username and password for accessing the account. The first initial account is called a root account.

    The IAM security helps us to secure our AWS account with more authentication. Let’s come to point on Activate MFA. MFA stands for Multi Factor Authentication, it provides an extra level of security for your root account and can also prevent 3rd party users from accessing your AWS account.

    MFA provides you a continually changing six digit code that you will need to input while logging to your AWS root account, without this code you will not log to your aws account.

    When you click the manage MFA you will get two options to get the MFA code. 

    1. Virtual MFA Device: Smartphone or Tablet.
      Google Authenticator app available on android and ios.
    2. Hardware Key Fob: It is a small device with display where you can get the code you can purchase from AWS site.

    Let’s talk about the Virtual MFA Device because it is most common for code using google authenticator app. After selection for Virtual MFA Device you will see barcode like this below:

    You will have to scan the barcode using the google authenticator app, after the scanning your virtual device will give you 2 sets of six digit code which you need to put in box of Authentication code 1 and Authentication code 2 respectively. After all the process you will get a finished message. Then you will need to refresh the current page to get a green check on Activate MFA. Now we have done an MFA. Let’s move to further points.

  2. Create Individual IAM user : 

    Here you can make your user account by which you can log without MFA code. We mostly use user accounts, because it is not good practice to use your root account for your day to day work.

    You just have to create a user and attach policy for Full Administration Access. You can also create and manage users and attach policy or permission which the user needs.

    Here I made four individual users and attached them with different policies.

  3. Use Group to assign permission

    In this resource you can create or manage a group and allow or deny permissions which they want to use. If you have a project which needs a group to work on then simply you have to create the user and then you need to add a user to that group which you have created. You will have full control over the group, you can attach the permission which will apply to all the members of the group. This can simplify your work.

    Here I made a group PROJECT where I have added users and attached policy to the group.

  4. Apply an IAM password policy : 

    Here you can set your password policy or set of rules to make a secure strong password.

  5. Rotate your access key : 

    In this resource you can create or change your existing access key whenever you want, by following the rule which you have set in password policy. If you have set a policy like “password expires in 90 days”, by using this resource you can change your password. Any time you can make or INACTIVE your password.

NOTE: If you have any confusion about any of AWS services or resources you can go to the AWS documentation under support tab in AWS console. Where you can find all the aws documents which help your aws journey.

For more details you can refer this link below: https://docs.aws.amazon.com/index.html

Request a quote