
AWS IAM basics

What is AWS IAM?

AWS Identity and Access Management (IAM) is a flexible service that helps securely control access to AWS resources.

Key benefits

  • Fine-grained permissions: Control who can do what at a granular level.
  • Centralized management: Manage access from a single source.
  • Identity federation: Integrate external identities (e.g., from Google Workspace or Azure AD).
  • Free to use: IAM is included with AWS at no additional charge.

Key Concepts

  • IAM Users: Represent a single person or service with access credentials (username/password, access keys).
  • IAM Groups: Logical groupings of users that simplify permissions management (e.g., a Developers group or a DevOps group).
  • IAM Roles: Identities with temporary credentials that services or users assume to complete a specific task, instead of holding long-term keys.
  • Policies: JSON documents defining permissions (allow/deny actions on resources).
  • AWS Access Keys: Credentials used for programmatic access to AWS resources.

Two more components are important to know:

  • Root User: The account owner with unrestricted access (should be secured and rarely used).
  • MFA (Multi-Factor Authentication): Adds extra security by requiring a second verification factor at sign-in.

IAM Hands-on

To complete this hands-on section you need the AWS CLI installed and configured.

Create a User

First, let's create a new IAM user that we will give access to AWS resources.

aws iam create-user --user-name Samy

Attach a Policy to a User

A newly created user has no permissions to access resources. We grant permissions by attaching a predefined policy to the user. In our example, we grant read-only access to S3.

aws iam attach-user-policy --user-name Samy \
--policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Note that every resource in AWS is identified by a unique ARN (Amazon Resource Name). For the S3 read-only managed policy, it is arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess.

Create a Group

When permissions are managed per user, it quickly becomes hard to track which user has which permission. The recommended approach is to use groups: attach permissions to a group and then add users to that group. Revoking a permission is then as easy as removing the user from the group.

Let’s create a group to manage permissions for developers.

aws iam create-group --group-name DeveloperGroup

Add User to Group

Adding an existing user to a group lets the user inherit the group's permissions. In our example, let's add Samy to the DeveloperGroup group.

aws iam add-user-to-group --user-name Samy --group-name DeveloperGroup

Delete a user

To remove a user, run the command below. Note that the deletion fails with a conflict error while the user still has attached policies, group memberships, access keys or MFA devices, so those must be detached or removed first.

aws iam delete-user --user-name Samy

Working with roles

IAM roles grant temporary permissions to entities (AWS services, users, or external identities) without access keys or other long-term credentials. Roles are an important and powerful concept in AWS IAM.

Characteristics of IAM Roles

  1. No Permanent Credentials: Roles have no passwords or access keys; they use temporary security credentials instead.
  2. Assumable by Trusted Entities: Roles can be assumed by:
    • AWS services like EC2, Lambda, or ECS.
    • IAM users or applications from another AWS account.
    • External users via identity federation.
  3. Trust Policy: A JSON document that defines who (the trusted entity) can assume the role.
  4. Permissions Policy: Specifies the permissions granted to the role when assumed.

How Roles Work

  1. Define a Trust Relationship:

    • Specify who or what can assume the role using a trust policy.
    • Example: Allow EC2 instances to assume a role.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": { "Service": "ec2.amazonaws.com" },
        "Action": "sts:AssumeRole"
      }
    }
  2. Attach Permissions:

    • Define what actions the role can perform using a permissions policy.
    • Example: Grant S3 full access.
    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
      }
    }
  3. Assume the Role:

    • An entity assumes the role to get temporary credentials.
    • Example: An EC2 instance assumes a role to access S3.
  4. Temporary Credentials:

    • Once assumed, AWS Security Token Service (STS) generates temporary credentials valid for a short time (default: 1 hour).
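The mechanics from the hands-on section (attach a policy to a user, inherit permissions through a group, revoke by removing the user from the group, delete the user) and from the role steps above (a trust policy deciding who may assume a role), as one added Python example. This is not code from the page or from AWS: it is an offline, deliberately simplified model of IAM's evaluation logic, so it runs without an AWS account. The policy documents are constructed for the example (the S3 read-only document is a stand-in for the managed policy, not its real text), the DeveloperBaseline policy ARN and the Account class are hypothetical, and conditions, NotAction/NotResource, resource-based policies, SCPs and permission boundaries are not modelled.

```python
"""Offline model of IAM policy evaluation (added example, not AWS code).
Shows user/group policy attachment, group inheritance, revocation by leaving a
group, the delete-user precondition and trust-policy checks. Conditions,
NotAction/NotResource, resource policies, SCPs and boundaries are not modelled."""
from fnmatch import fnmatchcase

# Documents constructed for this example. The first ARN is the managed policy from
# the tutorial, but the document is a simplified stand-in, not its real text.
S3_READ_ONLY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
DEV_POLICY_ARN = "arn:aws:iam::123456789012:policy/DeveloperBaseline"  # hypothetical
POLICIES = {
    S3_READ_ONLY_ARN: {"Version": "2012-10-17", "Statement": {
        "Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}},
    DEV_POLICY_ARN: {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "logs:Describe*", "Resource": "*"},
        # An explicit Deny wins over every Allow, including the user's own policies.
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::payroll-bucket/*"}]},
}
# Trust policy from the tutorial: only the EC2 service may assume the role.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policy_docs, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for doc in policy_docs:
        for st in _as_list(doc["Statement"]):
            if _matches(st["Action"], action) and _matches(st["Resource"], resource):
                if st["Effect"] == "Deny":
                    return "Deny"  # an explicit deny ends evaluation immediately
                decision = "Allow"
    return decision

def can_assume(trust_policy, principal_type, principal_id):
    """May a principal such as ('Service', 'ec2.amazonaws.com') call sts:AssumeRole?"""
    for st in _as_list(trust_policy["Statement"]):
        if (st["Effect"] == "Allow" and _matches(st["Action"], "sts:AssumeRole")
                and _matches(st["Principal"].get(principal_type, []), principal_id)):
            return True
    return False

class Account:
    """In-memory stand-in (hypothetical) for the IAM calls used in the tutorial."""

    def __init__(self):
        self.user_policies, self.group_policies, self.memberships = {}, {}, {}

    def create_user(self, name):
        self.user_policies[name], self.memberships[name] = set(), set()

    def attach_user_policy(self, user, arn): self.user_policies[user].add(arn)
    def detach_user_policy(self, user, arn): self.user_policies[user].discard(arn)
    def create_group(self, name): self.group_policies[name] = set()
    def attach_group_policy(self, group, arn): self.group_policies[group].add(arn)
    def add_user_to_group(self, user, group): self.memberships[user].add(group)
    def remove_user_from_group(self, user, group): self.memberships[user].discard(group)

    def delete_user(self, user):
        # Like the real API, refuse while policies or group memberships remain.
        if self.user_policies[user] or self.memberships[user]:
            raise ValueError("DeleteConflict: detach policies and leave groups first")
        del self.user_policies[user], self.memberships[user]

    def is_allowed(self, user, action, resource):
        arns = set(self.user_policies[user])
        for group in self.memberships[user]:  # group policies are inherited
            arns |= self.group_policies[group]
        return evaluate([POLICIES[a] for a in arns], action, resource) == "Allow"

def demo():
    """Walk the tutorial's steps and return the access decisions observed."""
    acct = Account()
    acct.create_user("Samy")
    acct.attach_user_policy("Samy", S3_READ_ONLY_ARN)
    acct.create_group("DeveloperGroup")
    acct.attach_group_policy("DeveloperGroup", DEV_POLICY_ARN)
    acct.add_user_to_group("Samy", "DeveloperGroup")
    report = "arn:aws:s3:::example-bucket/report.csv"
    out = {
        "s3_read": acct.is_allowed("Samy", "s3:GetObject", report),
        "s3_write": acct.is_allowed("Samy", "s3:PutObject", report),  # implicit deny
        "payroll_read": acct.is_allowed("Samy", "s3:GetObject", "arn:aws:s3:::payroll-bucket/x"),
        "logs_via_group": acct.is_allowed("Samy", "logs:DescribeLogGroups", "*"),
    }
    acct.remove_user_from_group("Samy", "DeveloperGroup")  # revoke by leaving the group
    out["logs_after_removal"] = acct.is_allowed("Samy", "logs:DescribeLogGroups", "*")
    acct.detach_user_policy("Samy", S3_READ_ONLY_ARN)  # delete-user precondition
    acct.delete_user("Samy")
    out["ec2_can_assume"] = can_assume(EC2_TRUST_POLICY, "Service", "ec2.amazonaws.com")
    out["lambda_can_assume"] = can_assume(EC2_TRUST_POLICY, "Service", "lambda.amazonaws.com")
    return out
```

Running demo() shows the two points practitioners most often trip over: an explicit Deny in a group policy overrides an Allow attached directly to the user (Samy can read example-bucket but not payroll-bucket), and deleting a user is refused until its policies are detached and its group memberships removed. The trust-policy check at the end mirrors the first role step: the same document that lets EC2 assume the role says nothing about Lambda, so that request is refused.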

Common Use Cases for roles

  • AWS Service Roles: Allow EC2 or Lambda to access other AWS resources securely.
  • Cross-Account Access: Share resources securely across AWS accounts.
  • Federated Access: Provide temporary access to external users (e.g., Google Workspace users).

Conclusion

In this tutorial, we covered the essential concepts and operations of AWS Identity and Access Management (IAM) to help you get started with managing access to your AWS resources.