AWS Identity and Access Management (IAM)


IAM Overview

IAM (AWS Identity and Access Management): Service to securely control individual and group access to AWS resources.
Primary Functions: Manage users, groups, roles, access policies, user credentials, password policies, multi-factor authentication (MFA), and API keys.

Key Features

Centralized Control: Provides centralized control of your AWS account.
Shared Access: Enables shared access to your AWS account.
Secure Access: New users have no access to services by default; permissions must be explicitly granted.
Granular Permissions: Allows assigning specific permissions to users.

Components of an IAM User

Username
Password
Permissions

Security Credentials

Access Keys: For programmatic access (CLI, API).
Passwords: For console access.
MFA Devices: For enhanced security.

Authentication Methods

Console Login: Username, password, and MFA code.
AWS API: Use temporary security credentials with MFA.
AWS CLI: Obtain temporary security credentials from STS (AWS Security Token Service).

Multi-Factor Authentication (MFA)

Types of MFA Devices:
Virtual MFA devices.
Universal 2nd Factor (U2F) devices.
Hardware MFA devices.
Usage Best Practices: Enable MFA for all users, especially privileged users.
Authentication Codes: Six-digit, single-use codes generated by MFA devices.

Identity Federation

Federation Options: Integration with Active Directory, Facebook, and other identity providers, giving users secure access without creating IAM users for them.

IAM Policies

Permissions: Must be explicitly granted for users to access services.
Temporary Security Credentials: AWS access key ID, secret access key, and security token.

Best Practices

Root Account: Use only for billing. Avoid using it for other activities.
Power User Access: Allows all permissions except management of groups and users.

IAM Properties

Global Service: IAM is a global service; users, groups, roles, and policies are not scoped to a region.
Eventual Consistency: IAM data is replicated across multiple data centers, so changes are eventually consistent and can take a short time to propagate.

IAM Sign-In

URL Format:
Standard: https://My_AWS_Account_ID.signin.aws.amazon.com/console/
Alternative: https://console.aws.amazon.com/ (enter account ID or alias manually)

Integration and Compliance

Service Integration: Integrates with various AWS services.
Compliance: Supports PCI DSS compliance.

Programmatic Access

AWS SDKs: Recommended for API calls.
IAM Query API: Option for making direct calls to IAM web service.