What is AWS IAM? – Workflow, Components, & Features
Did you know that AWS IAM secures your AWS resources at no extra cost? It is a web service that controls who can access AWS resources and how. It lets you create and manage identities and grant a specific set of people and workloads the right to use those resources.
It also offers password rotation and multi-factor authentication, which make it a more reliable and secure service, and it removes the need to buy any on-premises infrastructure.
Most organizations use it for its scalability and flexibility: it streamlines permission and user management across many applications and accounts. In this blog, we will learn about IAM in AWS, its features, components, and more. So, let’s begin.
AWS IAM: An Overview
AWS IAM provides access control and security features for your AWS accounts and resources. IAM stands for Identity and Access Management. It is a free AWS service that also supports identity federation for more advanced setups. It lets you specify who can access a particular AWS service.
IAM also helps protect against identity theft and lets you set up stronger protection for your services. It can create separate user names and passwords for individuals, and groups to manage them, so you can closely monitor the access you have granted.
Why Do People Choose AWS IAM?
Various reasons make AWS IAM popular with Amazon Web Services users. The following are some of them:

| Factor | Function |
| --- | --- |
| Security | It follows the least-privilege model, granting only the minimum access required to perform a task. |
| Compliance | It provides audit trails and access logging to help meet industry standards and requirements. |
| Integration | It integrates with many AWS services, making access to multiple services and resources easy to manage. |
| Centralized Access Control | It allows groups and roles to be created and managed in one place for all permissions. |
| Granular Permission Control | It allows fine-grained permissions, ensuring that only approved people can access the services. |
Workflow of AWS IAM
Six integral elements are involved in its workflow:
Principal
A principal is any entity in AWS IAM, from a user to an application, that performs actions on AWS resources.
Authentication
Authentication establishes that the principal is who it claims to be: it presents credentials, which are verified before any access is allowed.
Request
A request is what the principal sends to AWS to initiate access: the action it wants to perform and the resource it wants to perform it on.
Authorization
During authorization, the request is checked against the applicable policies. It is authorized if a policy allows it; otherwise, access to the service is denied.
Action
Actions come into play after authorization is complete; they are the operations, such as creating, viewing, or editing, performed on resources.
Resources
Resources are the AWS objects, such as a bucket or an instance, that the authorized actions operate on.
Components of AWS IAM
The following are the components of AWS IAM.
Users
A user is the principal in practice: any entity that holds credentials to access a service or resource. Each user gets a unique AWS user name, and each user name belongs to a single AWS account, which makes assigning permissions to each user straightforward.
Groups
Groups reduce the administrative burden, since managing a group is easier than managing every user individually. Permissions attached to a group apply automatically to all of its members, so adding a user to a group gives them access to multiple resources at once.
Policies
AWS IAM policies are sets of permissions that control access to AWS resources. They specify who can have access and what actions they can perform on the resources. There are two types of policies: inline policies and managed policies. They answer the essential four W’s: who can have access, what actions they can perform, which AWS resource they can access, and when they can access it.
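As an added illustration (not code from the original article), the following Python models how the authorization step of the workflow checks a request against a policy that uses all four W's: wildcard Action and Resource matching, a Condition with a time window and an MFA requirement, and the rule that an explicit Deny overrides any Allow while the default is an implicit deny. The policy, bucket name and request context are constructed, and only two condition operators are modelled.

```python
import fnmatch
from datetime import datetime
# Constructed identity-based policy covering the four W's from the text: who = the
# identity it is attached to, what = Action, which = Resource, when = Condition.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"DateLessThan": {"aws:CurrentTime": "2025-01-01T00:00:00Z"},
                       "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/secrets/*"},
    ],
}

def _parse_time(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

OPERATORS = {  # condition operators modelled here; any other operator fails closed
    "Bool": lambda actual, expected: str(actual).lower() == expected.lower(),
    "DateLessThan": lambda actual, expected: actual < _parse_time(expected),
}

def _matches(pattern, value):
    # IAM-style wildcard match; Action and Resource may be a string or a list
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, ctx):
    for op, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            if key not in ctx or not OPERATORS.get(op, lambda a, e: False)(ctx[key], expected):
                return False  # missing context key or unmodelled operator: deny
    return True

def request_context(current_time_iso, mfa_present):
    # condition keys describing the request being evaluated
    return {"aws:CurrentTime": _parse_time(current_time_iso),
            "aws:MultiFactorAuthPresent": "true" if mfa_present else "false"}

def evaluate(policy, action, resource, ctx):
    """'Allow' or 'Deny': implicit deny by default, explicit Deny beats Allow."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)
                and _condition_holds(stmt.get("Condition"), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny ends the evaluation
            decision = "Allow"
    return decision
```

Real IAM evaluation also considers other policy types (resource-based policies, permission boundaries, service control policies) and matches action names case-insensitively; this model covers a single identity-based policy only.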
Roles
A role is a set of permissions that allows or denies the actions performed by an entity. It is similar to a user in that it can be used by any type of entity, whether a user or a service, but a role provides temporary credentials rather than long-term ones. In simple terms, if you need to give a third party access to your account, you can grant that temporary access through a role.
Features of AWS IAM
The following points explain the features of IAM in detail:
- Shared Access: Users can share access to their AWS account. Unique user names and passwords can be created to grant access to all the services, which lets them share resources when collaborating on a project.
- Multi-Factor Authentication: AWS IAM supports multi-factor authentication for access to the AWS Management Console. Logging in then requires a user name, a password, and a security code.
- Permission Restrictions: AWS IAM is also used to grant a user permissions for certain services while restricting access to others. This is common in organizations where permissions are granted based on job roles or departments.
- Temporary Access: It provides temporary access and permissions when necessary. For example, a mobile application can be granted permission for a limited time, so that the data is accessible only during that period.
- No Added Cost: AWS IAM is free to use with your AWS account. There are no additional charges for using it.
- Identity Federation: Identity federation is a system of trust between two parties for authenticating users and granting them access to resources. It allows users to log in to the AWS console with their LinkedIn, Active Directory, Facebook, etc. credentials.
- Centralized Control: Users can control all permissions and access from one place, including the creation, cancellation, and rotation of each user’s security credentials.
- Integration: AWS IAM is integrated with other AWS services such as AWS Account Management, AWS Amplify, Amazon API Gateway, etc.
Advantages & Disadvantages of AWS IAM
The table below explains the advantages and disadvantages of AWS IAM.
| Advantages | Disadvantages |
| --- | --- |
| It offers consistent, centralized management of access to all the services. | It is complex to operate and may take time to set up and get used to. |
| It provides various security features. | Users need training, as it has a steep learning curve. |
| It provides flexible features for creating customized roles. | It lacks support because of limited resources. |
| It is cost-effective in controlling user access to the services. | It may incur additional costs on a few services it offers. |
| It helps track changes by providing audit trails. | It is critical to get right: mistakes may affect the whole AWS environment. |
IAM Roles
IAM roles are sets of permissions that grant access to resources and actions. A role is not tied to a single person; anyone allowed by its trust policy can assume it. When a principal assumes a role, a set of temporary security credentials is created for that session. Because roles have no long-term security credentials, they are used to delegate access to users, services, or applications that would not otherwise have access to AWS resources.
The essential components of IAM roles are:
- Trust Policy: It specifies which trusted account members can assume the role. It is a document written in the IAM policy language, in JSON format.
- Permissions Policy: It is a JSON document that specifies which actions the role may perform on which resources once it is assumed.
The following can use IAM roles:
- AWS user from the same AWS account.
- AWS users from a different AWS account.
- An application or service offered by AWS.
- AWS accounts owned by third parties.
A role can be created using the AWS Management Console, the Tools for Windows PowerShell, the IAM API, or the AWS CLI.
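To make the trust policy and the temporary credentials concrete, here is an added Python model (not AWS code or code from the original article) of what happens when a third-party account assumes a role: the trust policy is checked first, including an external ID condition, and only then are short-lived credentials issued that expire on their own. The account IDs, role name, external ID and session cap are constructed.

```python
import fnmatch
import secrets
from datetime import datetime, timedelta, timezone

# Constructed trust policy: only one named principal in a third-party account may
# assume the role, and only if it presents the agreed external ID (the usual guard
# when delegating to a third party). Account IDs and the external ID are made up.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/PartnerAuditor"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "partner-7f3a"}},
    }],
}
MAX_SESSION_SECONDS = 3600  # constructed cap, like a role's maximum session duration

def _utc(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def trusted(trust_policy, caller_arn, external_id=None):
    """True if an Allow statement names the caller and its ExternalId condition holds."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "sts:AssumeRole":
            continue
        allowed = stmt["Principal"].get("AWS", [])
        allowed = allowed if isinstance(allowed, list) else [allowed]
        if not any(fnmatch.fnmatchcase(caller_arn, p) for p in allowed):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is None or external_id == required:
            return True
    return False

def assume_role(trust_policy, caller_arn, external_id=None, duration=900, now_iso=None):
    """Model of AssumeRole: trust check first, then short-lived credentials (or None)."""
    if not trusted(trust_policy, caller_arn, external_id):
        return None
    now = _utc(now_iso) if now_iso else datetime.now(timezone.utc)
    expires = now + timedelta(seconds=min(duration, MAX_SESSION_SECONDS))
    return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # shape only, not real
            "SecretAccessKey": secrets.token_urlsafe(30),
            "SessionToken": secrets.token_urlsafe(48),
            "Expiration": expires.isoformat()}

def credentials_valid(creds, at_iso):
    """Temporary credentials simply stop working once Expiration has passed."""
    return creds is not None and _utc(at_iso) < _utc(creds["Expiration"])
```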
Conclusion
AWS IAM is a web service that allows you to govern access to AWS services safely. You can use IAM to create and manage users, groups, and permissions for AWS services and resources. It also allows you to securely control access to AWS resources and services, assisting you in protecting your sensitive data, applications, and infrastructure.