AWS Identity and Access Management (IAM) is the most widely used AWS service. Amazon Web Services (AWS) offers a high level of data protection compared with an on-premises environment, at a lower cost. IAM enables secure control of access to AWS resources and services for customers. Customers can create and manage AWS users as well as groups, […]
What are IAM features?
IAM features include the following:
Multi-Factor Authentication
Customers can add two-factor authentication to their account and to individual IAM users for extra security.
- With MFA, customers or their users must provide not only a password or access key to work with the account, but also a code from a specially configured device.
- MFA can be enabled both for the customer's own account and for individual IAM users, so an attacker who obtains only a password or access key still cannot sign in as that identity.
- AWS Identity and Access Management (IAM) lets customers manage several types of long-term security credentials for IAM users:
  - Passwords: used to sign in to secure AWS pages, such as the AWS Management Console and the AWS Discussion Forums.
  - Access keys: used to make programmatic calls to AWS from the AWS APIs, AWS CLI, AWS SDKs, or AWS Tools for Windows PowerShell.
  - Amazon CloudFront key pairs: used by CloudFront to create signed URLs.
  - SSH public keys: used to authenticate to AWS CodeCommit repositories.
  - X.509 certificates: used to make secure SOAP-protocol requests to some AWS services.
Manage federated users and their permissions
- Customers can enable identity federation to allow existing identities (users, groups, and roles) in their enterprise to access the AWS Management Console, call AWS APIs, and access resources, without needing to create an IAM user for each identity.
- Access and federation: customers can grant other people permission to administer and use resources in their AWS account without having to share their password or access key.
- AWS offers multiple options for federating customer identities into AWS. One of them is IAM itself, which enables users to sign in to AWS with their existing credentials.
Manage IAM users
AWS customers can grant other people permission to administer and use resources in their AWS account without having to share their password or access key. They can also create users in IAM, assign them individual security credentials (such as access keys, passwords, and multi-factor authentication devices), or request temporary security credentials to give users access to AWS services and resources. Customers can manage permissions in order to control which operations a user can perform. IAM users can be:
- Privileged administrators who need console access to manage the customer's AWS resources.
- End users who need access to content in AWS.
- Systems that need privileges to programmatically access the customer's data in AWS.
Securing Application Access
AWS Identity and Access Management (IAM) helps customers control access and permissions to their AWS services and resources, including compute instances and storage buckets. They can also use IAM features to securely give applications that run on EC2 instances the credentials they need in order to access other AWS resources, such as:
- Amazon S3 buckets.
- Amazon RDS and Amazon DynamoDB databases.
The AWS Security Token Service (STS)
IAM roles allow customers to delegate access to users or services that normally don't have access to their organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. In other words, AWS customers don't have to share long-term credentials or define permissions for each entity that requires access to a resource. These temporary credentials are issued by the AWS Security Token Service (STS), a web service that enables customers to request temporary, limited-privilege credentials for IAM users or for users that they authenticate (federated users). Using STS has the following benefits:
- Customers do not have to distribute or embed long-term AWS security credentials with an application.
- Customers can provide access to their AWS resources to users without having to define an AWS identity for them.
- The temporary security credentials have a limited lifetime.
- After temporary security credentials expire, they cannot be reused.
- AWS STS is a feature of the customer's AWS account offered at no additional charge. However, customers are charged for the other AWS services they access using their IAM users or AWS STS temporary security credentials.
Granular Permissions
Granular permissions enable customers to grant different permissions to different people for different resources. Customers can give some users complete access to AWS services, while restricting other users to read-only access, to administering only certain EC2 instances, or to viewing billing information. The services for which complete access can be granted include:
- Amazon Elastic Compute Cloud (Amazon EC2).
- Amazon Simple Storage Service (Amazon S3).
- Amazon DynamoDB and Amazon Redshift.
For other users, customers can allow:
- Read-only access to just some S3 buckets,
- Permission to administer just some EC2 instances, or
- Access to customer billing information but nothing else.
IAM also enables customers to add specific conditions that control how a user can use AWS, such as:
- The time of day,
- The user's originating IP address,
- Whether the user is using SSL, or
- Whether the user has authenticated with a multi-factor authentication device.
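As an added example (not from the original article and not AWS code), the following Python toy evaluator shows how the granular permissions and request conditions described above combine under IAM's decision logic: everything is implicitly denied, a matching Allow grants access, and an explicit Deny always wins. The policy document, bucket name, ARNs, IP range and request contexts are all constructed for illustration; the operator names (Bool, IpAddress, NotIpAddress) and condition keys are the ones IAM uses, but only a small subset of IAM's real semantics is modelled.

```python
# Toy IAM-style policy evaluator (added example, not AWS code); every value is constructed.
import fnmatch
import ipaddress

# Constructed policy: full EC2 access, read-only on one S3 bucket, plus explicit denies
# requiring MFA to terminate instances, TLS on every call, and a trusted source range.
POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]}

_as_list = lambda v: v if isinstance(v, list) else [v]  # IAM accepts a string or a list
def _matches(patterns, value, fold):
    # * and ? wildcards; action names match case-insensitively, resource ARNs do not
    f = str.lower if fold else str
    return any(fnmatch.fnmatchcase(f(value), f(p)) for p in _as_list(patterns))

def _in_ranges(ip, ranges):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(r) for r in _as_list(ranges))

OPS = {"Bool": lambda actual, wanted: actual.lower() == str(wanted).lower(),
       "IpAddress": lambda actual, wanted: _in_ranges(actual, wanted),
       "NotIpAddress": lambda actual, wanted: not _in_ranges(actual, wanted)}

def _condition_holds(cond, ctx):
    # All pairs must hold, and a key missing from the context fails the test, so a Bool
    # deny on aws:MultiFactorAuthPresent skips key-less requests (hence AWS's BoolIfExists).
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            if actual is None or not OPS[op](actual, wanted):
                return False
    return True

def evaluate(policy, action, resource, ctx):
    decision = "Deny"  # implicit deny until some Allow statement matches
    for st in policy["Statement"]:
        if (_matches(st["Action"], action, True) and _matches(st["Resource"], resource, False)
                and _condition_holds(st.get("Condition", {}), ctx)):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every Allow
            decision = "Allow"
    return decision
```

The context dict carries the aws:* condition keys as strings, exactly as a request would present them; omitting aws:MultiFactorAuthPresent from a terminate request shows why a plain Bool deny is weaker than a BoolIfExists one.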