AWS Identity and Access Management
Identity and access management forms the foundation of AWS security. It's essential to securely manage identities and access to AWS services and resources, ensuring that only authorized users and systems can access your resources.
Core Principle: Least Privilege
The principle of least privilege dictates that you should only give people and systems access to what they need and nothing else. In AWS, by default, all actions are denied. You must explicitly grant permission to someone before they can perform any actions in your account.
AWS Account Root User
All AWS accounts are given an AWS account root user. The root user is the account owner and has permission to do anything inside the AWS account. You should associate a strong password with this powerful account and turn on multi-factor authentication (MFA), which requires at least two verification methods to log in. To handle daily tasks, you should create other IAM identities rather than using the root user.
IAM Identities
IAM Users​
An IAM user represents a person or application that interacts with AWS services and resources. It consists of a name and credentials. AWS recommends creating individual IAM users for each person who needs to access the AWS account, so they have their own unique set of security credentials.
IAM Groups​
An IAM group is a collection of IAM users. When you assign permissions to a group, all users in the group inherit the permissions. For example, you might assign standard access permissions to a group called employees so all your employees receive the same generic access.
IAM Roles​
An IAM role is an identity you can assume to gain temporary access to a set of permissions. Think of an employee who works as a barista in the morning and a cashier in the afternoon: each job comes with its own set of permissions, and the employee holds only one at a time. In the same way, when someone assumes an IAM role, they give up the permissions they had under any previous role and take on only the permissions of the new role.
IAM Policies​
An IAM policy is a JSON document that allows or denies permission to access AWS services and resources. IAM policies can also define the level of access to resources. For example, you can allow employees to access all the Amazon S3 buckets in your AWS account or only a specific bucket.
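The two ideas above, the default-deny model from the least-privilege section and a policy scoped to one specific bucket rather than all of S3, worked through as an added example that is not part of the original page. The bucket name and the policy are constructed, and the evaluator is a deliberately simplified model of how an identity policy is evaluated (implicit deny, explicit Deny wins over Allow, wildcard matching), not AWS's own code.

```python
import fnmatch

# Constructed example policy (not from the page): read-only access to one
# specific bucket, plus an explicit Deny on deletes. Bucket name is made up.
SPECIFIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-reports-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-reports-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

def _as_list(value):
    # A statement element may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(patterns, target, fold_case=False):
    # IAM wildcards: '*' matches any run of characters (including '/'),
    # '?' matches one. Action names are case-insensitive, ARNs are not.
    if fold_case:
        patterns, target = [p.lower() for p in _as_list(patterns)], target.lower()
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))

def is_allowed(policy, action, resource):
    """Simplified identity-policy evaluation: everything is implicitly denied,
    an explicit Deny always wins, otherwise a matching Allow grants access.
    Conditions, resource policies, SCPs and permission boundaries are not
    modelled here."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action, fold_case=True)
                and _matches(stmt["Resource"], resource)):
            continue  # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return False  # explicit deny overrides every allow
        allowed = allowed or stmt["Effect"] == "Allow"
    return allowed

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports-bucket/q1.csv"
    print(is_allowed(SPECIFIC_BUCKET_POLICY, "s3:GetObject", obj))     # True
    print(is_allowed(SPECIFIC_BUCKET_POLICY, "s3:DeleteObject", obj))  # False
```

Requests against any other bucket, or any action the policy never mentions (such as s3:PutObject), fall through to the implicit deny, which is exactly the "denied by default" behaviour described above.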
Identity Management Services
Service Name | Key Attributes | Use Cases |
---|---|---|
AWS IAM | - Fine-grained access control. - Users, groups, roles, and policies. - Multi-factor authentication support. | - Managing user access to AWS resources. - Service-to-service authentication. - Temporary credential management. |
AWS IAM Identity Center | - Centralized identity management. - Single sign-on (SSO) capabilities. - Federated identity management. | - Workforce identity management. - Multi-account access management. - Integration with external identity providers. |
AWS Secrets Manager | - Automated secrets rotation. - Secure credential storage. - Integration with AWS services. | - Database credential management. - API key storage and rotation. - Application secrets management. |
Identity Management Best Practices
- Use Individual Accounts: Create individual IAM users for each person rather than sharing credentials, ensuring accountability and easier access management.
- Enable MFA: Add an extra layer of security by requiring multi-factor authentication for sensitive operations and privileged users.
- Regular Access Reviews: Periodically review and audit user permissions to ensure they still align with business needs, and remove unnecessary access.
- Use Roles for Applications: Use IAM roles instead of long-term credentials for applications and services running on AWS.
- Monitor Access Patterns: Use AWS CloudTrail to log all API calls and monitor access patterns so that unusual activity can be detected.
Effective identity and access management ensures that your AWS resources are protected while enabling your users and applications to access what they need to be productive. The combination of proper identity management, strong authentication, and fine-grained authorization controls creates a robust security foundation for your AWS environment.