AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.

Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.

Identity and Access Management Terms

IAM Resources

The user, group, role, policy, and identity provider objects that are stored in IAM. As with other AWS services, you can add, edit, and remove resources from IAM.

IAM Identities

The IAM resource objects that are used to identify and group principals. You can attach a policy to an IAM identity. These include users, groups, and roles.

IAM Entities

The IAM resource objects that AWS uses for authentication. These include users and roles. Roles can be assumed by IAM users and roles in your or another account. They can also be assumed by users federated through a web identity or SAML.

IAM Principals

A person or application that uses the AWS account root user, an IAM user, or an IAM role to sign in and make requests to AWS.

Request

When a principal tries to use the AWS Management Console, the AWS API, or the AWS CLI, that principal sends a request to AWS. The request includes the following information:

  • Actions or operations – The actions or operations that the principal wants to perform. This can be an action in the AWS Management Console, or an operation in the AWS CLI or AWS API.
  • Resources – The AWS resource object upon which the actions or operations are performed.
  • Principal – The person or application that used an entity (user or role) to send the request. Information about the principal includes the policies that are associated with the entity that the principal used to sign in.
  • Environment data – Information about the IP address, user agent, SSL enabled status, or the time of day.
  • Resource data – Data related to the resource that is being requested. This can include information such as a DynamoDB table name or a tag on an Amazon EC2 instance.

AWS gathers the request information into a request context, which is used to authenticate and authorize the request.

Authentication & Authorization

On AWS, authentication and authorization are primarily handled by Identity and Access Management (IAM).

A principal must be authenticated (signed in to AWS) using their credentials to send a request to AWS.

During authorization, AWS uses values from the request context to check for policies that apply to the request. It then uses the policies to determine whether to allow or deny the request.
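As an added example (not AWS's own evaluation engine and not code from this page), the following Python script models the pieces described above: two constructed policies in IAM JSON form, a request context carrying the action, resource and environment data (source IP and MFA state), and the documented precedence of an explicit deny over an allow over the default implicit deny. The bucket, table and account ID are made-up sample values, and only the Bool, IpAddress and NotIpAddress condition operators are modelled.

```python
import fnmatch
import ipaddress

# Two constructed identity-based policies in IAM JSON form. The bucket,
# table and account ID are made-up sample values.
POLICIES = [
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
            },
            {
                "Effect": "Allow",
                "Action": "dynamodb:*",
                "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders",
                "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
            },
        ],
    },
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
            }
        ],
    },
]


def make_request(principal, action, resource, source_ip, mfa):
    """Build the request context: who is asking, what they want to do, on
    which resource, plus the environment data IAM exposes as condition keys."""
    return {
        "principal": principal,
        "action": action,
        "resource": resource,
        "aws:SourceIp": source_ip,
        "aws:MultiFactorAuthPresent": mfa,
    }


def _matches(patterns, value, ignore_case):
    """IAM-style wildcard match ('*' and '?'); a bare string is one pattern.
    Action names are case-insensitive, resource ARNs are not."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the condition operators used above; every block must hold.
    A key absent from the request context counts as a non-match (the
    ...IfExists and Null operators, which behave differently, are not modelled)."""
    for operator, keys in condition.items():
        for key, expected in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            expected = expected if isinstance(expected, list) else [expected]
            if operator == "Bool":
                if str(actual).lower() != expected[0].lower():
                    return False
            elif operator in ("IpAddress", "NotIpAddress"):
                addr = ipaddress.ip_address(actual)
                in_range = any(addr in ipaddress.ip_network(c) for c in expected)
                if in_range != (operator == "IpAddress"):
                    return False
            else:
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def evaluate(policies, context):
    """Return 'ALLOW', 'EXPLICIT_DENY' or 'IMPLICIT_DENY' for a request context.
    Precedence follows IAM's documented order: any applicable Deny wins, then an
    applicable Allow is required, otherwise the request is denied by default."""
    effects = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], context["action"], ignore_case=True)
                    and _matches(stmt["Resource"], context["resource"], ignore_case=False)
                    and _condition_holds(stmt.get("Condition", {}), context)):
                effects.add(stmt["Effect"])
    if "Deny" in effects:
        return "EXPLICIT_DENY"
    if "Allow" in effects:
        return "ALLOW"
    return "IMPLICIT_DENY"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    table = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
    for req in (make_request("alice", "s3:GetObject", obj, "203.0.113.5", False),
                make_request("alice", "s3:GetObject", obj, "198.51.100.7", False),
                make_request("alice", "dynamodb:PutItem", table, "203.0.113.5", False),
                make_request("alice", "dynamodb:PutItem", table, "203.0.113.5", True)):
        print(req["action"], req["aws:SourceIp"], req["aws:MultiFactorAuthPresent"], "->", evaluate(POLICIES, req))
```

The second request shows why the page lists environment data as part of the request context: the same principal, action and resource is allowed from the office range and explicitly denied from anywhere else, and the DynamoDB write is implicitly denied until the MFA condition key is present in the context.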

Actions & AWS Resources

AWS approves the actions in your request only after the request has been authenticated and authorized.

Once the actions are approved, they are performed on the related resources within your account.

Summary

The IAM root user that’s automatically enabled on a new AWS account should ideally be locked down and not used for day-to-day account operations.

Instead, you should give individual users the precise permissions they’ll need to perform their jobs. All user accounts should be protected by strong passwords, multi-factor authentication, and the use of encryption certificates and access keys for resource access.

Once authenticated, a user can be authorized to access a defined set of AWS resources using IAM policies.

It’s a good practice to associate users with overlapping access needs into IAM groups, where their permissions can be centrally and easily updated.

Users can also assume IAM roles, which grant temporary credentials, to get the access they need only when they need it.

Access keys should be regularly audited to ensure that unused keys are deleted and active keys are rotated at set intervals.
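As an added example (not an AWS tool and not code from this page), the following Python script performs the kind of audit described above over the data that the IAM credential report exposes: for each user it flags a console password without MFA, active access keys older than a rotation interval, active keys unused for longer than a threshold, and any access key on the root user. The CSV is a constructed sample using a subset of the real report's column names; the user names, account ID and timestamps are made up, and the fixed reference time keeps the result deterministic (a real run would pass the current time and the report fetched from IAM).

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in a subset of the IAM credential report's columns (the
# real report has more, e.g. last-used region/service and certificate fields).
# User names, account ID and timestamps are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-10T08:00:00+00:00,not_supported,2024-05-30T09:12:00+00:00,not_supported,not_supported,true,true,2023-01-10T08:05:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T12:00:00+00:00,true,2024-05-28T14:03:00+00:00,2024-03-01T09:00:00+00:00,N/A,true,true,2024-04-20T10:00:00+00:00,2024-05-31T16:45:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-11-15T09:30:00+00:00,true,2024-05-01T08:00:00+00:00,2024-01-05T11:00:00+00:00,N/A,false,true,2023-12-01T10:00:00+00:00,2024-02-10T12:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-15T00:00:00+00:00,2024-05-31T23:10:00+00:00,true,2023-09-01T00:00:00+00:00,N/A
"""

# Fixed "now" so the example is deterministic; a real run would use
# datetime.now(timezone.utc).
REFERENCE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_time(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=REFERENCE_TIME,
                            max_key_age_days=90, max_unused_days=45):
    """Return a list of (user, finding_code, detail) tuples.

    Thresholds are assumptions for the example: rotate active keys at least
    every 90 days and treat keys idle for more than 45 days as candidates for
    deletion."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        # Root reports password_enabled as not_supported, so check its MFA flag
        # directly; for other users only a console password needs MFA.
        if is_root:
            if row["mfa_active"] != "true":
                findings.append((user, "root_without_mfa", "root user has no MFA device"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password_without_mfa", "console password enabled without MFA"))

        # Each user can hold two access keys; inactive slots are skipped.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root_access_key_active",
                                 f"root user has an active access key in slot {slot}"))
            rotated = _parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append((user, "key_not_rotated",
                                 f"key {slot} is {(now - rotated).days} days old"))
            last_used = _parse_time(row[f"access_key_{slot}_last_used_date"])
            if last_used is None:
                findings.append((user, "key_never_used",
                                 f"key {slot} is active but has never been used"))
            elif (now - last_used).days > max_unused_days:
                findings.append((user, "key_unused",
                                 f"key {slot} last used {(now - last_used).days} days ago"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:<15} {code:<24} {detail}")
```

In the sample, alice produces no findings, bob shows up for a password without MFA and for a key that is both stale and idle, and ci-deploy's second key is flagged as never used; the root row is flagged simply for having an access key at all, which matches the advice above to keep the root user locked down.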

Identities (including users, groups, and roles) can be authenticated using a number of AWS services, including Cognito, Managed Microsoft AD, and single sign-on.

Authentication secrets are managed by services such as AWS Key Management Service (KMS), AWS Secrets Manager, and AWS CloudHSM.