In AWS Identity and Access Management (IAM), IAM identities are the entities you create and manage within your AWS account to control access to AWS services and resources. They define who can access AWS resources and what actions they can perform. The core identity types are users, groups, and roles; policies are the JSON documents attached to those identities to grant or deny permissions, and identity providers and service-linked roles extend the model to federated users and to AWS services acting on your behalf. Here is a detailed explanation of each:
1. IAM Users
  - Definition: An IAM user is an entity you create in AWS to represent an individual person or application that interacts with AWS resources. An IAM user has long-term credentials (a console password and/or access keys) that remain valid until someone rotates or deletes them.
  - Use Cases:
    - Assigning specific permissions to individual users.
    - Creating users for employees, applications, or services that need access to AWS resources.
  - Attributes:
    - Username: The unique identifier for the user within the AWS account.
    - Password: Used for console access (the web-based interface).
    - Access Keys: An access key ID and a secret access key, used for programmatic access via the AWS CLI, SDKs, or APIs.
    - Permissions: IAM users can have policies attached directly to them or inherit permissions from the groups they belong to.
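Because IAM users are the one identity type that carries long-term credentials, a defender periodically reviews those credentials rather than trusting that they are still needed. The script below is an added example (not from the original text) that flags active access keys older than a rotation threshold and console users without MFA. It assumes the CSV shape of the IAM credential report (columns such as `access_key_1_active` and `access_key_1_last_rotated`, `true`/`false` flags, ISO 8601 timestamps, `N/A` where there is no value); the rows and the reference time are constructed so that the example runs offline.

```python
"""Flag long-lived IAM user credentials from a credential report (added example).

Assumes the CSV layout of the IAM credential report; the sample rows below are
constructed, not exported from any real account.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of credential-report columns for three users.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2024-05-01T00:00:00+00:00,false,N/A
build-bot,arn:aws:iam::111111111111:user/build-bot,false,false,true,2023-01-10T00:00:00+00:00,true,2024-03-01T00:00:00+00:00
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,false,N/A
"""

# Fixed reference time so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Markers the report uses when a column has no value.
NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Credential-report timestamps are ISO 8601 or one of the 'no value' markers."""
    return None if value in NO_VALUE else datetime.fromisoformat(value)


def _rows(report_text):
    return list(csv.DictReader(io.StringIO(report_text)))


def find_stale_access_keys(report_text, max_age_days=90, now=NOW):
    """Return (user, key_slot, age_in_days) for every active key older than max_age_days."""
    findings = []
    for row in _rows(report_text):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # an inactive key cannot be used, so its age does not matter
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            age = (now - rotated).days if rotated else None
            # A key with no rotation date is treated as stale: its age is unknown.
            if age is None or age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


def find_console_users_without_mfa(report_text):
    """Users who can sign in to the console with a password but have no MFA device."""
    return [row["user"] for row in _rows(report_text)
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    for user, slot, age in find_stale_access_keys(SAMPLE_REPORT):
        print(f"rotate: {user} access key {slot} (age {age} days)")
    for user in find_console_users_without_mfa(SAMPLE_REPORT):
        print(f"enable MFA: {user}")
```

With the constructed rows, both of `build-bot`'s keys exceed the 90-day threshold and `bob` is a console user without MFA; `alice` passes both checks. Keys belonging to automation (like `build-bot` here) are the usual candidates for replacement with a role, which is the point of the next sections.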
2. IAM Groups
  - Definition: An IAM group is a collection of IAM users. Groups exist to simplify permission management by grouping users who need the same permissions; a group cannot contain other groups.
  - Use Cases:
    - Managing permissions for multiple users at once.
    - Organizing users by role or department (e.g., Admins, Developers, Read-Only Users).
  - Attributes:
    - Group Name: The unique identifier for the group within the AWS account.
    - Permissions: Groups have no credentials of their own. Instead, policies are attached to the group and apply to every user in it.
3. IAM Roles
  - Definition: An IAM role is an identity you create in your AWS account with specific permissions. Unlike users, roles have no long-term credentials (no password or access keys). Instead, a role is assumed by trusted entities, which receive temporary security credentials to interact with AWS resources.
  - Use Cases:
    - Granting temporary access to AWS resources to users, applications, or services.
    - Enabling cross-account access (e.g., allowing a principal in one account to assume a role that grants access to resources in another account).
    - Assigning permissions to AWS services (e.g., an EC2 instance assuming a role to access S3).
  - Attributes:
    - Role Name: The unique identifier for the role within the AWS account.
    - Trust Policy: Defines which entities (users, services, or accounts) are allowed to assume the role.
    - Permissions: Roles have permissions attached via policies, defining what actions the entity assuming the role can perform.
4. IAM Policies
  - Definition: IAM policies are JSON documents that define permissions. Policies are attached to IAM users, groups, or roles to specify which actions they can perform on which AWS resources.
  - Use Cases:
    - Defining granular permissions for access control.
    - Applying a consistent permission set across multiple identities (users, groups, or roles).
  - Attributes:
    - Policy Name: The unique identifier for the policy within the AWS account.
    - Policy Document: The JSON document containing one or more statements, each of which allows or denies a set of actions.
    - Types of Policies:
      - Managed Policies: AWS managed policies (maintained by AWS) or customer managed policies (created by you); either kind can be attached to multiple identities.
      - Inline Policies: Policies embedded directly in a specific user, group, or role; they cannot be reused elsewhere.
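To make the role and policy sections concrete, the following added example (not from the original text and not the AWS evaluation engine) loads a constructed permissions policy and a constructed trust policy and evaluates requests against them. It models only the core rules a reviewer relies on when reading a policy document: a request is denied unless some statement allows it, an explicit Deny overrides any Allow, and `Action`/`Resource` values may be a single string or a list and may contain `*` and `?` wildcards. Conditions, `NotAction`/`NotResource`, permission boundaries and resource-based policies are deliberately left out; the bucket name and the account ID used in the test are placeholders.

```python
"""Simplified IAM policy evaluation (added illustration, not the AWS engine).

Implements three rules: implicit deny, explicit Deny beats Allow, and wildcard
matching of Action (case-insensitive) and Resource (case-sensitive). Everything
else in real IAM evaluation (conditions, NotAction, boundaries, resource-based
policies) is intentionally omitted. Policy documents are constructed samples.
"""
import fnmatch
import json

# Constructed sample: identity-based permissions policy attached to a role.
PERMISSIONS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAppBucket",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-app-bucket",
                   "arn:aws:s3:::example-app-bucket/*"]
    },
    {
      "Sid": "NeverReadSecretsPrefix",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-app-bucket/secrets/*"
    }
  ]
}
""")

# Constructed sample: trust policy letting EC2 instances assume the role.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """Wildcard match; action names are case-insensitive, ARNs are not."""
    for pattern in _as_list(patterns):
        if case_sensitive:
            hit = fnmatch.fnmatchcase(value, pattern)
        else:
            hit = fnmatch.fnmatchcase(value.lower(), pattern.lower())
        if hit:
            return True
    return False


def is_allowed(policy, action, resource):
    """True only if some Allow statement matches and no Deny statement does."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_matches(stmt["Action"], action, case_sensitive=False)
                and _matches(stmt["Resource"], resource, case_sensitive=True)):
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins; no need to look further
            allowed = True
    return allowed  # implicit deny when nothing matched


def can_assume(trust_policy, principal_type, principal_id):
    """Check whether a principal (e.g. Service ec2.amazonaws.com) may call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not _matches(stmt["Action"], "sts:AssumeRole", case_sensitive=False):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # trusts everyone; flag such a trust policy in review
            return True
        if _matches(principal.get(principal_type, []), principal_id, case_sensitive=True):
            return True
    return False


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/config.json"),
        ("s3:GetObject", "arn:aws:s3:::example-app-bucket/secrets/db.txt"),
        ("s3:PutObject", "arn:aws:s3:::example-app-bucket/config.json"),
    ]
    for action, resource in checks:
        verdict = "ALLOW" if is_allowed(PERMISSIONS_POLICY, action, resource) else "DENY"
        print(f"{action} on {resource}: {verdict}")
    print("ec2 may assume:", can_assume(TRUST_POLICY, "Service", "ec2.amazonaws.com"))
```

The two policies together show the split the roles section describes: the trust policy answers "who may become this role" and the permissions policy answers "what the role may then do". Reading a `GetObject` under `secrets/` is denied even though the broad Allow matches it, and `PutObject` is denied because nothing allows it.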
5. IAM Identity Providers (IdPs)
  - Definition: IAM identity providers let you configure and manage federated access to your AWS account using an external identity system, such as a SAML 2.0 IdP, an OpenID Connect (OIDC) provider, or Amazon Cognito.
  - Use Cases:
    - Enabling single sign-on (SSO) so users can access AWS with corporate credentials managed by an external IdP.
    - Allowing users from social identity providers or custom IdPs to access AWS resources.
  - Attributes:
    - Identity Provider Name: The unique identifier for the identity provider within the AWS account.
    - Federation Type: The kind of IdP, such as SAML, OIDC, or Web Identity.
    - Permissions: When a federated user signs in, they assume an IAM role, and that role's policies define their permissions.
6. Service-Linked Roles
  - Definition: Service-linked roles are predefined roles linked to specific AWS services. They allow an AWS service to manage resources in your account on your behalf.
  - Use Cases:
    - Granting a specific AWS service the permissions it needs to act within your account, such as managing EC2 instances, RDS databases, or other resources.
  - Attributes:
    - Service-Linked Role Name: The unique identifier for the service-linked role within the AWS account.
    - Service Association: Each service-linked role is tied to one AWS service, and only that service can assume it.
    - Permissions: The permissions of a service-linked role are predefined by the service and cannot be modified by you; the associated AWS service updates them as needed.