AWS User Access
AWS Tutorial: Identity and Access Management (IAM)
Welcome to the AWS IAM lesson. IAM is the bouncer of the AWS cloud. It strictly controls who can log in, and exactly what they are allowed to do once they are inside.
Why Learn AWS IAM?
IAM is arguably the most critical service in AWS. If you give a developer full administrative access and their laptop is stolen, whoever ends up holding those credentials can delete your entire company's infrastructure. Enforcing the "Principle of Least Privilege" with IAM is mandatory.
Tutorial Overview
In this tutorial, you will learn the core concepts of IAM:
- Users & Groups
- Policies
- IAM Roles
Core IAM Concepts
- IAM Users: An IAM user represents a specific person (e.g., John) or an application. Users sign in to the console with a username and password, or call the API with access keys.
- IAM Groups: A collection of IAM users (e.g., "Developers", "HR"). You can apply a permission policy to the whole group, and all users inside it inherit those permissions.
- IAM Policies: JSON documents that define permissions (e.g., "Allow reading from S3"). You attach these to Users, Groups, or Roles. By default, all access is denied (an implicit deny) until a policy explicitly allows it, and an explicit Deny in any attached policy overrides an Allow.
- IAM Roles: Similar to a user, but a role has no long-term credentials (no password or access keys). Instead, whoever assumes the role receives temporary security credentials. Roles are meant to be "assumed" by trusted entities, such as an EC2 instance that needs temporary permission to write to an S3 bucket.
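To make the policy rules above concrete, here is an added example (not part of the original tutorial) with a constructed least-privilege policy for a "Developers" group and a deliberately simplified evaluator that applies IAM's ordering: explicit Deny beats Allow, and anything no statement allows is implicitly denied. The policy contents, bucket name and function names are assumptions for illustration, and Condition blocks, resource policies, permission boundaries and SCPs are left out.

```python
import fnmatch
import json

# Constructed sample policy for a "Developers" group (example data, not from
# the tutorial): read one bucket, and explicitly deny deleting any bucket.
DEVELOPERS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data",
                  "arn:aws:s3:::example-app-data/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")

# A second constructed policy that is far too broad, used to show that an
# explicit Deny in any attached policy still wins over it.
BROAD_S3_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

def _as_list(value):
    """Action and Resource may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive, resource ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if ignore_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Simplified identity-based evaluation: an explicit Deny beats any Allow,
    and with no matching statement the request is implicitly denied. Condition
    blocks, NotAction/NotResource, resource policies, permission boundaries and
    SCPs are deliberately not modelled."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], action, ignore_case=True)
                    and _matches(stmt["Resource"], resource, ignore_case=False)):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"  # nothing can override an explicit Deny
                decision = "Allow"
    return decision
```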