# Identity and Access Management (IAM)

## What is IAM

* A web service that allows you to securely control access to your AWS resources.
  * Manage permissions that control which resources Users can access.

#### **Features**

* **IAM is eventually consistent**
  * IAM achieves high availability by replicating data across multiple servers in AWS data centers around the world.
  * However, a change (for example, a new user or an updated policy) may take some time to replicate everywhere.
  * *AWS recommends that IAM changes not be included in critical, high-availability code paths of an application, and that you verify the changes have propagated before production workflows depend on them.*
* Shared access to your AWS account.
* **Granular permissions**.
* **Secure access to AWS resources** for applications that run on `Amazon EC2`.
* `Identity Federation` to grant permissions for users outside of AWS.
* Access log auditing using `CloudTrail`.
* Payment Card Industry (PCI) Data Security Standard (DSS) Compliance.
* IAM is integrated with many AWS services (see [the list of services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)).
* Free to use.

## How it Works

### Initial Steps

1. *When you create an AWS account, you begin with one sign-in identity that has complete access to all AWS services and resources.*
   * This identity is called the AWS account `root user`.
   * *You can access it by the email and password provided when the account was created.*
   * **AWS strongly recommends that you don't use the `root user` for everyday tasks. Use it only for the [tasks that only the `root user` can perform](https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-tasks.html).**
2. Use IAM to set up `IAM Users` in addition to the `root user`, and grant them access to only the resources they need for their tasks.
   * *These new users will use their sign-in credentials to authenticate.*

### Cycle

1. A human or application uses their sign-in credentials to authenticate with AWS.
   * *Authentication is provided by matching the sign-in credentials to a principal (`IAM User`, `Federated User`, `IAM Role`, or application).*
2. Next, a request is made to grant the principal access to resources.
   * E.g.: When you first sign in and are on the console Home page, you aren't accessing a specific service.
   * When you select a service, the authorization request is sent to that service to check:
     * *if you are in the list of authorized users,*
     * *what policies are being enforced to control the level of access granted,*
     * *and any other policies that might be in effect.*

## IAM Common Terms

<figure><img src="https://4257107599-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FO7iF3qcu25MOrAYlRsn6%2Fuploads%2FxDIj0udJ1ezG7WdcXRUB%2Fiam-common-terms.png?alt=media&#x26;token=4720d4c9-0f2f-4938-9abc-0beae537cd16" alt=""><figcaption></figcaption></figure>

### Principals

* A person or application that uses the AWS account `root user`, an `IAM User`, or an `IAM Role` to sign in and make requests to AWS.
  * *Can be granted either permanent or temporary credentials.*
    * Typically `IAM Users` and the `root user` are granted permanent credentials,
    * while `IAM Roles` are granted temporary ones.
* Principals also include `Federated Users` and `assumed roles`.

### IAM Entity

* Are IAM Resources that AWS uses for authentication.
* Entities can be specified as a Principal in a resource-based policy.
* Includes:
  * `IAM Users`
  * `IAM Roles`

### IAM Identity

* Are IAM Resources that can be authorized in `policies` to perform actions and to access resources.
* Includes:
  * `IAM Users`
  * `IAM Groups`
  * `IAM Roles`

### IAM Resource

* Are stored in IAM; you can add, edit, and remove them from IAM.
* The number and size of IAM Resources in an AWS account are limited.

#### **`IAM User`**

* Represent the person or application accessing your account to interact with AWS.
* Consist of a **name** and **credentials**.
  * Users are identified by:
    * A friendly name;
    * An Amazon Resource Name (`ARN`), e.g.:
      * `arn:aws:iam::account-ID-without-hyphens:user/Bill`
    * A unique identifier, which is returned only when you use the `API`, `SDK`, `Tools for Windows PowerShell`, or `AWS CLI` to create the user.
* Credentials that can be associated with a user:
  * Console password.
  * Access keys (an access key ID and a secret access key).
  * SSH keys (for use with `CodeCommit`).
* It is associated with one and only one AWS account.

#### **`IAM Group`**

<figure><img src="https://4257107599-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FO7iF3qcu25MOrAYlRsn6%2Fuploads%2FAcOXzF1hFoDa0IUnEsHw%2Fiam-groups.png?alt=media&#x26;token=92b79603-a861-4c16-9213-926b218be73a" alt=""><figcaption></figcaption></figure>

* Are collections of IAM users.
* Groups let you specify permissions for multiple users.
  * *Users assume the permissions of the group.*
* Users can belong to multiple groups.
* Groups cannot be nested; they can only contain Users.

#### **`IAM Role`**

* An `IAM Identity` that you can create and that **has specific permissions**.
* Roles are intended to be assumed by one or more Users or applications.
* A Role does not have standard long-term credentials.
  * When you assume a Role, it provides you with **temporary** security credentials for your Role session.
* You can use Roles to delegate access to Users, applications, or services that don't normally have access to your AWS resources.
  * *E.g.: Allow EC2 instances to access other AWS resources.*
  * Identity federation using:
    * Amazon Cognito.
    * OAuth.
    * Enterprise Single Sign-On with LDAP or Active Directory.

#### **Identity Providers and Federation**

* If you already manage users outside of AWS, you can use `Identity Providers` instead of creating `IAM Users`.
  * *They can use `OpenID Connect (OIDC)` or `SAML 2.0`.*
* An `IAM Role` can be used to specify permissions for externally identified (federated) users.
* There is a limit of 5000 IAM users per account; Identity Federation is not bound by it, because federated users receive temporary credentials instead of being created as IAM users.
* Federated users can be authenticated by your organization's own identity provider or by a third-party identity provider, such as:
  * Amazon Cognito.
  * OAuth.
  * Enterprise Single Sign-On with LDAP or Active Directory.
    * AWS Directory Service.

### Access Management

{% embed url="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" %}

* You manage access in AWS by creating `Policies` and attaching them to `IAM Identities` or `AWS Resources`.
* AWS checks each `Policy` that applies to the context of the request.
  * By default, all requests are implicitly **DENIED**; a request is allowed only if some applicable `Policy` explicitly allows it.
  * If any single `Policy` denies the request, AWS denies the entire request and stops evaluating policies, regardless of any allows. **(Explicit Deny)**

**`Policy`**

* Are JSON documents in AWS that, when attached to an Identity or Resource, define their `Permissions`.
  * A Policy may have one or more `Permissions`.
* AWS evaluates these Policies when an `IAM Principal` makes a request.

**`Permission`**

* The statements within `Policies` that determine whether a request is allowed or denied.

### AWS Organizations

<figure><img src="https://4257107599-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FO7iF3qcu25MOrAYlRsn6%2Fuploads%2FeP1QfmbyF8v0mWGeLn3N%2Faws-organizations.png?alt=media&#x26;token=667e7326-5125-4726-973c-d6ba74abe102" alt=""><figcaption></figcaption></figure>

* Allows the multiple AWS accounts used by an organization to be grouped into an `Organizational Unit (OU)`.
* `Service Control Policies (SCPs)` allow the whitelisting or blacklisting of services within an Organizational Unit.
  * A blacklisted service is unavailable to every identity in the accounts under that OU, even if the IAM user or group policy allows it.

#### **Benefits**

* Centrally manage policies across multiple AWS accounts.
* Control access to AWS services.
* Automate AWS account creation and management programmatically with APIs.
* Consolidate billing across multiple AWS accounts.

## IAM Best Practices

* **Grant `Least Privilege` access.**
  * *Give people access only to the minimum that they need.*
* **Lock away** your AWS account **Root User Access Keys**.
* Require human users and *workloads* to use temporary credentials.
  * Rotate Credentials regularly.
* Require `Multi-Factor Authentication (MFA)`.
* Regularly review and remove unused users, roles, permissions, policies and credentials.
* Monitor activity in your AWS Account (e.g. with `CloudTrail`).
* Use conditions in `IAM Policies` to further restrict access.
* Use `IAM Access Analyzer` to validate your `IAM Policies` and ensure the permissions they grant are functional.
* Delegate by using `Roles` instead of by sharing credentials.

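The evaluation rules from the Access Management section (implicit deny by default, explicit deny wins), the way an SCP bounds what identity policies can grant under AWS Organizations, and a `Bool`/`BoolIfExists` condition on `aws:MultiFactorAuthPresent` from the best practices, modelled in one toy evaluator. This is an added example written for these notes, not AWS code; the policies at the bottom are constructed samples, and only wildcard matching and the two boolean condition operators are modelled.

```python
import fnmatch

def _matches(patterns, value):
    # Action/Resource may be a string or a list; '*' and '?' are wildcards.
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _applies(stmt, action, resource, ctx):
    if not (_matches(stmt.get("Action", []), action)
            and _matches(stmt.get("Resource", "*"), resource)):
        return False
    # Only the Bool / BoolIfExists condition operators are modelled (assumption).
    for op in ("Bool", "BoolIfExists"):
        for key, want in stmt.get("Condition", {}).get(op, {}).items():
            if key not in ctx:
                if op == "Bool":
                    return False      # an absent key never satisfies plain Bool
                continue              # ...IfExists treats an absent key as a match
            if str(ctx[key]).lower() != str(want).lower():
                return False
    return True

def evaluate(policies, action, resource, ctx=None):
    """Explicit Deny wins; otherwise some Allow must match; default is Deny."""
    ctx = ctx or {}
    allowed = False
    for policy in policies:
        stmts = policy["Statement"]
        for stmt in stmts if isinstance(stmts, list) else [stmts]:
            if _applies(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                allowed = True
    return "Allow" if allowed else "Deny"

def effective(identity_policies, action, resource, scps=(), ctx=None):
    """SCPs on the OU bound the identity policies: both evaluations must allow."""
    if scps and evaluate(list(scps), action, resource, ctx) == "Deny":
        return "Deny"
    return evaluate(identity_policies, action, resource, ctx)

# Constructed sample policies (not taken from any real account).
S3_READ = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
           "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::example-bucket/*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
DENY_DELETE = {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}}
DENY_NO_MFA = {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "*", "Resource": "*",
               "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}}
SCP_FULL = {"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}  # AWS's default SCP
SCP_NO_S3 = {"Version": "2012-10-17", "Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}}
```

`effective([ADMIN], "s3:GetObject", R, scps=[SCP_FULL, SCP_NO_S3])` returns `"Deny"` even though the identity policy is full admin, which is the SCP behaviour described under AWS Organizations.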