Saturday, February 8, 2020

IAM (Identity and Access Management)

IAM is part of AWS security: it allows you to manage users and their levels of access to the AWS console.
IAM (identity & access management) is where you manage your AWS users and their access to AWS accounts and services. The common usage of IAM is to manage.

What IAM gives you:

-Centralised control of your AWS account.
-Shared access to your AWS account.
-Granular permissions.
-Identity federation (including AD, Facebook & LinkedIn etc.).
-Multi-factor authentication (MFA).
-Allows you to set up your own password rotation policy.
-Temporary access for users and devices if necessary.
-Integration with many different AWS services.

IAM Terms:

Users:- end users (think people)
Groups:- a collection of users under one set of permissions
Roles:- you create roles and then assign them to AWS services
Policies:- a document that defines one (or more) permissions
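To make the policy, granular-permission and MFA points above concrete, here is an added example (my own code, not from the original post or from AWS): a small evaluator for the core IAM policy logic, run against a hypothetical policy document. It models only default deny, explicit Allow, explicit Deny always winning, and a Bool condition on the aws:MultiFactorAuthPresent context key; real IAM handles far more (case-insensitive matching, NotAction, resource policies, permission boundaries) and this is not a substitute for it.

```python
"""Minimal IAM policy evaluator: default deny, Allow grants, Deny wins,
and a Bool condition on aws:MultiFactorAuthPresent (simplified model)."""
from fnmatch import fnmatchcase

# Constructed sample policy (hypothetical, not a real account's policy):
# least-privilege read on one bucket, IAM self-service only when the
# caller signed in with MFA, and a hard Deny on deleting users.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards (* and ?) apply to both actions and resource ARNs
    return any(fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    # Only the Bool operator is modelled; any other operator fails closed
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            actual = str(context.get(key, "false")).lower()
            if actual != str(expected).lower():
                return False
    return True

def is_allowed(policy, action, resource, context=None):
    """True only if some Allow statement matches and no Deny matches."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False          # explicit Deny always wins
        allowed = True            # remember the Allow, keep scanning for a Deny
    return allowed
```

Calling is_allowed with and without {"aws:MultiFactorAuthPresent": "true"} in the context shows why MFA-conditioned statements are a common way to gate sensitive IAM actions.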

AWS Region, Availability zone and Edge location

Region (large geographical location)
Availability zone (geographically separated data centers within a region)
Edge location (caching data centre)

At least 2 availability zones per region.
Each region is completely independent.
Each availability zone is isolated, but the availability zones in a region are connected through low-latency links.

Note:

IAM doesn't require region selection.
IAM is a global service: whatever you create in IAM is reflected in each and every region.

AWS root account:

When you log in to AWS for the first time with the root account, a default user sign-in link is created over HTTPS.
We can change the default link with the "CUSTOMIZE" option. The default link name must be unique, and it is created from the AWS account number.
Ex:
https://<aws_12digit_number>.signin.aws.amazon.com/console

To whom does IAM give access?

-users
-groups
-roles
-identity providers
-customer managed policies

If we create a user in IAM, there are 2 ways to access the AWS account:

1) user ID & password
2) access key & secret access key (CLI, SDK & API)

Note:
For security reasons, AWS automatically deletes the root access key for newly created users.
Best practice, and what AWS recommends, is to never create or generate access keys for the root account.

When a new AWS root account is created, it is best practice to complete the tasks listed in IAM under security status.

Those tasks include:

-delete your root access keys
-activate MFA on your root account
-create individual IAM users
-use groups to assign permissions
-apply an IAM password policy

What is MFA?

-MFA is an abbreviation for multi-factor authentication.
-It is an additional layer of security on your account that is provided by a 3rd party.
-It takes the form of a continually changing, random six-digit code that you need to input (in addition to your password) when logging into your root account.

How do I get the code?

-A virtual MFA device
-A hardware MFA device

You need to install an AWS-compatible application on the user's smartphone, PC or other device.
Virtual MFA is free (install Google Authenticator).

Virtual MFA Device

-smartphone or tablet
-commonly used app (iOS & Android): Google Authenticator

Hardware MFA

-small physical device with a display that you can attach to your keychain
-order it directly from AWS

Note: MFA multi factor authentication (2nd level password)

When you create an IAM user, you are asked to choose between 2 types of access.

1) Programmatic access (access key & secret access key): AWS CLI, AWS API & SDK etc.
2) AWS management console access

There are 2 types of console password.

-autogenerated password (AWS creates the password and provides it in .csv format)
-custom password (user-generated password)

Difference between region, availability zone and edge location?

Region:
Large geographical location.

Availability zones:
Geographically separated data centers within a region.

Edge location:
Caching data centre.
