IAM (Identity and Access Management) is covered by the "Security, Identity & Compliance" service of AWS (Amazon Web Services). It allows us to manage access to AWS services and resources securely. With IAM we can create and manage AWS users, groups, roles and use permissions to allow or deny their access to AWS resources.
IAM comes at no extra charge; we are charged only for the other AWS services we use.
AWS IAM helps us to:
- Manage users and their access:
We can create users in IAM and assign them individual security credentials. We can manage permissions to control which operations a user can and cannot perform.
- Manage roles and their permissions:
We can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role.
- Manage federated users and their permissions:
We can enable identity federation to allow existing users, groups, and roles in our company to access AWS Management
To understand the IAM service in more detail, you can refer to AWS documentation.
In this article we will see how to create an IAM user, group, IAM role, assign permissions, and create custom policies.
Note: IAM is not tied to a particular region; it spans the entire AWS account.
Prerequisites
- AWS Account (create one if you do not have one).
What we will do
- Log in to AWS.
- Create an IAM user.
- Create an IAM group and add users to it.
- Create an IAM role.
- Create an IAM policy.
Log in to AWS
- Click here [1
When we click the above link we see a page like the following, where we are required to sign in with our credentials.
Once we are signed in to AWS, we see the main console with all services listed as follows.
Creating an IAM user
An IAM user is an entity that we create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.
Click "Services" in the upper left corner and you will see a screen with all the services. Find "IAM" under "Security, Identity & Compliance" and click on it.
You will see the IAM dashboard. Click "Users" in the left panel.
Click "Add user" to create a new user.
Enter a name for the user. We can create a user with two different access types.
- Programmatic access:
With this access type we can operate on the AWS account from the AWS API, CLI, SDKs and other development tools.
- AWS Management Console access:
This access type allows a user to sign in to the AWS Management Console.
In this article we will create a user with "AWS Management Console access". When you select "AWS Management Console access" you are given a field to assign a password to the user.
We can use either an "Autogenerated password" or a "Custom password". Here we select "Custom password" and assign the user a password. Optionally, we can force the user to change the password at the next sign-in; keep it as is. Click "Next: Permissions" to continue and assign permissions.
On the next screen, click "Attach existing policies directly", search for "readonlyaccess" and select the check box for "ReadOnlyAccess" that appears. With "ReadOnlyAccess" the user will not be able to create any AWS resources. You can go through the list of permissions to understand them. Click "Next: Tags" to continue.
Tag assignment is optional but helps to organize, track, or control access for this user. Click "Next: Review" to continue.
Review the configuration and click "Create user" to create the user.
Click "Download .csv" to download the file containing the "Console Login Link". If you create a user with "Programmatic access", this file is very important because it contains the "Access Key ID" and "Secret Access Key" required for access. Click "Close"; we have now created our first user.
Creating an IAM role
An IAM role is an IAM identity that we can create in our AWS account with specific permissions. It is similar to an IAM user in that it has a permissions policy that determines what the identity can and cannot do in AWS. A role allows AWS services to perform actions on our behalf.
On the IAM dashboard, click "Roles" in the left panel. Click "Create role".
In this article we will create a role for the Lambda service. Click "Lambda" and then "Next: Permissions".
Search for "ec2readonlyaccess" in the search box and select the "AmazonEC2ReadOnlyAccess" check box. This gives the Lambda function read-only access to the EC2 service. Click "Next: Tags".
Adding tags is optional but can be used to organize, track, or control access for this role. Click "Next: Review" to continue.
Name the role, add a description and click "Create role". This creates a role that allows Lambda functions to call AWS services on your behalf with read-only access to the EC2 service.
Create an IAM Group
An IAM group is a collection of IAM users. We can set permissions for multiple users at once through the group, which makes it easier to manage the permissions of those users.
On the IAM dashboard, click "Groups" in the left panel. Click "Create New Group".
Enter a name and click "Next Step".
Search for "readonlyaccess", scroll to the bottom and select the "ReadOnlyAccess" check box. Click "Next Step".
Review the configuration and click "Create Group".
Now we have a group with "ReadOnlyAccess", which means that users belonging to this group have only read-only access to AWS resources and services.
Go back to the IAM dashboard and select the group we just created. Click "Add Users to Group" to add our user to this group.
Select the user we created in the previous step and click "Add Users". This adds our user to the group we created with "ReadOnlyAccess".
Creating an IAM policy
An IAM policy is an object that, when associated with an identity or resource, defines their permissions.
On the IAM dashboard, click "Policies" in the left panel. Click "Create policy".
Click "Service" to select the service for which the policy is created. Search for the service in the search box and select it (EC2 in this article).
You get a list of access levels that can be granted; here select "List". Click "Review policy".
Name the policy and click "Create policy". This policy can now be attached to a user to grant only "List" permissions on the EC2 service. We can follow the same steps we used to attach a policy while creating a user to attach this policy.
In this article we created a user and a role and attached policies to them, created a group and added the user to it, and created a custom policy that can be attached to the user.
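The role, group and custom policy built above all come down to IAM JSON policy documents, which the console hides behind check boxes. The following is an added example (not code from the original article or from AWS) that writes out the Lambda role's trust policy and the EC2 "List"-only customer policy, and runs a small evaluator over them to show what the user from this article can and cannot do once the group's ReadOnlyAccess is combined with the custom policy. Assumptions not on the page: ReadOnlyAccess is approximated by Describe*/Get*/List* on every service (the real managed policy is larger), the EC2 "List" access level is modelled as ec2:Describe*, and conditions, resource ARNs, permission boundaries and SCPs are left out of the evaluation.

```python
"""Added example (not the article's or AWS's code): the article's IAM objects
as JSON policy documents plus a simplified identity-policy evaluator."""
import fnmatch
import json

# Trust policy of the Lambda role: only the Lambda service principal may
# assume it (choosing "Lambda" in the console generates this relationship).
LAMBDA_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Customer-managed policy from the "Creating an IAM policy" section:
# EC2 "List" access level only. Modelled as ec2:Describe* (assumption).
EC2_LIST_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Ec2ListOnly",
        "Effect": "Allow",
        "Action": ["ec2:Describe*"],
        "Resource": "*",
    }],
}

# Constructed stand-in for the AWS-managed ReadOnlyAccess policy (assumption:
# the real policy enumerates read actions per service).
READ_ONLY_APPROX = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["*:Describe*", "*:Get*", "*:List*"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_allowed(action, policies, resource="*"):
    """Top-level IAM logic for identity-based policies: default deny, an
    explicit Deny in any attached policy wins, otherwise some Allow must match."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(action, _as_list(stmt.get("Action", []))):
                continue
            if not _matches(resource, _as_list(stmt.get("Resource", "*"))):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def effective_policies(user_policies, group_policies):
    """A user's permissions are the union of the policies attached directly
    to the user and the policies attached to every group the user is in."""
    return list(user_policies) + list(group_policies)


def can_assume(trust_policy, service_principal):
    """Check whether a service principal may assume the role."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and service_principal in services):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(EC2_LIST_ONLY_POLICY, indent=2))
    user = effective_policies([EC2_LIST_ONLY_POLICY], [READ_ONLY_APPROX])
    for act in ["ec2:DescribeInstances", "ec2:RunInstances", "s3:ListAllMyBuckets"]:
        print(f"{act:24} custom policy only: {is_allowed(act, [EC2_LIST_ONLY_POLICY])!s:5}"
              f"  user + group: {is_allowed(act, user)}")
    print("lambda may assume role:", can_assume(LAMBDA_TRUST_POLICY, "lambda.amazonaws.com"))
```

The run shows the point of the group step in the article: the custom policy alone lets the user describe EC2 resources and nothing else, while membership in the ReadOnlyAccess group widens that to read actions on every service but still never to s3:PutObject or ec2:RunInstances. When a user behaves unexpectedly, the IAM policy simulator in the console applies the same Deny-over-Allow logic against the real managed policies, including the conditions this example ignores.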