January 24, 2023

Understanding AWS IAM

This post goes over the basics of AWS Identity and Access Management (IAM). It's not a comprehensive guide, but if you're a bit confused when you look at the AWS Console, it's a good place to start.

There are four core concepts to know with AWS IAM:

  • Users
  • Groups
  • Policies
  • Roles

Users

A user is a specific person or account that you create in AWS and that will have access to some AWS resources. Which resources they can access depends on the policies assigned to that user.

A user is intended to represent a person. You can use a user to represent an automated service, but there are generally better ways to do that.

A user has two methods for accessing AWS Resources, both of which are optional:

  • They can log in to the AWS Console (web page) with their username and password.
  • They can access the AWS command line interface (CLI) with their access key and secret: a username-password style combination that exists just for the command line or API.
    • AWS_ACCESS_KEY_ID - The "username" for the CLI
    • AWS_SECRET_ACCESS_KEY - The "password" for the CLI
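Because both access methods are optional, a practical first check on an account is to see which users actually have which. The IAM credential report (`aws iam get-credential-report`) lists, per user, whether a console password is enabled and whether either of the user's two access keys is active. The script below is an added example, not code from the original post; the CSV it parses is a constructed sample in the shape of that report, reduced to the columns used here.

```python
import csv
import io

# Constructed sample in the shape of the IAM credential report (a CSV; the real
# report also carries rotation/last-used columns, omitted here). The
# <root_account> row is always present and is skipped below.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,false,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,false,false,true,false
carol,arn:aws:iam::123456789012:user/carol,true,false,true,true
dave,arn:aws:iam::123456789012:user/dave,false,false,false,false
"""


def access_methods(row):
    """Return the set of access methods one credential-report row enables.

    'console' means a password is enabled; 'cli' means at least one of the
    two possible access keys is active (a user may hold two keys at once).
    """
    methods = set()
    if row["password_enabled"] == "true":
        methods.add("console")
    if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
        methods.add("cli")
    return methods


def classify_users(report_csv):
    """Map each IAM user name to its access methods; root is excluded."""
    users = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        users[row["user"]] = access_methods(row)
    return users


def review(report_csv):
    """Findings a reviewer typically wants from the report:
    - console users without MFA
    - users holding both a console password and active access keys
    - users with no usable access method at all (candidates for cleanup)
    """
    findings = {"console_without_mfa": [], "both_methods": [], "no_access": []}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue
        methods = access_methods(row)
        if "console" in methods and row["mfa_active"] != "true":
            findings["console_without_mfa"].append(row["user"])
        if {"console", "cli"} <= methods:
            findings["both_methods"].append(row["user"])
        if not methods:
            findings["no_access"].append(row["user"])
    return findings


if __name__ == "__main__":
    for user, methods in classify_users(SAMPLE_REPORT).items():
        print(f"{user:8s} {sorted(methods) or ['none']}")
    print(review(SAMPLE_REPORT))
```

On a real account, replace `SAMPLE_REPORT` with the decoded `Content` field of `aws iam get-credential-report --output json` (it is base64-encoded CSV); the column names are the same.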

Groups

Groups in AWS are just groups of users. For example, you can put all the front-end developers in one group, all the back-end developers in another, and all the administrators in a third.

The benefit of groups is that they let you assign permissions to the group rather than to individual users. Assigning policies directly to individual users can be done, and it works as a start, but once your organization gets big enough it becomes unmanageable quite quickly. It's also not great from a security perspective: permissions scattered across individual users are hard to review and easy to miss when someone changes role or leaves.
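One way to check whether an account follows the group-based model is to scan the output of `aws iam get-account-authorization-details`, which lists every user with its group memberships, its directly attached managed policies and its inline policies, alongside every group and the policies attached to it. The script below is an added example, not code from the original post; the data it walks is a constructed sample in the shape of that output, reduced to the fields used here.

```python
# Constructed sample in the shape of `aws iam get-account-authorization-details`
# output (UserDetailList / GroupDetailList), keeping only the fields read below.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["frontend-devs"],
         "AttachedManagedPolicies": [], "UserPolicyList": []},
        # bob gets a managed policy attached directly to the user (the anti-pattern)
        {"UserName": "bob", "GroupList": ["backend-devs"],
         "AttachedManagedPolicies": [
             {"PolicyName": "AdministratorAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}],
         "UserPolicyList": []},
        # carol is in no group and relies on an inline policy on the user itself
        {"UserName": "carol", "GroupList": [],
         "AttachedManagedPolicies": [],
         "UserPolicyList": [
             {"PolicyName": "carol-inline-s3",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}]}}]},
    ],
    "GroupDetailList": [
        {"GroupName": "frontend-devs",
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonS3ReadOnlyAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}],
         "GroupPolicyList": []},
        {"GroupName": "backend-devs",
         "AttachedManagedPolicies": [
             {"PolicyName": "AmazonDynamoDBFullAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess"}],
         "GroupPolicyList": [
             {"PolicyName": "backend-inline-sqs",
              "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "sqs:SendMessage",
                   "Resource": "*"}]}}]},
    ],
}


def group_policies(details):
    """Map each group name to the sorted names of its managed + inline policies."""
    result = {}
    for group in details["GroupDetailList"]:
        names = [p["PolicyName"] for p in group["AttachedManagedPolicies"]]
        names += [p["PolicyName"] for p in group["GroupPolicyList"]]
        result[group["GroupName"]] = sorted(names)
    return result


def direct_attachments(details):
    """Users that carry policies on the user object itself (managed or inline),
    i.e. permissions not flowing through a group. Returns {user: [policy, ...]}."""
    findings = {}
    for user in details["UserDetailList"]:
        names = [p["PolicyName"] for p in user["AttachedManagedPolicies"]]
        names += [p["PolicyName"] for p in user["UserPolicyList"]]
        if names:
            findings[user["UserName"]] = sorted(names)
    return findings


def effective_policies(details):
    """Every policy each user ends up with, tagged with where it comes from:
    'group:<name>', 'direct' (managed policy on the user) or 'inline'."""
    by_group = group_policies(details)
    result = {}
    for user in details["UserDetailList"]:
        sources = []
        for group in user["GroupList"]:
            sources += [(name, f"group:{group}") for name in by_group.get(group, [])]
        sources += [(p["PolicyName"], "direct") for p in user["AttachedManagedPolicies"]]
        sources += [(p["PolicyName"], "inline") for p in user["UserPolicyList"]]
        result[user["UserName"]] = sorted(sources)
    return result


if __name__ == "__main__":
    for user, sources in effective_policies(SAMPLE_DETAILS).items():
        print(user, sources)
    print("directly attached:", direct_attachments(SAMPLE_DETAILS))
```

`direct_attachments` is the list to work through when moving an account to group-based permissions; `effective_policies` shows what a user would lose if a direct attachment were removed without an equivalent group policy being in place.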