IAM (Identity and Access Management) Service:
- IAM is the AWS service that grants users the permissions they need to access the right services.
- IAM controls access to databases, storage, virtual machines and so on.
- IAM works with four terms: Users, Groups, Policies and Roles.
- It works at the group level and at the individual user level, and it can be managed through the web console or programmatically (for example with the CLI).
There are four components in the IAM service:
IAM Users:
The root user can add any number of users; these are called IAM users. IAM users have credentials for making API calls in order to communicate with AWS services and resources.
- The root user can invoke the IAM service through the AWS console or the CLI to add, modify or delete users.
- In the diagram above, IAM users have been added and they can access AWS services through the separate sign-in URL shared by the root user.
- When IAM users try to access services they may get an “access denied” error, because the root user has not yet granted them any access, such as an IAM policy.
IAM Groups:
A collection of IAM users is called an IAM group. A group can be given permissions to access services or resources, and every user inside the group inherits the same permissions.
In the diagram above, an authorized user creates the group and assigns IAM users to it; whatever permissions the group has are inherited by those IAM users automatically.
IAM Policies:
A collection of permissions that can be assigned to individual users, groups and roles is called an IAM policy.
Here the IAM policy, a collection of permissions, is attached to a group and to individual users as well.
IAM Roles:
A role is a defined set of permissions that can be attached to an EC2 instance, IAM users or groups, and that is used to delegate access to IAM users.
Here we can see that roles are created in the IAM service and attached to EC2 instances and IAM users, and that an IAM policy is attached to the role.
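To make the “access denied” behaviour and the group inheritance described above concrete, here is a small offline simulator of how identity-based policies are evaluated for an IAM user. It is an added illustration, not AWS code or code from this post; the users, groups, bucket names and policies are constructed samples, and it only models identity-based policies (no conditions, resource policies, permission boundaries or SCPs).

```python
# Added illustration: simplified IAM evaluation for identity-based policies.
# Real rule kept: explicit Deny > Allow > implicit deny, with '*' wildcards in
# Action and Resource. Everything else (conditions, resource policies, SCPs,
# permission boundaries) is deliberately left out.
from fnmatch import fnmatchcase

def _matches(patterns, value):
    """Action/Resource may be a string or a list; '*' is the IAM wildcard."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)

def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "ImplicitDeny"   # nothing attached => denied

def effective_policies(user, groups):
    """The user's own policies plus those inherited from every group they belong to."""
    docs = list(user["policies"])
    for name in user["groups"]:
        docs.extend(groups[name]["policies"])
    return docs

# Constructed sample data (hypothetical account, bucket and user names).
READ_LOGS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-logs", "arn:aws:s3:::example-logs/*"]}]}
NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}
GROUPS = {"analysts": {"policies": [READ_LOGS, NO_DELETE]}}
ALICE = {"groups": ["analysts"], "policies": []}   # inherits everything from the group
BOB = {"groups": [], "policies": [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}]}   # broad user policy
CAROL = {"groups": [], "policies": []}             # new IAM user, nothing attached yet

def decide(user, action, resource):
    return evaluate(effective_policies(user, GROUPS), action, resource)

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-logs/2024/app.log"
    print("alice get   :", decide(ALICE, "s3:GetObject", obj))      # Allow (from group)
    print("alice delete:", decide(ALICE, "s3:DeleteObject", obj))   # Deny (group's explicit deny)
    print("carol get   :", decide(CAROL, "s3:GetObject", obj))      # ImplicitDeny ("access denied")
```

Carol's result is the “access denied” case from the users section: a freshly created IAM user with no policy attached is denied by default, while Alice gets her permissions purely by group membership.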
A few interview questions:
Question 1: What is the difference between roles and policies?
- IAM roles can be attached to EC2 instances, but IAM policies can't.
- IAM roles can be used for delegation to users. For example, if a user in a partner account needs to access resources in my account, I share the required role with that user so they can access those resources.
Question 2: How can the CLI access the services available in AWS?
Answer: The services are exposed as a REST API, and the CLI must authenticate to them using its keys (an access key and a secret key).
Question 3: Should IAM users use the console.amazon.com URL?
Answer: No, IAM users access their assigned services or roles through a different URL provided by the root user.
We will see a demo of the IAM service in the next blog post.
That's all I have, and thanks a lot for reading. Please let me know if you have any corrections or suggestions, and please share and comment if you like the post. Thanks in advance… 😉