Identity and Access Management (IAM) is one of the key services within AWS and the primary service that handles authentication and authorization in AWS environments. It controls access to the AWS API endpoints used by the console UI, the command line tools, and any application that calls AWS.
IAM controls access to AWS services via policies that can be attached to users, groups and roles. Users are given long-term credentials to access AWS resources (a username and password, or access keys).
Roles provide short-term access to resources: when a role is assumed, temporary credentials are issued, and these expire rather than living on like a user's access keys.
IAM policies are JSON documents that either allow or deny access to combinations of actions and resources. An IAM policy (policy document) is called an identity policy when attached to an identity (a user, group or role) and a resource policy when attached to a resource (such as an S3 bucket). Policies have no effect until they are attached to something.
A policy document is a list of statements.
Each statement is matched against a request to AWS based on its Action (or actions), which are the API calls or operations being attempted, and its Resource (or resources), the resources the request targets. A matching statement results in an Allow or Deny (its Effect) for the request. Requests are denied by default: a request is allowed only if at least one matching statement allows it, and an explicit Deny in any matching statement overrides every Allow.
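The evaluation rules above (default deny, explicit Deny wins, otherwise an Allow is needed) in runnable form. This is an added example, not AWS code and not a complete model of IAM; it assumes only identity policies are in play (no resource policies, permission boundaries, SCPs, session policies or Condition blocks) and does not handle NotAction/NotResource. The two policy documents and the requests are constructed for the example.

```python
"""Simplified IAM identity-policy evaluator (added example; not AWS code).

Rules modelled: a request is denied by default, an explicit Deny in any
matching statement wins, otherwise a matching Allow is required.
Assumptions: only identity policies are evaluated; Condition blocks,
NotAction/NotResource, resource policies, boundaries and SCPs are ignored.
"""
import fnmatch
import json

# Constructed sample policy documents (not taken from any real account).
DEVELOPER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAnyBucket",
     "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "*"},
    {"Sid": "WriteAppBucket",
     "Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::app-bucket/*"}
  ]
}
""")

GUARDRAIL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "NeverTouchAuditLogs",
     "Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::audit-logs*"}
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns both cover the request.

    '*' and '?' act as wildcards. IAM action names are case-insensitive;
    resource ARNs are compared case-sensitively here.
    """
    action_ok = any(fnmatch.fnmatchcase(action.lower(), pattern.lower())
                    for pattern in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, pattern)
                      for pattern in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return (decision, reason) for one request against all attached policies."""
    allowed_by = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                # An explicit Deny ends evaluation no matter what else matched.
                return "Deny", f"explicit deny by {sid}"
            if stmt["Effect"] == "Allow" and allowed_by is None:
                allowed_by = sid
    if allowed_by is not None:
        return "Allow", f"allowed by {allowed_by}"
    return "Deny", "implicit deny (no matching Allow)"


if __name__ == "__main__":
    attached = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    requests = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/config.json"),   # Allow
        ("s3:PutObject", "arn:aws:s3:::app-bucket/upload.bin"),    # Allow
        ("s3:PutObject", "arn:aws:s3:::other-bucket/upload.bin"),  # implicit deny
        ("s3:GetObject", "arn:aws:s3:::audit-logs/2024/x.gz"),     # explicit deny beats Allow
        ("iam:CreateUser", "*"),                                   # implicit deny
    ]
    for action, resource in requests:
        decision, reason = evaluate(attached, action, resource)
        print(f"{decision:5} {action:15} {resource}  ({reason})")
```

The fourth request is the one worth noticing: ReadAnyBucket allows s3:GetObject on every resource, yet the guardrail's Deny wins regardless of the order in which the policies are attached.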
IAM Policy - Exam Tips
Use managed policies to control the base level of permissions and add inline policies only where a specific identity needs customization.
IAM users are a type of IAM identity suitable for long-term access by a known entity (a human, service or application).
A principal authenticates as an IAM user either with a username and password (console) or with access keys (CLI, SDKs and direct API calls).
Exam Facts and Figures:
IAM groups allow for large-scale management of IAM users: policies attached to a group apply to every user in it, so collections of similar users can be managed together. Groups are not principals themselves and cannot be nested.
Exam Facts and Figures:
Access keys consist of an access key ID and a secret access key. The access key ID is the public part of the key and is stored by AWS once generated. The secret access key is the sensitive, private part; it is shown only once, when the access key is initially generated, is held only by the owner of the key, and should never be revealed.
Access keys are the long-term credentials used to authenticate to AWS for anything but the console UI. The secret is never transmitted: requests carry the access key ID and a signature computed from the secret, which is how AWS can verify the caller without ever receiving the secret itself.
AWS Organizations is useful for businesses that need to manage multiple accounts. It provides the following features: