Identity Access Management, or IAM, is one of the most important services in AWS because it allows you to control exactly who and what accesses anything in your AWS infrastructure.
- [Instructor] By now, you've probably surmised that it's not the best idea to provide unrestricted access to your IT resources to everyone in your organization, but is there an easy way to provide extremely granular access permission to every user and service, but at the same time make them easy to manage? Thankfully, AWS has a service called Identity Access Management, commonly referred to as IAM, which helps you do just that. Identity and Access Management, or IAM, is a free service provided by AWS that enables you to manage access to the services and resources on the AWS Cloud. You can create and manage users and groups as well as set permissions to allow or deny access to various resources. The permissions are global, which means that the access you set for a user or group will be true for all regions in the AWS Cloud. When providing access to users and services, you should follow the principle of least privilege. There are a few ways you can set permissions for various services or users to access your AWS resources. You can use IAM to manage users, manage roles, and manage federated users. The first way you can set access is by using IAM to manage users. You can create users in IAM and assign them individual security credentials. These users have very granular permission sets, so you can control which operations a user can perform, and on which specific services. Users could be administrators who need console access to manage the AWS Cloud account, users who need to access content in the AWS Cloud account, or systems that need the ability to programmatically access data in the AWS Cloud account. Programmatic access means that applications are directly accessing resources in the AWS Cloud, as opposed to humans doing the same activity. Another way to set access is to manage IAM roles. You can create roles to manage permissions and control what these roles can do in your AWS instance.
An entity assumes a role and can obtain a set of temporary security credentials to make API calls to your AWS resources. This could be used to provide a user from another AWS account access to your AWS account, such as when an organization has separate development and production environments. The last way to set access is to manage federated users. By enabling identity federation, you can allow existing identities in your enterprise to access your AWS Cloud instance without having to create an IAM user for each user. You can use any identity management solution that supports SAML 2.0, or use one of AWS's federation samples. You've probably experienced identity federation in action when you signed up for an online service using your Facebook or Gmail account. In a corporate setting, you could have your Microsoft Active Directory users have federated access to your AWS Cloud instance using identity federation. Some benefits of IAM are enhanced security, granular control, the ability to provide temporary credentials, flexible security credential management, the ability to leverage external identity systems using federated access, and seamless integration of various AWS services within the AWS Cloud infrastructure.
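As an added illustration of the allow/deny model the instructor describes (this is not part of the course material), the following Python snippet models how IAM evaluates a request against an identity policy: an explicit Deny always wins, an Allow is required for the call to succeed, and anything not matched is implicitly denied. The bucket name, the least-privilege policy and the sample requests are constructed for this example.

```python
"""Simplified model of IAM identity-policy evaluation (teaching example).

Not AWS's real engine: real IAM also weighs Condition blocks, resource
policies, permission boundaries and SCPs. The core ordering is the same.
"""
from fnmatch import fnmatchcase

# Constructed least-privilege policy for a reporting system that may only
# read from one bucket and must never delete anything, anywhere.
REPORTING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports",
                      "arn:aws:s3:::example-reports/*"]},
        {"Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Wildcard match ('*' and '?') as IAM does for actions and ARNs."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request, using IAM's ordering:
    explicit Deny beats any Allow; an Allow is needed; default is Deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"       # explicit deny: decision is final
            allowed = True          # remember the Allow, keep looking for a Deny
    return "Allow" if allowed else "Deny"   # implicit deny when nothing matched


if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:DeleteObject", "arn:aws:s3:::example-reports/q1.csv"),
                     ("s3:GetObject", "arn:aws:s3:::other-bucket/data.csv"),
                     ("ec2:TerminateInstances", "*")]:
        print(f"{act:24} {res:44} -> {evaluate(REPORTING_POLICY, act, res)}")
```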
Note: This course also maps to the Security module of the AWS Certified Cloud Practitioner exam. Taking all four courses in the Introduction to AWS for Non-Engineers series will help you prepare for the exam.