
Identity and Access Management (IAM)

1. Identity and Access Management (IAM)

In this lesson, we will deep-dive into Identity and Access Management or IAM for short.

2. Why IAM?

Why does IAM matter? IAM grants permissions and makes access and authorization management simpler. Let's take an example. This is Dee - a new data scientist in the sales department of a large corporation in North America. She needs access to a number of systems and databases to do her job, with a combination of read-only and read-write access on different resources. A few other employees are joining on the same day, and everyone has different access requirements. IAM makes it easier to grant these permissions consistently by attaching them to groups and roles rather than to each person individually.

3. Who, what, and where?

Let's talk about the "who", "what", and "where" of IAM. First, the "who". IAM doesn't only set permissions for users; permissions can also be granted to computing resources such as a server. This is done with roles: a role is an identity with no long-term credentials of its own that can be assumed by an EC2 instance, a Lambda function, another AWS service, a federated identity, or a user who is trusted to assume it. The term "principal" covers anything that can make a request, so both users and roles (and the account root user). The authorization part of IAM makes up the "what" and the "where". Policies are JSON documents that list which actions are allowed or denied on which resources; resource-based policies additionally name the principals they apply to. Finally, AWS Organizations provides the "where": accounts are grouped into organizational units (OUs) such as "production", "development", or "test", and service control policies attached to an OU cap what any principal in those accounts can do, regardless of their IAM permissions.

4. Users vs. Roles

Let's dig a bit deeper into users versus roles. Users have long-term credentials (a console password and access keys) while roles use short-term credentials issued by AWS STS that expire automatically. You can collect users into a user group, and policies attached to the group apply to every member; roles cannot be grouped. Roles are often attached to servers (for example through an EC2 instance profile), and the server retrieves temporary credentials from STS at runtime. This eliminates the need to store credentials on the server, and because the credentials expire, a leaked set is useful to an attacker only for a short window. Users also have the ability to assume another role and temporarily pick up its permissions; whether a given user may do so is controlled by the role's trust policy. For user account security, it is recommended to enforce multi-factor authentication (MFA) for all users, and to require MFA in the trust policy of any privileged role.

5. Policy

Let's now look at policies in more detail. An IAM policy is a JSON document that specifies which actions are allowed (or explicitly denied) on which resources. In the example shown on the lesson slide, the policy allows all S3 actions ("s3:*") on a single bucket called 'awesome-datacamp-user'. Once a policy is attached to an identity - which can be a user, a user group, or a role - that identity can perform the specified actions on the resource. Two things to check in practice. First, the Resource element must cover what the action operates on: the bucket ARN (arn:aws:s3:::awesome-datacamp-user) covers bucket-level actions such as s3:ListBucket, while object-level actions such as s3:GetObject and s3:PutObject need the object ARN (arn:aws:s3:::awesome-datacamp-user/*) as well. Second, anything not explicitly allowed is denied by default, and an explicit Deny in any applicable policy always overrides an Allow.
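The following is an added worked example, written for this edit and not part of the original lesson or of any AWS code. It models how IAM evaluates the policy above (default deny, explicit Deny beating Allow, wildcard matching on actions and ARNs) and, tying back to the users-versus-roles slide, how STS checks a role's trust policy before issuing short-term credentials, including an MFA condition. The bucket name comes from the lesson; the account ID 123456789012, the role name sales-analyst, and the user ARN for Dee are constructed for illustration. The model is deliberately simplified: it ignores NotAction, NotResource, permission boundaries, SCPs, and all condition operators except Bool and StringEquals.

```python
"""Simplified model of IAM policy evaluation (teaching example, not AWS's engine)."""
import json
import re

# Constructed identity-based policy for the lesson's bucket. The object ARN
# (".../*") is what makes s3:GetObject / s3:PutObject work; the bucket ARN alone
# only covers bucket-level actions such as s3:ListBucket.
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::awesome-datacamp-user",
                  "arn:aws:s3:::awesome-datacamp-user/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::awesome-datacamp-user"}
  ]
}
""")

# Same intent, but with the common mistake of listing only the bucket ARN.
BUCKET_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::awesome-datacamp-user"}
  ]
}
""")

# Constructed trust policy for a role: only user "dee" in made-up account
# 123456789012 may assume it, and only when she authenticated with MFA.
ROLE_ARN = "arn:aws:iam::123456789012:role/sales-analyst"
DEE_ARN = "arn:aws:iam::123456789012:user/dee"
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/dee"},
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' a single one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _principal_matches(stmt, principal_arn):
    principal = stmt.get("Principal")
    if principal is None or principal == "*":   # identity-based policy, or anyone
        return True
    return any(arn in ("*", principal_arn) for arn in _as_list(principal.get("AWS", [])))


def _conditions_hold(stmt, context):
    """Only the Bool and StringEquals operators are modelled here."""
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policy, action, resource, principal_arn=None, context=None):
    """Return 'Allow' or 'Deny' for one request against one policy document."""
    context = context or {}
    decision = "Deny"                                   # implicit deny until a statement allows
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt, principal_arn):
            continue
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(p, resource) for p in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _conditions_hold(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                               # explicit deny always wins
        decision = "Allow"
    return decision


def can_assume(trust_policy, role_arn, principal_arn, mfa_present):
    """Mimic the trust-policy check STS performs before issuing short-term credentials."""
    context = {"aws:MultiFactorAuthPresent": "true" if mfa_present else "false"}
    return evaluate(trust_policy, "sts:AssumeRole", role_arn, principal_arn, context) == "Allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::awesome-datacamp-user/report.csv"
    print(evaluate(IDENTITY_POLICY, "s3:GetObject", obj))       # Allow
    print(evaluate(BUCKET_ONLY_POLICY, "s3:GetObject", obj))    # Deny: object ARN missing
    print(can_assume(TRUST_POLICY, ROLE_ARN, DEE_ARN, True))    # True
    print(can_assume(TRUST_POLICY, ROLE_ARN, DEE_ARN, False))   # False: MFA required
```

Running the block shows the two checks from the text directly: the bucket-only policy grants s3:ListBucket but not s3:GetObject, and the explicit Deny on s3:DeleteBucket holds even though "s3:*" is allowed on the same bucket. The trust-policy check is where "users can assume a role" meets "enforce MFA": without the MFA context key set, STS would refuse to issue the role's short-term credentials.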

6. Identity Center

Let's talk about one final tool related to IAM: IAM Identity Center (the successor to AWS Single Sign-On). Identity Center creates or connects workforce users and centrally manages their access to AWS accounts and applications. You can either create users in its own directory or connect an existing identity provider such as Microsoft Entra ID (which backs Microsoft 365 sign-in) or Okta over SAML 2.0, with SCIM provisioning, so that people sign in once with their corporate credentials. Access is then assigned through permission sets, which Identity Center materializes as IAM roles in each target account, so a user can be granted access to many AWS accounts across your organization from one place, as well as single sign-on to cloud applications. Because users receive short-term role credentials instead of long-term access keys, Identity Center is the recommended way to give people access to multiple accounts.

7. Let's practice!

Time to put what you've learned about IAM into practice!
