{"id":174739,"date":"2023-12-03T20:07:58","date_gmt":"2023-12-03T19:07:58","guid":{"rendered":"https:\/\/liora.io\/en\/?p=174739"},"modified":"2026-02-06T08:43:21","modified_gmt":"2026-02-06T07:43:21","slug":"aws-identity-access-management-iam-how-does-it-work","status":"publish","type":"post","link":"https:\/\/liora.io\/en\/aws-identity-access-management-iam-how-does-it-work","title":{"rendered":"AWS Identity Access Management (IAM): how does it work?"},"content":{"rendered":"<h3>What is Amazon IAM?<\/h3>\t\t\n\t\t<p><strong>AWS Identity and Access Management (IAM)<\/strong> is AWS&#8217;s identity and access management service. When you use any <a href=\"https:\/\/liora.io\/en\/amazon-web-services-aws-unveiling-the-power-of-the-amazon-cloud\">Amazon AWS service<\/a>, whether it&#8217;s web hosting,<a href=\"https:\/\/liora.io\/en\/why-kubernetes-has-become-an-indispensable-tool-in-data-science\"> Kubernetes clusters<\/a>, virtual machines, etc., you will automatically go through an authentication phase, during which the <strong>IAM service<\/strong> will grant you varying levels of access based on the permissions that have been assigned to you.<\/p>\t\t\n\t\t\t<h3>The different IAM entities<\/h3>\t\t\n\t\t<p><strong>IAM<\/strong> has several entities that allow you to fine-tune access to different resources:<\/p>\t\t\n\t\t\t<style type=\"text\/css\">\n.tg  {border-collapse:collapse;border-spacing:0;}\n.tg td{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n  overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg th{border-color:black;border-style:solid;border-width:1px;font-family:Arial, sans-serif;font-size:14px;\n  font-weight:normal;overflow:hidden;padding:10px 5px;word-break:normal;}\n.tg .tg-yj5y{background-color:#efefef;border-color:inherit;text-align:center;vertical-align:top}\n.tg .tg-9bmy{background-color:#9b9b9b;border-color:inherit;font-family:Arial, Helvetica, sans-serif 
!important;font-size:20px;\n  font-weight:bold;text-align:center;vertical-align:top}\n.tg .tg-0pky{border-color:inherit;text-align:left;vertical-align:top}\n<\/style>\n<table>\n<thead>\n  <tr>\n    <th>Entity<\/th>\n    <th>Description<\/th>\n    <th>When to Use<\/th>\n  <\/tr>\n<\/thead>\n<tbody>\n  <tr>\n    <td rowspan=\"2\">User<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image4-1.png\" alt=\"Image\" width=\"50\" height=\"50\"><\/td>\n    <td rowspan=\"2\">Every person needing access to your AWS resources should have a user account. Permissions are then defined through access policies.<\/td>\n    <td rowspan=\"2\">Grant specific access to individuals for certain tasks.<\/td>\n  <\/tr>\n  <tr>\n  <\/tr>\n  <tr>\n    <td>Groups<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image1-2.png\" alt=\"Image\" width=\"50\" height=\"50\"><\/td>\n    <td>This is a set of users with common permissions. Users can be added or removed as needed.<\/td>\n    <td>Grant common permissions to a group of user accounts.<\/td>\n  <\/tr>\n  <tr>\n    <td>Roles<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image7-1.png\" alt=\"Image\" width=\"50\" height=\"50\"><\/td>\n    <td>Roles are used to temporarily grant permissions to users or AWS resources.<\/td>\n    <td>Use roles when you need to temporarily grant permissions to users or resources.<\/td>\n  <\/tr>\n  <tr>\n    <td>Access Policy<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image3-1.png\" alt=\"Image\" width=\"50\" height=\"80\"><\/td>\n    <td>A Json document defining permissions for one or more IAM entities. 
These policies determine the actions users can perform on resources and the conditions under which these actions can be performed.<\/td>\n    <td>Use access policies to define granular permissions for each IAM entity in your AWS account.<\/td>\n  <\/tr>\n  <tr>\n    <td>Credentials Report<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image6-1.png\" alt=\"Image\" width=\"50\" height=\"55\"><\/td>\n    <td>A report providing information on different authentications and authorizations in your IAM account.<\/td>\n    <td>Audit and monitor user access and detect security anomalies.<\/td>\n  <\/tr>\n  <tr>\n    <td>Identity Provider<br><img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/image5-1.png\" alt=\"Image\" width=\"50\" height=\"50\"><\/td>\n    <td>A third-party service to provide authentication to your resources via other providers (Google, Facebook, Cognito, etc.)<\/td>\n    <td>Authenticate through a third-party service rather than AWS credentials.<\/td>\n  <\/tr>\n<\/tbody>\n<\/table>\t\t\n\t\t\t<h3>How does IAM work?<\/h3>\t\t\n\t\t<p><strong>AWS IAM<\/strong> is fully compatible with most <a href=\"https:\/\/liora.io\/en\/choosing-the-right-cloud-provider-aws-vs-azure-vs-gcp-unveiled\">AWS compute,<\/a> container, storage, database and other cloud offerings. 
However, AWS IAM is not fully compatible with all platform offerings, so it&#8217;s best to check compatibility before implementing the service.<\/p><p>The <strong>IAM infrastructure<\/strong> is illustrated in the following diagram:<\/p>\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t<figure>\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/liora.io\/app\/uploads\/2023\/03\/infrastructure-IAM.jpg\" title=\"\" alt=\"\" loading=\"lazy\">\t\t\t\t\t\t\t\t\t\t\t<figcaption><\/figcaption>\n\t\t\t\t\t\t\t\t\t\t<\/figure>\n\t\t<p><strong>Explanation:<\/strong> A principal (a human user or an application making a request to use <a href=\"https:\/\/liora.io\/en\/aws-courses-and-certifications-how-does-it-work-the-complete-guide\">AWS resources<\/a>) uses its credentials to authenticate itself. The principal then sends a request, and IAM decides whether to grant access through an authorization check. Once authorized, the principal is able to perform actions or operations on <a href=\"https:\/\/liora.io\/en\/aws-certification-what-is-it-and-how-do-i-get-it\">your AWS account<\/a>.<\/p>\t\t\n\t\t\t<h3>A few best practices<\/h3>\t\t\n\t\t<p>\u2705 Never use the root user to perform routine tasks.<\/p><p>\u2705 Human users must use temporary credentials to access AWS resources. You can use an identity provider for these users to assign them a role that will provide temporary credentials.<\/p><p>\u2705 Use <strong>multi-factor authentication (MFA)<\/strong> for users and roles.<\/p><p>\u2705 Rotate access keys regularly for use cases that require long-lasting credentials.<\/p><p>\u2705 To grant the permissions needed for a specific task, use minimal access policies scoped to the desired activity. 
IAM Access Analyzer will enable you to generate and audit these policies.<\/p><p>\u2705 Regularly review users, accounts, roles, and security policies, and delete those that have become obsolete or unused.<\/p>\t\t\n\t\t\t<h3>Conclusion<\/h3>\t\t\n\t\t<p>In conclusion, IAM lets you manage identities and access to an AWS account. This service enables you to control resource access authorizations, audit resource use and manage security policies. In this way, your users can enjoy a high level of security, while benefiting from the flexibility and scalability offered by AWS.<\/p>\t\t\n\t\t\t\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex is-content-justification-center\"><div class=\"wp-block-button \"><a class=\"wp-block-button__link wp-element-button \" href=\"\/en\/courses\/cloud-dev\/aws-solutions-architect\">Discover AWS training<\/a><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>What is Amazon IAM? AWS Identity and Access Management (IAM) is AWS&#8217;s identity and access management service. 
When you use any Amazon AWS service, whether it&#8217;s web hosting, Kubernetes clusters, virtual machines, etc., you will automatically go through an authentication phase, during which the IAM service will grant you varying levels of access based on [&hellip;]<\/p>\n","protected":false},"author":76,"featured_media":174743,"comment_status":"open","ping_status":"open","sticky":false,"template":"elementor_theme","format":"standard","meta":{"_acf_changed":false,"editor_notices":[],"footnotes":""},"categories":[2426],"class_list":["post-174739","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"acf":[],"_links":{"self":[{"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/posts\/174739","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/users\/76"}],"replies":[{"embeddable":true,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/comments?post=174739"}],"version-history":[{"count":1,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/posts\/174739\/revisions"}],"predecessor-version":[{"id":206194,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/posts\/174739\/revisions\/206194"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/media\/174743"}],"wp:attachment":[{"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/media?parent=174739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/liora.io\/en\/wp-json\/wp\/v2\/categories?post=174739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}