This content is part of the Essential Guide: How to deal with Identity and access management systems

How do AWS IAM permissions manage resource access?

We use AWS Identity and Access Management for cloud security, but aren't sure how roles, permissions and policies differ in a cloud security strategy. How do they protect resources?

Authentication is critical in the public cloud -- where services and data are accessed at a global scale. Properly managing user access within public cloud services like those from AWS takes careful planning.

AWS uses its Identity and Access Management service to enable IT administrators to create user identities, organize users into groups and assign AWS IAM permissions to access to resources and services. Developers access IAM features through web, command-line or API tools. The IAM console is a web portal and most administrators routinely manage IAM through a browser window.

Developers access IAM features through web, command-line or API tools.

The AWS Command Line Interface (CLI) offers more granular control over IAM management activity, allowing administrators to deploy scripts to speed repetitive IAM tasks while reducing errors and ensuring consistency. AWS also supports IAM access through APIs and software developer kits (SDKs), which give in-house or third-party tools access IAM features programmatically. For example, an enterprise mobile application might incorporate an SDK so that the app can securely interface with a workload or data in AWS.

IAM can handle several different types of credentials to authenticate users, including AWS access key, SSH key, X.509 certificate, passwords or a multifactor authentication (MFA) device. Which credentials you use depends on which technology is accessing the services; end users can hold more than one type of credential.

AWS end users typically access services with a username and password through the AWS console on a daily basis. An in-house developer uses an AWS access key to make secure calls through the API or SDK, while external users are assigned temporary X.509 certificates. For highly secure usage, an MFA device is used for additional authentication. IT professionals rarely use SSH keys, generally only using them to access AWS CodeCommit repositories.

Amazon Web Services security quiz

Test your knowledge of Amazon Web Services security best practices with this 10-question security quiz.

By default, users, groups and roles do not have AWS IAM permissions, as those must be assigned. AWS IAM permissions are granted through IAM policies. IT teams share policies in the form of documents, which are attached to users and groups. A set of commonly used AWS IAM permissions, called AWS managed policies, includes features like read-only access for a Simple Storage Service instance. Administrators can create custom policies that are then attached to users, groups and roles using the AWS Management Console, IAM API or the AWS CLI.

AWS' policy generator tool helps create new policies in the appropriate syntax. IT teams can use the policy simulator tool to ensure that new or adjusted policies have the proper effect on users, groups and roles. It allows admins to correct problems or unexpected consequences before placing new policies into production.

Next Steps

IAM roles protect AWS resources

Put users into access groups to save management time

Four gaffes that can compromise your AWS cloud

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality