IAM is a free AWS service that grants account access to other users with only the necessary permissions (principle of least privilege).
IAM information is globally available (i.e. available across regions) and globally resilient (i.e. can withstand simultaneous incidents in multiple regions). IAM has the capabilities of the full account since account trusts IAM’s database fully.
Account Quota
- 5000 IAM user per account (all regions combined)
- IAM users can be member to 10 groups max. If you need to go beyond, roles and identity federation are more appropriate.
Types of IAM identities:
- user: humans/applications
- group: collection of related users (e.g. dev, HR)
- role: used for uncertain number of entities, like services (e.g. we can have a role that lets all EC2 instances to access S3), or configure external access to account.
IAM Functionalities
- IAM is an identity provider (IdP)
- IAM authenticates users.
- IAM authorize access to resources via policies.
- Allows identity federation (e.g. existing Active Directory, social logins like Google, etc).
Signing in
IAM user sign-in have specific IAM sign-in URL available on
IAM dashboard -> AWS Account -> Sign-in URL for IAM users in this account. Account owner can set a globally unique account alias above the URL so that the URL is human-readable and easier to remember.