Learning Center
Cloud

Introduction to AWS Identity and Access Management (IAM)

4 Apr 2025
Hostman Team
Hostman Team

The AWS Identity and Access Management (IAM) toolset includes access configuration for cloud services, specifying under what conditions it is granted. This functionality is available to all users at no additional cost, but registration with AWS and initial login with credentials are required.

Identity Management refers to managing all accounts registered in a cloud service, regardless of the provider. However, in the context of using Amazon resources, IAM is more commonly applied. Companies like Gartner, KuppingerCole, and Forrester divide IAM into two areas: User Administration and Provisioning (UAP) and Identity and Access Governance (IAG).

The first represents a combination of administrative technologies and analytics, serving as the "foundation" of IAM. The second module includes comprehensive software tools for identity verification, access rights provisioning, and efficient and secure access management. A full-fledged IAM system must incorporate both elements.

How It Works
Copy link

AWS IAM policies allow resource tenants to manage permissions for employees and systems, granting necessary privileges on a cloud server. For example, staff can be granted access only during work hours, and permission lists can be configured separately within each access setting. By default, IAM blocks access to prevent unauthorized connections.

Key Features:

  • Security control tools ensure information security, which is crucial even for small businesses.
  • A compromised employee account does not lead to a system-wide breach since the attacker gains access only to limited resources.
  • Lifecycle automation for passwords and their groups, incident logging, and detailed report generation assist in management.
  • The system prevents unauthorized or excessive access to sensitive databases containing personal and corporate information that may be valuable to competitors. This approach nearly equates cloud resources to local, restricted-access environments.

Use Cases
Copy link

A typical example of IAM implementation is when enterprises use centralized information repositories containing files strictly for internal use, including documents designated for specific job roles. Allowing unrestricted access could result in employees copying data to local storage and distributing it widely.

Access control is managed by creating rules defining the connection type and actions allowed for a specific account. For instance, you can grant access to certain APIs for automated interaction with AWS IAM services or define a list of resources accessible to a particular user.

Examples:

  • IAM Access Analyzer – Implements the "principle of least privilege," where permissions are granted only as needed.
  • AWS Organizations – Uses SCP (Service Control Policy) to assign uniform roles within an organization or specific departments.
  • ABAC (Attribute-Based Access Control) – Provides detailed attribute sets to precisely determine permissions based on an employee’s job role.

IAM systems offer a simple yet effective solution for deploying corporate IT infrastructures. Similar functionality is available at Hostman. Cloud security is fundamental to its popularity, as businesses must entrust commercial information to external resources.

Differences Between IAM Security Elements
Copy link

When configuring AWS IAM tools, it is important to understand the differences between users, groups, and roles. While all these elements are created and managed within IAM, their security policies differ.

  • Users: An IAM user is an account that grants an individual access to AWS resources. Depending on the settings, users can either view or administer these resources.
  • Groups: Instead of assigning permissions individually, you can use groups, especially when multiple users share the same functionality. Predefined roles allow you to add new users to a group with automatically assigned permissions.
  • Roles: Roles function similarly to groups but are not linked to specific users. Instead, they are assigned dynamically to running instances. This approach enhances security by allowing temporary permissions without storing access keys on local devices. You can modify permissions for each session.

IAM Users
Copy link

When the first IAM account is created, it automatically receives administrator rights and access to the entire environment. However, using this account for daily operations is not recommended. Instead, create a new account with the required privileges for specific tasks. If multiple users require similar access, grouping them is advisable. Delete unused accounts to prevent former employees from accessing them.

User Creation:

  1. Navigate to or search for IAM.
  2. In the IAM Dashboard, select Users → Create user.
  3. Enter a username (up to 64 characters).
  4. Check the Provide AWS Management Console access box.
  5. Check I want to create an IAM user.
  6. Click Next.
  7. Select Add user to group or Apply policies directly, depending on your requirements.
  8. Click Create user.

IAM Groups
Copy link

Using group-based permission settings for AWS IAM resources is considered best practice. When an administrator changes roles or other settings, these modifications apply to all users in the group simultaneously. Users can also be transferred between groups if they switch departments.

Group Creation:

  1. Select Groups Create New Group.
  2. Enter a group name and proceed.
  3. Select the required permissions.
  4. Click Create.

Note that AWS IAM has a limit of 100 groups. After creating a group, assign users to it:

  1. Select the group and click Add Users to Group.
  2. Choose users and click Add Users.
  3. The summary will display the users now part of the group.

IAM Roles
Copy link

Roles differ from users as they are assigned to instances like EC2 rather than specific individuals. When using API calls with roles, IAM does not require access keys, significantly enhancing security by preventing external resources from accessing local storage.

Role Creation:

  1. Go to IAM Service → Roles.
  2. Select Create New Role → Enter the role name.
  3. Define necessary configurations and save changes.

Once an instance is launched, you cannot modify its role without stopping it first. Depending on the situation, it may be better to create an AMI (Amazon Machine Image) of the existing instance and use it to launch a new one with the updated role.

Conclusion
Copy link

AWS IAM provides highly flexible security settings. It is essential not to limit usage to basic functions but to leverage all available features, including groups and roles. Multi-Factor Authentication (MFA) adds an additional security layer, enabling automatic activation on mobile devices without requiring a username and password input.

Don't forget to check our virtual private servers.