Amazon Web Services (AWS) is a platform that provides cloud services on request to individuals, companies and organizations on a pay-as-needed basis. Today, AWS has become one of the leading cloud service providers. I have started researching the basic AWS services for developers, so from now on I will write a series of blog posts about the services I learn. In this first part, I will share what I know about AWS IAM (Identity and Access Management).

I. What is IAM?

– IAM, short for Identity and Access Management, is the AWS service that lets us securely and efficiently manage and control user access to AWS resources.

– IAM is the center of AWS: every AWS service goes through IAM to check permissions.

– AWS recommends not using the root account directly for everyday access, but instead logging in and using AWS resources through a user account created in IAM.

– The security model of AWS is built from four components: Users, Groups, Roles and Policies

Each user that is created should be given clear and appropriate permissions

Policies are written in JSON format


II. The components of IAM


1. Users

By default, the account you create with AWS is the root user, which has the highest level of permission over your AWS systems. With this user you can create more users and grant each one permissions for a specific purpose.

Users other than the root user have the following characteristics:

  • A new user has no permissions right after it is created
  • Each user can be issued an Access Key ID and Secret Access Key to access and use AWS resources programmatically, but these cannot be used to log in to the AWS console
  • The Access Key ID and Secret Access Key are shown only once, right after the user is created; if you lose them you have to create a new user, so you should save them. Normally AWS provides a credential.csv file containing the user information so it can be saved easily
  • We can create a Password Rotation Policy that forces users to change their password after a certain period of time.

2. Groups

When we want to give more than one user the same permissions, we can combine them into a collection and set the permissions on that collection. Such a collection of users is called a group.

  • A group can have one or many users
  • All users in a group inherit the permissions of that group
  • A user can join multiple groups, up to a maximum of 10 groups per user
  • A group has an identifier called the Group ARN (Amazon Resource Name)

3. Roles

IAM is the center of AWS, and each AWS service is independent so that tasks are kept separate and operations are more secure. Roles are what we need to let our services connect, transfer, communicate and exchange data and resources with each other safely and securely, with continuous communication.

4. Policies

Finally, the smallest element: a policy specifies detailed access to a certain element. Policies are applied to entities such as users, groups and roles when they perform a task that relates to their authority.

Policies are described clearly as JSON or YAML, and AWS defines six types of policies:

  • Identity-based policy: grants permissions to users, groups or roles
  • Resource-based policy: grants the right to use a resource; an example is the S3 bucket policy.
  • Permissions boundaries: define the maximum permissions that can be assigned to an entity, rather than granting permissions.
  • Organization SCPs: use the AWS Organizations service to define the maximum permissions of an account in the Organization or in an OU (organizational unit). An SCP restricts the permissions that identity-based or resource-based policies grant to entities (users or roles) in the account; it does not grant permissions itself.
  • Access Control List (ACL): similar to a resource-based policy, but not in JSON format.
  • Session policy: used with the AWS CLI or API. This policy restricts the permissions of the session being created; it does not grant permissions.

Here is an example of a policy. The Action list was cut off in the original, so a clearly labelled placeholder stands in for it, and the date is written in the ISO 8601 form that IAM date conditions require:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1571666184581",
      "Effect": "Allow",
      "Action": ["elasticbeanstalk:ACTION_PLACEHOLDER"],
      "Resource": "arn:aws:elasticbeanstalk:ap-southeast-1:1234567:application/staging",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "2019-10-18T00:00:00Z"
        }
      }
    }
  ]
}
```
Version: the version of the policy language. We should use the latest version so that every feature is supported. If you don't define it, the oldest version is used.

Statement: every policy has at least one statement, and a statement specifies which actions can be executed and which resources can be accessed. A statement includes:

  • Sid (statement ID): a unique string that identifies the statement
  • Effect: required; specifies whether the actions are allowed or denied
  • Action: the list of actions the statement applies to (ec2:CreateImage, ec2:CreateNetworkAcl, ...)
  • Principal: the users, roles or groups that are allowed or denied access to the AWS resources
  • Resource: the AWS resources to which the actions above apply
  • Condition: the conditions that must hold for the policy to apply
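A simplified evaluator for the policy elements described above (Effect, Action, Resource, Condition), added here as an illustration; it is not code from the original post or from AWS. It models the decision order IAM documents (an explicit Deny beats an Allow, which beats the implicit deny) and treats a permissions boundary from the policy-types list as an intersection with the identity policy. The sample documents, the DeleteApplication and UpdateApplication actions and the aws:CurrentTime values are constructed; only the staging application ARN comes from the post.

```python
# Simplified IAM policy evaluation, added as an illustration (not AWS's own code).
# Deny beats Allow beats implicit deny; a permissions boundary must also Allow.
from datetime import datetime
from fnmatch import fnmatchcase

def _matches(patterns, value):
    # IAM Action/Resource accept a string or a list, with * and ? wildcards
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_ok(cond, ctx):
    # Only DateGreaterThan/DateLessThan on aws:CurrentTime are modelled here
    iso = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    ops = {"DateGreaterThan": lambda a, b: a > b, "DateLessThan": lambda a, b: a < b}
    for op, kv in (cond or {}).items():
        for key, val in kv.items():
            if op not in ops or key not in ctx or not ops[op](iso(ctx[key]), iso(val)):
                return False   # unknown operator/key: statement does not apply
    return True

def evaluate(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one policy document."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", []), resource)
                and _condition_ok(stmt.get("Condition"), ctx)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        decision = "Allow"
    return decision

def is_allowed(identity_policy, action, resource, ctx, boundary=None):
    """Effective decision for an identity policy optionally limited by a boundary."""
    if evaluate(identity_policy, action, resource, ctx) != "Allow":
        return False
    return boundary is None or evaluate(boundary, action, resource, ctx) == "Allow"

# Constructed sample documents (not from the original post); the ARN is the post's.
STAGING_APP = "arn:aws:elasticbeanstalk:ap-southeast-1:1234567:application/staging"
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowStagingAfterDate", "Effect": "Allow", "Action": "elasticbeanstalk:*",
     "Resource": STAGING_APP,
     "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2019-10-18T00:00:00Z"}}},
    {"Sid": "DenyDelete", "Effect": "Deny",
     "Action": "elasticbeanstalk:DeleteApplication", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "elasticbeanstalk:Describe*", "Resource": "*"}]}
```

Note that the explicit Deny on DeleteApplication wins even though the wildcard Allow matches it, and that the boundary removes UpdateApplication although the identity policy allows it.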

III. Conclusion

As I mentioned above, IAM is the center of AWS: it manages access to and usage of AWS resources continuously and securely, so it is very important to learn about IAM before using other AWS services.

Hope this article is of help to you. I will continue to share more in the next articles.

More information about IAM can be found on the AWS document website:
