- Expands to Identity and Access Management
- IAM provides a single place to control who can access an AWS account and what they can do in it
- IAM is a global service: users, groups, and policies are defined once per account and apply across all regions, not per region
- Single sign-on (SSO) can be implemented through identity federation using SAML
- Supports temporary access through short-lived credentials
- IAM important terms
- Resources – Objects stored in IAM are resources. They can be added, edited, or removed as needed. Resources include
  - User
  - Group
  - Role
  - Policy
  - Identity provider
- Identities – The IAM resource objects used to identify and group principals. A policy can be attached to an IAM identity. Identities include
  - Users
  - Groups
  - Roles
- Entities – The IAM resource objects that AWS uses for authentication. They include
  - Users
  - Roles – can be assumed by IAM users, by users in another account, or by federated users (web identity or SAML)
- Principals – A person or application that signs in and makes requests to AWS as
  - the root user of the AWS account
  - an IAM user
  - an IAM role
- Terms used
- User – an end user (for example, a person)
- Groups – a collection of users that share a set of permissions
- Policies – a document that defines permissions (assigned to users, groups, and roles)
- Roles – not tied to a specific user in the account. Roles grant permissions to AWS resources, such as an EC2 instance, and can also be assumed by users, other accounts, or federated identities
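The following is an added example, not part of the original notes and not AWS's own code: a least-privilege identity policy for a group or role, a trust policy for a role that an EC2 instance can assume, and a small evaluator that mirrors how IAM decides a request (everything is denied by default, a matching Allow grants access, and a matching explicit Deny always wins). The bucket name and the `is_allowed` helper are constructed for this example; conditions, resource-based policies, and permission boundaries are left out.

```python
"""Added example: least-privilege IAM policy documents plus a simplified
evaluator. Bucket name and helper names are constructed placeholders."""
import fnmatch
import json

# Identity-based policy to attach to a group or role: read objects from one
# bucket (constructed name) and nothing else; deletes are explicitly denied.
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        },
        {
            "Sid": "NeverDeleteReports",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "arn:aws:s3:::example-reports-bucket/*",
        },
    ],
}

# Trust policy of a role an EC2 instance may assume (the "Roles" bullet above):
# it states WHO can assume the role, not what the role is allowed to do.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """Action and Resource values accept '*' wildcards; fnmatch handles them."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified evaluation of identity-based policies:
    1. start from an implicit deny,
    2. any matching Allow statement grants access,
    3. any matching Deny statement overrides every Allow.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit deny wins regardless of other statements
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


if __name__ == "__main__":
    print(json.dumps(READ_ONLY_BUCKET_POLICY, indent=2))
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
    obj = "arn:aws:s3:::example-reports-bucket/q1.csv"
    print("GetObject allowed:", is_allowed([READ_ONLY_BUCKET_POLICY], "s3:GetObject", obj))
    print("DeleteObject allowed:", is_allowed([READ_ONLY_BUCKET_POLICY], "s3:DeleteObject", obj))
```

The two documents are deliberately separate because IAM keeps them separate: the permissions policy answers "what may this identity do", the trust policy answers "who may become this role". Attaching the first to a group and the second to a role is how the group, policy, and role terms above fit together.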