AWS Identity and Access Management (IAM) is a web service that lets you securely manage who (authentication) has access to what resources and what actions they are allowed to perform on the resources (authorisation).
With IAM, you can grant granule permissions to different users, groups or roles by attaching policies to them. E.g. giving user John full control of EC2 instances but only granting the Developers group read-only access to a production S3 bucket or allowing the financial department to assume a role with full access to billing information for auditing purposes. Policies can be attached to groups so the permissions are shared by multiple users, known as standalone policy, or they can be attached to users and roles directly as inline policy. You can use both Amazon-managed policies or create your user-managed policies.
You can use both allow
and deny
rules in a policy. deny
rules always take precedence (most restrictive). IAM implements the least-privilege principle, which means users don’t have access to any resources when first created. Permissions need to be granted explicitly.
The security settings of IAM users can be managed centrally in IAM, including passwords, access keys and MFA devices. You can also manage permissions for federated users with passwords with other identity providers.