Identity & Access Management [IAM]
WHAT IS IT? [Identity and Access Management/ Google Cloud Identity and Access Management]
IAM allows you to manage identities and their level of access to AWS, whether they arrive through the console, the CLI or the API. It enables you to set up users, groups, permissions and roles, and to grant access to different parts of the AWS platform within very strict boundaries. It is well suited to granular permissions: an individual user can be given access to one service, or to a single resource within that service, and nothing else.
IAM is central to any cloud provider, whether that means giving developers the access they need to push updates through the pipeline into production or giving auditors access to inspect your work. IAM is a global service: its resources (users, groups, roles and policies) belong to the AWS account as a whole rather than to a specific region or Availability Zone.
Ultimately, IAM is how resources in the cloud authenticate to each other, how you audit what they did, and how you control what your users are allowed to work on. That means getting IAM right has implications not just for the security team, but for everyone involved.
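To make the "one service and not another" point concrete, here is an added example (not code from the original page, and not AWS's own policy engine): a deliberately simplified evaluator that applies the core IAM rules to a constructed identity policy. An explicit Deny always wins, an Allow is required for anything to succeed, and everything else is an implicit deny. It also models the Bool and BoolIfExists condition operators on aws:MultiFactorAuthPresent, because that key is absent from requests signed with long-term access keys (the kind the next section warns about), so an MFA-enforcement Deny written with plain Bool silently never fires for them. The bucket name app-artifacts and the policy contents are made-up assumptions; NotAction, NotResource, resource-based policies, SCPs, permission boundaries and the other condition operators are out of scope.

```python
"""Simplified IAM identity-policy evaluator (added example, not AWS code).

Models only the slice of the IAM evaluation logic discussed on this page:
explicit Deny beats Allow, an Allow is needed for access, and anything else is
an implicit deny. Action/Resource matching supports the "*" and "?" wildcards;
Condition supports only Bool / BoolIfExists. Everything else is out of scope.
"""
import re


def _matches(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition, context):
    """Evaluate a Condition block against the request context.

    Only Bool and BoolIfExists are modelled; any other operator fails closed
    (the statement is treated as not matching).
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            return False
        for key, wanted in pairs.items():
            if key not in context:
                # ...IfExists: a missing key satisfies the condition.
                # Plain Bool: a missing key means the condition is not met.
                if operator == "BoolIfExists":
                    continue
                return False
            if str(context[key]).lower() != str(wanted).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive; resource ARNs are not.
            if not any(_matches(p, action, True) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
                continue
            if "Condition" in stmt and not _condition_met(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny beats any Allow, so stop here
            decision = "Allow"
    return decision


# Constructed sample (hypothetical bucket): a developer who may only read,
# write and list one artifact bucket, and nothing else in the account.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"],
    }],
}


def mfa_guard(operator):
    """Deny everything unless the request was made with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }


MFA_GUARD_BOOL = mfa_guard("Bool")              # the common mistake
MFA_GUARD_IFEXISTS = mfa_guard("BoolIfExists")  # what AWS documents

# Request contexts. A console session (temporary credentials) carries the MFA
# key as "true" or "false"; a request signed with a long-term access key
# carries no aws:MultiFactorAuthPresent key at all.
CONSOLE_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
CONSOLE_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
ACCESS_KEY_REQUEST = {}

if __name__ == "__main__":
    obj = "arn:aws:s3:::app-artifacts/build.zip"
    for label, policies, ctx in [
        ("console with MFA, Bool guard", [DEVELOPER_POLICY, MFA_GUARD_BOOL], CONSOLE_WITH_MFA),
        ("access key, Bool guard", [DEVELOPER_POLICY, MFA_GUARD_BOOL], ACCESS_KEY_REQUEST),
        ("access key, BoolIfExists guard", [DEVELOPER_POLICY, MFA_GUARD_IFEXISTS], ACCESS_KEY_REQUEST),
        ("ec2:RunInstances, developer only", [DEVELOPER_POLICY], CONSOLE_WITH_MFA),
    ]:
        act = "ec2:RunInstances" if label.startswith("ec2") else "s3:GetObject"
        print(f"{label}: {evaluate(policies, act, obj, ctx)}")
```

The interesting run is the access-key request under the Bool guard: the developer's s3:GetObject is allowed, because the Deny condition cannot match a key that is not there. Switching the guard to BoolIfExists turns that into an explicit Deny, which is the behaviour people usually intend when they write an "MFA required" policy.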
WHAT’S THE FUSS?
AWS IAM is a bespoke system, one of the first built to handle authentication and authorisation in a massively distributed cloud environment. So even though it is foundational to the success of your AWS deployment, developers often have to learn it from scratch. You should always enable multi-factor authentication (MFA) on the root user and set an account password policy (length, complexity and rotation). If you are careless with identity federation, one compromised identity-provider account can lead to a breach across your entire AWS footprint. And long-lived access key and secret key pairs are easy to issue to users, but if one leaks you should assume that whoever found it is already using it to act with that user's permissions.
Ultimately, there is no substitute for a careful plan when laying out an IAM strategy. Infrastructure as code, federated identities and properly restrictive policies are not simple defaults to switch on, but they go a long way towards ensuring that your systems have exactly the access they need and no more.
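The checks in the paragraph above (MFA on root, MFA on any user with a console password, long-lived access keys that are old or unused) can all be read off the IAM credential report. The following is an added example, not the page's or AWS's tooling: it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` produces (the CLI returns it base64-encoded in the Content field) and lists the findings. The embedded report, the account ID 111122223333, the user names and the 90-day and 45-day thresholds are constructed assumptions so the script runs offline.

```python
"""Audit an IAM credential report for the hygiene issues raised above
(added example, not AWS tooling). The input format is the real credential
report CSV; the sample rows below are constructed, not from a live account.
"""
import csv
import io
from datetime import datetime, timezone

SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-03-01T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,not_supported,false,true,2019-03-01T10:05:00+00:00,2023-11-20T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-06-15T09:00:00+00:00,true,2024-05-30T07:00:00+00:00,2024-04-01T09:00:00+00:00,2024-07-01T09:00:00+00:00,true,true,2024-05-01T09:00:00+00:00,2024-05-30T07:00:00+00:00,eu-west-1,sts,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2020-01-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2020-01-10T09:00:00+00:00,2024-05-31T03:00:00+00:00,eu-west-1,ecr,true,2022-02-02T09:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-09-01T09:00:00+00:00,true,2024-05-28T10:00:00+00:00,2022-09-01T09:00:00+00:00,2022-12-01T09:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample
MAX_KEY_AGE_DAYS = 90  # assumed rotation limit for long-lived keys
STALE_KEY_DAYS = 45    # assumed: a key unused this long is probably not needed


def _timestamp(value):
    """Parse a report timestamp; N/A, not_supported and no_information -> None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit(report_csv, now=NOW):
    """Return (user, finding_code, detail) triples for each hygiene issue."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root gets its own rules: MFA is mandatory and it should hold no keys.
            if row["mfa_active"] != "true":
                findings.append((user, "root-no-mfa", "MFA is not enabled on the root user"))
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root-access-key", "root has an active access key; it should have none"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "password-no-mfa", "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _timestamp(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > MAX_KEY_AGE_DAYS:
                findings.append((user, "key-too-old",
                                 f"access key {n} last rotated {(now - rotated).days} days ago"))
            last_used = _timestamp(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, "key-never-used", f"access key {n} is active but has never been used"))
            elif (now - last_used).days > STALE_KEY_DAYS:
                findings.append((user, "key-stale",
                                 f"access key {n} last used {(now - last_used).days} days ago"))
    return findings


def audit_sample():
    """Run the audit over the embedded constructed report."""
    return audit(SAMPLE_REPORT)


if __name__ == "__main__":
    for user, code, detail in audit_sample():
        print(f"{user:16} {code:16} {detail}")
```

Against the sample, alice is clean, bob has a console password but no MFA, the root user has no MFA and an active key, and the ci-deploy user holds two keys well past the rotation limit, one of which has never been used at all. That last case is the one to act on first: a long-lived key that nobody is using is pure attack surface.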