Debug School

Ramesh Kumar

IAM AWS

What is IAM?

AWS Identity and Access Management (IAM) is a service provided by AWS that lets you control access to your AWS resources.

IAM enables you to control who can access your resources (authentication) and in which ways (authorization).

What is an IAM Role?

An IAM role is an IAM identity that you can create in your AWS account and to which you can assign specific permissions.

What is an IAM Policy?
An IAM policy is a document with a set of rules. Each IAM policy grants a specific set of permissions.

Policies are attached to IAM identities like Users, Groups, and Roles. Each IAM policy has a unique name.

There are two types of policies in your AWS account:

Managed policies:

These policies can be reused and attached to multiple entities. AWS provides a lot of managed policies by default. Customers can also create their own managed policies.

Inline policies:

These policies are applied directly to IAM entities. However, these policies are not reusable and cannot be attached to multiple entities.

What are policies?
IAM policies define permissions for an action regardless of the method that you use to perform the operation.

  1. Identity-based policies – You can attach managed and inline policies to IAM identities (users, groups to which users belong, and roles).

  2. Resource-based policies – You can attach inline policies to resources in some AWS services. The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies. AWS RoboMaker does not support resource-based policies.

  3. Organizations SCPs – You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary to an AWS Organizations organization or organizational unit (OU). Those permissions are applied to all entities within the member accounts.

  4. Access control lists (ACLs) – You can use ACLs to control what principals can access a resource.

ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure. AWS RoboMaker does not support ACLs.

These policy types can be categorized as permissions policies or permissions boundaries.

  1. Permissions policies – You can attach permissions policies to a resource in AWS to define the permissions for that object. Within a single account, AWS evaluates all permissions policies together. Permissions policies are the most common policies. You can use the following policy types as permissions policies:

    Identity-based policies – When you attach a managed or inline policy to an IAM user, group, or role, the policy defines the permissions for that entity.

    Resource-based policies – When you attach a JSON policy document to a resource, you define the permissions for that resource. The service must support resource-based policies.

    Access control lists (ACLs) – When you attach an ACL to a resource, you define a list of principals with permission to access that resource. The resource must support ACLs.

  2. Permissions boundaries – You can use policies to define the permissions boundary for an entity (user or role). A permissions boundary controls the maximum permissions that an entity can have. Permissions boundaries are an advanced AWS feature. When more than one permissions boundary applies to a request, AWS evaluates each permissions boundary separately. You can apply a permissions boundary in the following situations:

    Organizations – You can use an AWS Organizations service control policy (SCP) to apply a permissions boundary to an AWS Organizations organization or organizational unit (OU).

    IAM users or roles – You can use a managed policy for a user or role's permissions boundary. For more information, see Permissions Boundaries for IAM Entities in the IAM User Guide.
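The distinction above between permissions policies (which grant) and permissions boundaries and SCPs (which only cap) is easiest to see by tracing a request through the evaluation rules. The following toy evaluator is an added example, not code from the post or from AWS; it handles only identity-based policies, an optional permissions boundary and an optional SCP, leaves out resource-based and session policies, and uses constructed sample policies.

```python
from fnmatch import fnmatchcase


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches_action(pattern, action):
    # Action names are matched case-insensitively; "*" and "s3:*" are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate(statements, action, resource):
    """Return 'Deny', 'Allow' or None (nothing matched) for one statement list."""
    result = None
    for st in statements:
        if not any(_matches_action(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", "*"))):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny is final for this statement list
        result = "Allow"
    return result


def is_allowed(identity_policies, action, resource, boundary=None, scp=None):
    """Identity-based policies grant; the boundary and the SCP only limit.
    Explicit deny anywhere wins; otherwise every applicable policy type must allow."""
    verdicts = [evaluate([s for p in identity_policies for s in p["Statement"]], action, resource)]
    if boundary is not None:
        verdicts.append(evaluate(boundary["Statement"], action, resource))
    if scp is not None:
        verdicts.append(evaluate(scp["Statement"], action, resource))
    return all(v == "Allow" for v in verdicts)


# Constructed sample policies (hypothetical, not from the page).
DEVELOPER_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:StartInstances"], "Resource": "*"}]}
# Managed policy used as a permissions boundary: caps the developer at read-only S3.
READ_ONLY_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "ec2:*"], "Resource": "*"}]}
# Organizations SCP for the OU: everything allowed except EC2.
NO_EC2_SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:*", "Resource": "*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::data/report.csv"
    for act in ("s3:GetObject", "s3:DeleteObject", "ec2:StartInstances", "iam:CreateUser"):
        print(act, is_allowed([DEVELOPER_POLICY], act, obj, READ_ONLY_BOUNDARY, NO_EC2_SCP))
```

Running it shows that the developer's own policy allows s3:DeleteObject, but the boundary caps it, and that the SCP's explicit deny overrides both allows for ec2:StartInstances.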

Authentication in IAM?
Authentication or identity management in AWS IAM consists of the following identities:

Users: An IAM user interacts with your AWS resources from the AWS console and the AWS CLI. By default, a new IAM user has no access to any AWS resource.

Groups: An IAM group consists of IAM users and permissions assigned to those users.

Roles: An IAM role is an entity with a specific set of permissions.

Authorization in IAM?
IAM Policies determine authorization or access management in IAM by granting specific permissions to various IAM identities.

What are IAM roles vs. policies?
IAM Roles manage who has access to your AWS resource, whereas IAM policies control their permissions.

Without a role and without a policy, we cannot access any AWS resource.

Therefore, you should use IAM roles and policies together to manage the security of your AWS resources.
