# Identity and Access Management (IAM)

* Stands for Identity and Access Management.
* It is a global service.

## Icon

![IAM Icon](https://icon.icepanel.io/AWS/svg/Security-Identity-Compliance/Identity-and-Access-Management.svg)

## Terminology

### User

* A person or application that uses AWS resources.
* Users can be grouped *(see Group)*.

### Group

* A collection of users makes up a Group.
* Groups can only contain users; a Group cannot contain another Group.
* A User can belong to multiple Groups.

## Policy

* A policy is a JSON document that describes the permissions a user or group has to access resources.
* Sample Policy Document *(JSON does not allow comments, so none are used here; `Version` and `Id` are the policy language version and the policy identifier)*:

  ```json
  {
      "Version": "2012-10-17",
      "Id": "PolicyId",
      "Statement": [
          {
              "Sid": "AllowOrgsReadOnlyAndIamGetReport",
              "Effect": "Allow",
              "Action": [
                  "iam:GetOrganizationsAccessReport",
                  "organizations:Describe*",
                  "organizations:List*"
              ],
              "Resource": "*"
          },
          {
              "Sid": "AllowGenerateReportOnlyForThePolicy",
              "Effect": "Allow",
              "Action": "iam:GenerateOrganizationsAccessReport",
              "Resource": "*",
              "Condition": {
                  "StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}
              }
          }
      ]
  }
  ```
* In AWS *(or any cloud service provider)*, always apply the [**Least Privilege Principle**](https://en.wikipedia.org/wiki/Principle_of_least_privilege) when granting access to resources.
* Policy structure:
  * `Version`, the policy language version.
  * `Id`, the policy identifier.
  * `Statement`, one or more statements, each with:
    * `Sid`, the statement id *(optional)*
    * `Effect` *(Allow or Deny)* *(Mandatory)*
    * `Principal`, the account, user, role, or service that the statement applies to.
    * `Action`, the action(s) that the statement allows or denies. *(Mandatory)*
    * `Resource`, the AWS resource(s) the action(s) apply to. *(Mandatory)*
    * `Condition`, the conditions under which the statement applies. *(optional)*
* Policy inheritance: a user who belongs to multiple groups inherits the policies of all of those groups.
* Inline policies are policies attached directly to a single user.
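As an added example (not part of the original notes or of any AWS library), the Python below evaluates the sample policy above with the rules the structure list describes: implicit deny by default, an explicit `Deny` beats any `Allow`, `*` wildcards in `Action`, and a `StringEquals` condition, plus a small least-privilege check that flags `Allow` statements granting `*` on `*`. The function names and the simplified evaluation logic are assumptions of this example, not AWS's actual policy engine.

```python
import fnmatch
import json
# Constructed sample: the policy from the notes above, with the comments removed.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17", "Id": "PolicyId", "Statement": [
  {"Sid": "AllowOrgsReadOnlyAndIamGetReport", "Effect": "Allow",
   "Action": ["iam:GetOrganizationsAccessReport", "organizations:Describe*", "organizations:List*"],
   "Resource": "*"},
  {"Sid": "AllowGenerateReportOnlyForThePolicy", "Effect": "Allow",
   "Action": "iam:GenerateOrganizationsAccessReport", "Resource": "*",
   "Condition": {"StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}}}]}
""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action, Resource and condition values.
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only StringEquals is modelled here: every listed key must match the request context.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation (assumption, not the real engine): implicit deny by
    default, explicit Deny beats Allow, '*'/'?' wildcards in Action and Resource, and
    StringEquals conditions. Action names compare case-insensitively, ARNs case-sensitively."""
    context = context or {}
    decision = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit deny always wins
        decision = True
    return decision

def overly_broad_statements(policy):
    """Least-privilege lint: Sids of Allow statements granting every action on every resource."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and "*" in _as_list(s.get("Action", []))
            and "*" in _as_list(s.get("Resource", []))]
```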

### Principal

* In an IAM policy, any of the following can be the principal:
  * Account ![Account Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-274247d2731d15f65e8d2df073b31c8a0051fa3a%2FAccount.png?alt=media)
  * Root User ![Root User Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-225d7c8ff0377382ede441c834b084c8188b9ccd%2FRoot.png?alt=media)
  * IAM Roles ![IAM Roles Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-2979dfbd4187495b1350ce1d7450318a5b8bf379%2FIAM_Roles.png?alt=media)
  * IAM Role Sessions ![IAM Roles Session Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-b421f0c0353bdc3568387ef7937e1f72c58a4258%2FIAM_RoleSession.png?alt=media)
  * IAM User ![IAM User Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-d080da5490d7df1c3bc2e04374dc6f02e93ed020%2FIAM_User.png?alt=media)
  * Federated User ![Federated User Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-0103cd51464d34d58fe5e13c8e69d4290d0dbc96%2FFederatedUser.png?alt=media)
  * AWS Service ![AWS Service Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-d029421beadb11cebf9fb37e0457d501aab11362%2FAWS_Service.png?alt=media)
  * All Principals ![All Principal](https://574639531-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FJDnjsv52I3fJ56WbLgHu%2Fuploads%2Fgit-blob-5eddc843e5bd52c740666cbc4d2136cd1d8f74fd%2FAll_Principals.png?alt=media)

## Roles

* IAM roles let AWS services (or other principals) perform actions on behalf of a user.
* Roles are assigned permission policies.
* Assuming a role lets a user or AWS service perform tasks with the permissions attached to that role, on behalf of the entity whose role is assumed.
* There are 5 types of roles:
  * AWS Service
  * AWS Account
  * SAML
  * Web Identity
  * Custom Trust Policy

## References

* [All about policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html)
* [What is Principal in Policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html)
