IAM Identities (users, user groups, and roles) (part 2)

To read part 1, please click here




When to Create an IAM User (Instead of a Role)

You do not need to create an IAM user every time you need credentials. An IAM user is simply an identity with specific permissions in your account, and in many cases you can instead take advantage of IAM roles, whose temporary security credentials are issued on demand and are not meant for long-term use. Create an IAM user in situations like these:

You created an AWS account and you are the only person who works in your account.

Although you can easily work with AWS using root user credentials for your AWS account, it's not recommended. You should create your own IAM user and use its credentials whenever you work with AWS.

Other people in your group need to work in your AWS account, and your group is using no other identity mechanism.

Create an IAM user for each individual who requires access to your AWS resources, assign each user the appropriate permissions, and give each user their own credentials. Never share credentials among multiple users.

When to Create an IAM Role (Instead of a User)

Create a role rather than a user in the following situations:

You are creating an application that runs on an Amazon Elastic Compute Cloud (EC2) instance, and that application makes requests to AWS.

Here, no IAM user is required. Instead, an IAM role can be attached to the EC2 instance to provide temporary security credentials to the applications running on the instance. The policies attached to the role determine which operations the application is permitted to perform in AWS with those credentials.

You are creating an app that runs on a mobile phone and that makes requests to AWS.

Here, an identity provider such as Login with Amazon, Amazon Cognito, Facebook, or Google is used to authenticate the users and map them to an IAM role. The app then receives temporary security credentials whose permissions are defined by the policies attached to the role.

Users in your company are authenticated in your corporate network and want to be able to use AWS without having to sign in again - i.e., you want to allow users to federate into AWS.

A federation relationship can be configured between your enterprise identity system and AWS in one of these ways:
  1. If your company's identity system is compatible with SAML 2.0, a trust can be established between it and AWS.
  2. A custom proxy server can be created to translate user identities from the enterprise into IAM roles that provide temporary AWS security credentials.
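In both the EC2 scenario and the federation scenario, what actually limits who can obtain the role's temporary credentials is the role's trust policy. The following added example (not code from the original post) is a small audit function that flags trust policies which are broader than those scenarios need: a wildcard principal, a wildcard action, or a SAML trust without an audience condition. The account id and identity-provider name are constructed placeholders.

```python
import json

# Constructed sample trust policies (added example, not from the post); the
# account id and provider name are placeholders.
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
SAML_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
    "Action": "sts:AssumeRoleWithSAML",
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}
# Same federation trust but without the audience condition.
SAML_NO_AUD = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/ExampleIdP"},
    "Action": "sts:AssumeRoleWithSAML"}]}
# Overly broad: any AWS identity at all may assume the role.
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}


def _listify(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy):
    """Return findings for a role trust policy (dict or JSON text); [] means scoped."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for stmt in _listify(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        actions = _listify(stmt.get("Action", []))
        # Principal is either the bare string "*" or a map such as {"AWS": "*"}.
        values = [principal] if isinstance(principal, str) else [
            v for vals in principal.values() for v in _listify(vals)]
        if "*" in values:
            findings.append("wildcard principal: any AWS identity may assume the role")
        if any(a in ("*", "sts:*") for a in actions):
            findings.append("wildcard action: grant only the sts:AssumeRole variant the scenario needs")
        if "sts:AssumeRoleWithSAML" in actions and "SAML:aud" not in json.dumps(stmt.get("Condition", {})):
            findings.append("SAML federation trust lacks a SAML:aud audience condition")
    return findings
```

The EC2 and SAML policies with an audience condition produce no findings; the open policy and the SAML policy without `SAML:aud` each produce one.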

IAM Users

An AWS IAM user is an entity with a name and credentials, created in AWS to represent the person or application that uses it to interact with AWS. Note that an IAM user with administrator permissions is not the same as the AWS account root user.
