Let's start from basic: What's is AWS IAM?
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.
What does exactly IAM provide:
- Shared access to your AWS account
- Granular permissions
- Secure access to AWS resources for applications that run on Amazon EC2
- Multi-factor authentication (MFA)
- Identity federation
- Identity information for assurance
- PCI DSS Compliance (debatable, IMHO)
- Integrated with many AWS services
- Eventually Consistent
- Free to use
Do all AWS services work with IAM?
Not exactly: Here the list:
IAM currently supports the following authorization models:
- Role-based access control (RBAC). RBAC defines permissions based on a person's job function, known outside of AWS as a role.
- Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes. In AWS, these attributes are called tags. Tags can be attached to IAM principals (users or roles) and to AWS resources.
AWS IAM principals:
- User
- Roles
- Groups