After setting up an AWS account (the root account), it is very important to set up IAM and MFA. So let's get started.
IAM stands for Identity and Access Management. It is the place where you manage AWS users, groups, and roles, and their access to AWS accounts and resources. You can also grant permissions to users outside of AWS (federated users).
So below is the architecture diagram of IAM that I created.
So, to create an IAM user, go to IAM --> Users --> Add user and enter all the details. By default, a new IAM user, for example Raj, does NOT have access to any AWS services. To use them, a policy granting Allow access has to be attached to Raj.
Now, this brings up a question: what are an IAM group and an IAM policy?
IAM group - This allows us to assign IAM permission policies to more than one user at a time.
IAM policy - A policy is a document that formally states one or more permissions.
So now let's give Raj administrator access. This can be done by creating a group or by directly assigning the administrator access policy to the user, as shown in the screenshot below.
So now you must be wondering: if I have multiple users, for example Rani, Jon and Dan, do I need to repeat the above step for each one? That would be very hectic, and this is where a group comes into play. We can create a group, for example admin-access-group, add multiple users to that group, and assign IAM permission policies to the group. Now all of those users have administrator access.
So that's great. Now we can have multiple users with the same policy applied to them through a group.
Now, what are IAM roles? As per the AWS definition:
An IAM role is an IAM entity that defines a set of permissions for making AWS service requests.
In the context of our figure, the "entities" that can assume a role include AWS resources (such as an EC2 instance). Roles must be used because policies cannot be directly attached to AWS services. For example, if you are using an EC2 instance and it needs to access an S3 bucket, the instance should assume a role from IAM with the required permissions (S3 read-only). The instance can then perform actions based on the role it assumes (read from S3). An EC2 instance can only have ONE role attached at a time.
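To make the user/group/policy discussion above and the EC2 role example concrete, here is an added example (my own code, not part of the original post and not AWS's implementation): a small local simulator of how IAM evaluates identity-based policies. It shows that a fresh user such as Raj has no access until an Allow policy reaches him directly or through a group like admin-access-group, and that an EC2 instance only gets the S3 read-only permissions through a role whose trust policy names the EC2 service. The policy documents, the role name s3-read-role and the user list are constructed for this example; the evaluation rules (implicit deny by default, explicit Deny overriding any Allow) are the documented IAM behaviour.

```python
"""Local simulation of IAM policy evaluation (added example, not AWS code).
Policy documents and names are constructed for the illustration."""
import fnmatch

# --- Policy documents (constructed for this example) --------------------
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

S3_READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "*",
    }],
}

# Trust policy of the role: only the EC2 service may assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards '*' and '?'; action names are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policies, action, resource):
    """Evaluate a set of identity-based policies the way IAM does:
    no matching statement -> implicit deny; a matching Deny -> explicit
    deny that overrides every Allow; otherwise a matching Allow allows."""
    allowed = False
    for doc in policies:
        for stmt in doc["Statement"]:
            act_ok = any(_matches(p, action) for p in _as_list(stmt["Action"]))
            res_ok = any(_matches(p, resource) for p in _as_list(stmt["Resource"]))
            if not (act_ok and res_ok):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# --- Identity model (constructed; names follow the post) ----------------
GROUPS = {"admin-access-group": [ADMIN_POLICY]}
USERS = {
    "Raj": {"groups": [], "policies": []},        # fresh user, nothing attached
    "Rani": {"groups": ["admin-access-group"], "policies": []},
}
ROLES = {"s3-read-role": {"trust": EC2_TRUST_POLICY, "policies": [S3_READ_ONLY_POLICY]}}


def add_user_to_group(user, group):
    USERS[user]["groups"].append(group)


def effective_policies(user):
    """Policies attached to the user directly plus those of every group."""
    docs = list(USERS[user]["policies"])
    for group in USERS[user]["groups"]:
        docs.extend(GROUPS[group])
    return docs


def user_allowed(user, action, resource="*"):
    return is_allowed(effective_policies(user), action, resource)


def can_assume(role, service_principal):
    """Does the role's trust policy let this service principal assume it?"""
    for stmt in ROLES[role]["trust"]["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow"
                and "sts:AssumeRole" in _as_list(stmt["Action"])
                and service_principal in services):
            return True
    return False


def instance_allowed(role, action, resource="*"):
    """What an EC2 instance holding `role` may do: it must be able to
    assume the role, and then only the role's permission policies apply."""
    if not can_assume(role, "ec2.amazonaws.com"):
        return False
    return is_allowed(ROLES[role]["policies"], action, resource)


if __name__ == "__main__":
    print("Raj  s3:GetObject  ->", user_allowed("Raj", "s3:GetObject"))       # False
    print("Rani iam:CreateUser->", user_allowed("Rani", "iam:CreateUser"))    # True
    add_user_to_group("Raj", "admin-access-group")
    print("Raj  after group   ->", user_allowed("Raj", "s3:GetObject"))       # True
    print("EC2 s3:GetObject   ->", instance_allowed("s3-read-role", "s3:GetObject"))  # True
    print("EC2 s3:PutObject   ->", instance_allowed("s3-read-role", "s3:PutObject"))  # False
```

The simulator deliberately keeps the IAM ordering: an explicit Deny anywhere in the effective set wins, and anything not explicitly allowed is denied, which is why a brand-new user can do nothing. The role branch separates the two documents a role always has, the trust policy (who may assume it) and the permission policies (what the assumed role may do); a service not named in the trust policy gets nothing even if the permission policy is wide open.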
So now what is MFA? As per the AWS definition:
AWS multi-factor authentication (AWS MFA) provides an extra level of security that you can apply to your AWS environment. You can enable AWS MFA for your AWS account and for individual AWS Identity and Access Management (IAM) users you create under your account.
To set up MFA, follow the steps below.
Go to IAM --> Enable MFA. For this you will need to download an MFA software application, for example Google Authenticator or Microsoft Authenticator, or you can use a hardware MFA device.
I have downloaded Google Authenticator, so now just scan the QR code and enter Authentication Code 1 and 2. That's it, just click on Finish and MFA is set up on the account.
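As an added example (my own code, not from the original post and not AWS's or Google's implementation), here is what the authenticator app actually computes from the secret inside that QR code: a time-based one-time password (TOTP, RFC 6238, built on HOTP, RFC 4226), which is the standard virtual MFA apps like Google Authenticator implement. The secret used is the RFC 6238 test seed, so the codes can be checked against the RFC's published values; the final function is my illustration of why the setup page asks for two consecutive codes (it proves the secret was entered correctly and the device clock lines up with the server's), not a description of AWS's server-side check.

```python
"""TOTP as used by virtual MFA apps (added example; RFC test vectors)."""
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test seed, and the same seed as an authenticator app
# would receive it in the otpauth:// QR code (base32).
RFC_SEED = b"12345678901234567890"
RFC_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). A 30-second
    step is what Google Authenticator and AWS virtual MFA devices use."""
    return hotp(secret, unix_time // step, digits)


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret from the QR code, tolerating missing padding."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify_two_consecutive(secret: bytes, code1: str, code2: str,
                           now: int, step: int = 30, window: int = 1) -> bool:
    """Illustration (assumption, not AWS's logic) of an enrolment check that
    wants two codes from adjacent time steps near `now`, allowing +/-`window`
    steps of clock drift. One matching code could be a guess or a stale
    screen; two adjacent ones show the secret and the clock are both right."""
    base = now // step
    for t in range(base - window - 1, base + window + 1):
        if hotp(secret, t) == code1 and hotp(secret, t + 1) == code2:
            return True
    return False


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SEED_B32)
    print("current code:", totp(secret, int(time.time())))
    # Two codes from adjacent 30-second steps, as typed during setup.
    c1, c2 = totp(secret, 1111111109), totp(secret, 1111111111)
    print("enrolment ok:", verify_two_consecutive(secret, c1, c2, 1111111111))  # True
```

Note that the secret itself never leaves the device after enrolment; only the derived six-digit code does, and it is useless after its 30-second window. That is why keeping the QR code or the base32 seed out of screenshots and chat logs matters as much as the password.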
Thank you.