Managing permissions to your Cloud | Intro to Identity and Access Management | IAM

Many companies run their applications and store data in the cloud. A company's employees and customers also interact with that cloud. Setting up rules about who can do what is therefore critical.

The question

  • Who — deals with identifying the person. The username/password combination is one of the most popular ways to identify a person. Smartphones have taken it up a notch by using fingerprints and face scanning. To call a REST endpoint, one can use an Access Key or API Key. All of these different solutions are part of an Authentication framework, also called Identity Management.

Combine the two concepts and you get Authentication and Authorization, or Identity and Access Management (IAM). Here is a list of some popular IAM tools (from Gartner's market review):

  • Okta SSO — Auth0

Important Terminologies

Assume that person-X is trying to create, delete, or access a Virtual Machine. The cloud provider would check the permissions using the IAM component to find out: "Should person-X be able to create/delete/access a Virtual Machine?" In this example,

  • Person-X is known as a Principal

In IAM, one creates permissions. Examples of permissions:

  • Create/delete/access a VM with specific configuration

These permissions can be grouped into a policy, which can then be attached to a user.

What if person-X needs ten people to work on a project? Instead of attaching a policy to each user, one can

  • create a user-group for person-X’s team


It is essential to take time while defining permissions. One should ideally follow the principle of least privilege, which states that a user should be given only the permissions needed for the task at hand. Add more permissions later on if needed.

Identity and Access Management in AWS

In AWS, IAM is a dedicated service. Policies and permissions are defined using IAM.

A screenshot of sample permissions from AWS Console

IAM can also assist with

  • Onboarding a user

A screenshot of the user creation screen from the AWS console

Consider the following scenario: user-X is part of group-A and group-B.

  • Group-A has a policy that allows the create-VM action and access to a database

What would you expect to happen if user-X wants to create a VM, access the database, and create a subnet?

One policy allows VM creation, but the other does not, so when user-X tries to create a VM, the action should be denied. User-X should be able to access the database. As none of the policies linked to user-X says anything about the create-subnet action, it should be denied. IAM follows the same logic:

  • deny an action if any policy linked to a user has a deny permission
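The evaluation order described above, as an added example rather than code from the post: a small Python evaluator over simplified AWS-style policy documents. The two policies are constructed for this example (the post only shows Group-A's; Group-B is assumed to carry an explicit Deny on VM creation), and the evaluator also accepts `*` wildcards in actions, which goes slightly beyond the post's scenario.

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not from the post), in a simplified AWS-style shape.
# Group-A allows VM creation and database access; Group-B is assumed to hold an
# explicit Deny on VM creation, which is what makes "create VM" come out as denied.
GROUP_A_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "rds:DescribeDBInstances"]},
    ]
}
GROUP_B_POLICY = {
    "Statement": [
        {"Effect": "Deny", "Action": ["ec2:RunInstances"]},
    ]
}


def _matches(statement, action):
    """True if the statement covers `action`. Action may be a string or a list,
    and may contain '*' wildcards (e.g. "ec2:*")."""
    actions = statement["Action"]
    if isinstance(actions, str):
        actions = [actions]
    return any(fnmatchcase(action, pattern) for pattern in actions)


def evaluate(policies, action):
    """Return 'Allow' or 'Deny' for `action` across every attached policy.
    Precedence, as the post describes it: an explicit Deny in any policy wins;
    otherwise an Allow in any policy permits the action; otherwise the action
    is implicitly denied because nothing mentions it."""
    explicit_allow = False
    for policy in policies:
        for statement in policy["Statement"]:
            if not _matches(statement, action):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # explicit deny: no Allow elsewhere can override it
            explicit_allow = True
    return "Allow" if explicit_allow else "Deny"  # implicit deny


def user_x_decisions():
    """The post's scenario: user-X is a member of group-A and group-B."""
    attached = [GROUP_A_POLICY, GROUP_B_POLICY]
    return {
        "create VM": evaluate(attached, "ec2:RunInstances"),
        "access database": evaluate(attached, "rds:DescribeDBInstances"),
        "create subnet": evaluate(attached, "ec2:CreateSubnet"),
    }


if __name__ == "__main__":
    for request, decision in user_x_decisions().items():
        print(f"{request}: {decision}")
```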

In this post, we looked at many key concepts, such as

  • Authentication, Authorization

DevOps Engineer and a part time investor | feel free to reach out to me | LinkedIn —
