What is the difference between IAM users vs IAM roles?
I am a cloud administrator for a company that uses AWS for its infrastructure. Recently there have been several incidents where access management has been inefficient, which is leading to both over-privileged users and unnecessary security risk. My question is: what is the difference between IAM users and IAM roles in the context of access management?
In the context of AWS, here are the key differences:
IAM USERS
This is a permanent entity with long-term credentials, suitable for ongoing needs. It is created to represent an individual or service that needs consistent, long-term access to your AWS resources. IAM users have long-term credentials such as a password for AWS Management Console access and access keys for API, CLI, SDK, and other development tool access. Permissions are directly assigned to the user via policies. These permissions are persistent and remain until explicitly changed or revoked. It is well suited to users or services that require consistent access to AWS resources. Here is an example of how you can create an IAM user and attach a policy:
    import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
    import software.amazon.awssdk.regions.Region;
    import software.amazon.awssdk.services.iam.IamClient;
    import software.amazon.awssdk.services.iam.model.AttachUserPolicyRequest;
    import software.amazon.awssdk.services.iam.model.CreateUserRequest;
    import software.amazon.awssdk.services.iam.model.CreateUserResponse;
    import software.amazon.awssdk.services.iam.model.IamException;

    public class CreateIamUser {
        public static void main(String[] args) {
            // Create an IamClient instance (IAM is a global service, hence AWS_GLOBAL)
            IamClient iamClient = IamClient.builder()
                    .region(Region.AWS_GLOBAL)
                    .credentialsProvider(ProfileCredentialsProvider.create())
                    .build();
            // Define the user name
            String userName = "JohnDoe";
            // Create the user
            createUser(iamClient, userName);
            // Attach a policy to the user
            attachPolicy(iamClient, userName);
            // Close the IamClient
            iamClient.close();
        }

        // Create an IAM user
        public static void createUser(IamClient iamClient, String userName) {
            try {
                CreateUserRequest request = CreateUserRequest.builder()
                        .userName(userName)
                        .build();
                CreateUserResponse response = iamClient.createUser(request);
                System.out.println("Successfully created user: " + response.user().userName());
            } catch (IamException e) {
                System.err.println(e.awsErrorDetails().errorMessage());
                System.exit(1);
            }
        }

        // Attach a managed policy to the user; the permission persists until detached
        public static void attachPolicy(IamClient iamClient, String userName) {
            try {
                AttachUserPolicyRequest request = AttachUserPolicyRequest.builder()
                        .userName(userName)
                        .policyArn("arn:aws:iam::aws:policy/AmazonS3FullAccess")
                        .build();
                iamClient.attachUserPolicy(request);
                System.out.println("Successfully attached policy to user: " + userName);
            } catch (IamException e) {
                System.err.println(e.awsErrorDetails().errorMessage());
                System.exit(1);
            }
        }
    }
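Because an IAM user's access keys and directly attached policies persist until someone removes them, the over-privilege the question describes tends to accumulate silently. The following audit is an added example (not part of the answer above) using the same AWS SDK for Java v2 client: it walks every IAM user and flags directly attached broad managed policies and long-lived active access keys. The `BROAD_POLICIES` denylist and the 90-day key-age threshold are assumptions chosen for this example, not AWS defaults.

```java
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.iam.IamClient;
import software.amazon.awssdk.services.iam.model.AccessKeyMetadata;
import software.amazon.awssdk.services.iam.model.AttachedPolicy;
import software.amazon.awssdk.services.iam.model.ListAccessKeysRequest;
import software.amazon.awssdk.services.iam.model.ListAttachedUserPoliciesRequest;
import software.amazon.awssdk.services.iam.model.StatusType;
import software.amazon.awssdk.services.iam.model.User;

import java.time.Duration;
import java.time.Instant;
import java.util.Set;

public class AuditIamUsers {
    // Constructed denylist for this example: managed policies considered too broad
    // to sit permanently on an individual user (extend to fit your environment).
    static final Set<String> BROAD_POLICIES = Set.of(
            "arn:aws:iam::aws:policy/AmazonS3FullAccess",
            "arn:aws:iam::aws:policy/AdministratorAccess");
    // Assumed rotation threshold; long-term keys never expire on their own.
    static final Duration MAX_KEY_AGE = Duration.ofDays(90);

    public static void main(String[] args) {
        try (IamClient iam = IamClient.builder()
                .region(Region.AWS_GLOBAL)
                .credentialsProvider(ProfileCredentialsProvider.create())
                .build()) {
            // The paginator transparently follows IsTruncated/Marker for large accounts
            for (User user : iam.listUsersPaginator().users()) {
                auditUser(iam, user.userName());
            }
        }
    }

    static void auditUser(IamClient iam, String userName) {
        // Directly attached managed policies stay in effect until explicitly detached
        for (AttachedPolicy p : iam.listAttachedUserPolicies(ListAttachedUserPoliciesRequest
                .builder().userName(userName).build()).attachedPolicies()) {
            if (BROAD_POLICIES.contains(p.policyArn())) {
                System.out.println(userName + ": broad policy attached -> " + p.policyName());
            }
        }
        // Active long-term access keys older than the threshold are candidates for rotation
        for (AccessKeyMetadata k : iam.listAccessKeys(ListAccessKeysRequest
                .builder().userName(userName).build()).accessKeyMetadata()) {
            Duration age = Duration.between(k.createDate(), Instant.now());
            if (k.status() == StatusType.ACTIVE && age.compareTo(MAX_KEY_AGE) > 0) {
                System.out.println(userName + ": active key " + k.accessKeyId()
                        + " is " + age.toDays() + " days old");
            }
        }
    }
}
```

The caller needs `iam:ListUsers`, `iam:ListAttachedUserPolicies` and `iam:ListAccessKeys`; inline and group-inherited policies are not covered by this pass.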