IAM or identity and access management service has a crucial role of managing identities or authentication of various individuals interacting with your account.
IAM allows you three different ways to log in to your account or use the services associated with any AWS account.
Root access is when you use your email and password that you used to create your AWS account as credentials. This, however, is not considered a best practice and is discouraged by AWS.
Instead what you should do is make an AWS user and use that for admin purposes.
But why can’t we use our root credentials?
It’s because using root access provides you with unrestricted access and control. Although this may not seem as a problem, but it could lead to serious trouble if you delete, remove or modify something that you did not intend to.
Moreover, you should not share your root credentials with anyone.
IAM users are the users that are created using IAM. Now, these users do not use separate accounts, but rather are different users for the same account.
All of these users have a different and specific sign-in link, username and password, accompanied by their own access and secret access tokens.
The permissions assigned to these users could also be monitored and altered so as to maintain proper authorization.
The controlled permissions make sure that any unauthorized user does not perform any action that causes some serious trouble.
So IAM users are nothing but various different credentials for signing in to the same account but with different permissions
Federating existing users
You might have seen websites that use Google or Facebook logins to log you in. What these applications do is that they ask a third-party to validate your identity and then use the token generated by them to log you in.
This makes sure that you don’t have to go through the hassle of signing in again and again.
AWS uses a similar type of login too.
For example, you are logged in to your company’s network using you email id. Now you wish to sign in to the company’s AWS account.
If federation is allowed in the account, then using your company’s log in you can simply be validated and given access to log in to the AWS console.
So now you don’t have to keep your login credentials handy for your AWS account separately. You just need to be logged in to your company’s network.
This is how federation works.
So these were various ways of how AWS manages users and their access to the cloud and it’s infrastructure.