AWS IAM ni nini?

Question

AWS IAM ni nini?

Accepted Answer

**IAM** (Identity and Access Management) hudhibiti **nani anaweza kufanya nini** katika AWS — kusimamia users, groups, roles, na ruhusa. Ni jambo la msingi kwa usalama wa AWS: kila kitendo huidhinishwa kupitia IAM, kwa hivyo kuelewa ni muhimu.

## Kile IAM inasimamia

```text
IAM controls AUTHENTICATION (who you are) and AUTHORIZATION (what you can do):
  USERS    → individual identities (people or applications) with credentials
  GROUPS   → collections of users (assign permissions to a group → all its users get them)
  ROLES    → identities ASSUMED temporarily (by users, services, or AWS resources)
             — no permanent credentials; key for services/cross-account access
  POLICIES → JSON documents defining PERMISSIONS (what actions on what resources)
```

## Policies — kufafanua ruhusa

```json
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::my-bucket/*"
}
// → allows getting/putting objects in my-bucket (and nothing else)
```

Policies (JSON) hubainisha **vitendo gani** vinavyoruhusiwa/kukataliwa kwa **rasilimali zipi** — zikiambatishwa kwa users, groups, au roles ili kutoa ruhusa.

## Roles — credentials za muda (muhimu sana)

```text
ROLES grant temporary permissions without long-lived credentials:
  → an EC2 instance assumes a role → its app accesses S3 (no embedded keys!)
  → a Lambda function assumes a role for its permissions
  → cross-account access; federated/SSO access
→ Roles avoid hardcoding credentials — a security best practice.
```

## Mbinu bora

```text
✓ LEAST PRIVILEGE — grant only the permissions actually needed (not broad/admin)
✓ Use ROLES for applications/services (not embedded access keys)
✓ Enable MFA; protect the root account (don't use it for daily work)
✓ Use groups for permission management; rotate credentials; audit access
```

## Kwa nini ni muhimu

Kuelewa IAM ni muhimu kwa sababu ni msingi wa usalama wa AWS — kila kitendo katika AWS huidhinishwa kupitia IAM, kwa hivyo ni maarifa ya msingi ya lazima kujua kwa kufanya kazi na AWS kwa usalama.

IAM hudhibiti **nani anaweza kufanya nini** kupitia vipengele vyake vya msingi: **users** (vitambulisho vyenye credentials), **groups** (kwa kusimamia ruhusa kwa pamoja), **roles** (vitambulisho vinavyochukuliwa kwa muda), na **policies** (hati za JSON zinazofafanua ruhusa).

Kuelewa **policies** (kubainisha vitendo gani vinavyoruhusiwa kwa rasilimali zipi) ni muhimu ili kutoa na kuelewa ruhusa kwa usahihi.

Kuelewa **roles** ni muhimu hasa: hutoa **credentials za muda bila funguo za kudumu**, kuwezesha EC2 instances, Lambda functions, na huduma nyingine kufikia rasilimali za AWS kwa usalama **bila kuingiza access keys** — mbinu bora muhimu ya usalama inayoepuka hatari kubwa ya credentials zilizowekwa moja kwa moja.

Kuelewa **mbinu bora** — hasa **least privilege** (kutoa ruhusa zinazohitajika tu, si ufikiaji mpana wa admin, kupunguza eneo la athari la uvunjaji wowote), kutumia roles kwa programu, kuwezesha MFA, na kulinda root account — ni muhimu kwa usalama wa AWS, kwani usanidi mbaya wa IAM (ruhusa pana mno, credentials zilizovuja) ni chanzo cha kawaida cha matukio ya usalama.

Kwa kuwa IAM ni mlinzi wa ufikiaji wote wa AWS na kuipata sawa ni jambo la msingi kwa usalama (huku kuikosea husababisha uvunjaji mkubwa), na kwa kuwa kuelewa users, roles, policies, na mbinu bora kama least privilege ni muhimu kufanya kazi na AWS kwa usalama, kuelewa IAM ni maarifa muhimu ya msingi ya AWS — mada muhimu ya usalama ambayo kila mtumiaji wa AWS lazima aelewe, kitovu cha kutumia AWS kwa usalama na kuepuka makosa ya udhibiti wa ufikiaji yanayopelekea matukio halisi ya usalama.