Identity Access Management (IAM)
IAM is a service that lets you set permissions defining what users and groups are allowed or denied to do.
It lets you set permissions for resources that belong to the following service categories:
These permissions are specified against particular API calls, CLI options and web console actions.
Here are some examples:
- give a user (or group) permission to create new EC2 instances
- deny a user (or group) permission to delete a particular EC2 instance
IAM is very granular and lets you set all kinds of permissions.
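The two example permissions above, written as an IAM policy document and run through a simplified evaluator. This is an added example, not code from the original notes. The account ID, region and instance ID are constructed placeholders, the evaluator ignores conditions and other policy types, and it goes slightly beyond the text by also allowing ec2:TerminateInstances so that the explicit deny visibly overrides an allow.

```python
import json
from fnmatch import fnmatchcase

# Constructed policy; the ARN below uses placeholder account and instance IDs.
PROTECTED = "arn:aws:ec2:eu-west-1:111122223333:instance/i-0123456789abcdef0"
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowCreateAndDelete", "Effect": "Allow",
     "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
     "Resource": "*"},
    {"Sid": "DenyDeleteOneInstance", "Effect": "Deny",
     "Action": "ec2:TerminateInstances",
     "Resource": "%s"}
  ]
}
""" % PROTECTED)

def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, ignore_case=False):
    """Wildcard match ('*' and '?'); action names are case-insensitive."""
    if ignore_case:
        value = value.lower()
    for pattern in _as_list(patterns):
        if ignore_case:
            pattern = pattern.lower()
        if fnmatchcase(value, pattern):
            return True
    return False

def evaluate(policy, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"          # nothing is allowed by default
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action, ignore_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"      # a matching deny always wins
        decision = "Allow"
    return decision
```

A request is allowed only if some statement allows it and no statement denies it, which is why the deny on one instance holds even though the first statement allows terminating any instance.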
This is a service that logs all AWS console, CLI and API activity and who performed it.
It is a logging solution to help identify any security issues.
This is a monitoring service that monitors various services and resources. It can collect and track metrics. It can collect logs for various resources, e.g. CPU utilisation on a given EC2 instance, network bandwidth usage, etc.
CloudWatch ties in with auto-scaling quite closely. E.g. you can instruct CloudWatch to scale up if CPU usage exceeds 80% or if queue size exceeds 5000 jobs.
This service allows you to create and sync AWS users and groups based on a local Microsoft Active Directory server. Alternatively you can create a new Microsoft Active Directory (AD) service inside AWS and sync it up with a local Microsoft AD server.
This makes single sign-on possible.