- Granular permission control
- GUI interface is easy enough to use, has room for improvement however
- CLI interface is easy to use
- API interface available to dynamically build roles
- Must have good IAM roles set up to manage application access, as it is the entry point into your cloud system
- GUI interface can be simpler. AWS tends to build a minimal UI, but the ability to use the CLI and API interfaces still makes IAM a winner
- Automatic Threat Detection / Access is not built into IAM. You need to set up your own monitoring using other AWS services to look for access anomalies. If this were built into the service, it would make it a very appealing full-stack Identity service.
Set granular permission groups. From a security and access perspective, the more control you have over the users/applications that have access to critical data, the lower the likelihood of a breach.
We have several web applications and infrastructure on AWS. We use IAM to control application access to our databases and other services. We also use IAM to manage individual user access to our systems. We use various roles and groups to isolate permissions and practice the principle of least-privilege access.