Identity and Access Management (IAM)
Stands for Identity and Access Management.
Its a global service.
Icon
Terminology
User
People/Application that uses the AWS resources.
They can be grouped (Group).
Group
A collection of user makes up Group.
Groups can only contain users and cannot contain Group.
A User can belong to multiple Groups.
Policy
Policy is a JSON Document which describes the permission required by a user/group to access them.
Sample Policy Document
{ "Version": "2012-10-17", //version "Id": "PolicyId", //Policy Id "Statement": [ { "Sid": "AllowOrgsReadOnlyAndIamGetReport", "Effect": "Allow", "Action": [ "iam:GetOrganizationsAccessReport", "organizations:Describe*", "organizations:List*" ], "Resource": "*" }, { "Sid": "AllowGenerateReportOnlyForThePolicy", "Effect": "Allow", "Action": "iam:GenerateOrganizationsAccessReport", "Resource": "*", "Condition": { "StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"} } } ] }In AWS (or in any CPS), always apply Least Privilege Principle when giving access to resource.
Policy structure:
Policy VersionPolicy IdStatementStatement Id(optional)Effect(Allow Or Deny) (Mandatory)Principal, basically account to which this policy is applied.Action, List of action/s which can be done using this policy. (Mandatory)Resource, List of AWS resource to which the action/s can be applied. (Mandatory)Condition, Conditions when this policy is applicable. (optional)
Policy Inheritance is a concept where a user can inherit policies from multiple groups, if user belongs to multiple groups.
Inline Policy, are policies that are directly applied to a user.
Roles
When AWS service/s need to perform action/s on behalf of user, IAM Roles enables us to achieve that.
Roles are assigned permissions policies.
Taking on a role allows users/AWS services to perform a task on behalf of the user whose role is being assumed.
Principal
In IAM Policy, following can be the principal.
Account
Root User
IAM Roles
IAM Role Sessions
IAM User
Federated User
AWS Service
All Principals
References
Last updated