Identity and Access Management (IAM)
Stands for Identity and Access Management.
It is a global service: users, groups, roles and policies are not tied to any region.
Terminology
User
A person or application that interacts with AWS resources. A user has its own long-term credentials (a console password and/or access keys).
Users can be collected into Groups.
Group
A Group is a collection of users; it is the way to attach the same policies to many users at once.
Groups can contain only users; a Group cannot contain another Group (no nesting).
A user can belong to multiple Groups.
Policy
A policy is a JSON document that states which actions are allowed or denied on which resources. It is attached to a user, group or role (identity-based policy) or to a resource such as an S3 bucket (resource-based policy), and its statements are what IAM evaluates on every API request.
Sample Policy Document
In AWS (or any cloud platform), always apply the principle of least privilege when granting access to a resource: allow only the actions and resources that are actually needed, and prefer scoped ARNs over "*".
Policy structure:
Version, the policy language version; use "2012-10-17", the current version.
Id, an optional identifier for the whole policy.
Statement, the list of statements; each statement has the following elements:
Sid, an optional statement identifier.
Effect, Allow or Deny (mandatory).
Principal, the account, user, role, service or federated user the statement applies to. It is used in resource-based policies (S3 bucket policies, role trust policies); a policy attached to a user, group or role has no Principal element, because the identity it is attached to is the principal.
Action, the list of API actions the statement allows or denies (mandatory; NotAction is the inverse).
Resource, the list of resource ARNs the actions apply to (mandatory in identity-based policies; NotResource is the inverse).
Condition, optional conditions under which the statement applies (for example source IP range, MFA present, or tag values).
Policy inheritance: a user who belongs to multiple Groups inherits the policies attached to every one of those Groups. The effective permissions are the union of all of them, with any explicit Deny in any policy overriding every Allow.
Inline policies are embedded directly in a single user, group or role, as opposed to managed policies, which are standalone objects that can be attached to many identities.
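The following is an added example, not part of the original notes and not AWS code. It models in plain Python how the policy elements above combine when a user inherits policies from several groups plus an inline policy: every statement that matches the request is collected, any explicit Deny beats every Allow, and a request that matches nothing is implicitly denied. The user "alice", the groups, the account ID 123456789012 and all ARNs are constructed for the example. Real IAM evaluation also involves service control policies, permission boundaries, session policies and resource-based policies, none of which are modelled here.

```python
"""Simplified IAM identity-policy evaluation (added example, not AWS code)."""
import fnmatch
import json

# --- Constructed sample policies, written as they would appear in the console ---
DEVELOPERS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "DevelopersReadS3",
  "Statement": [
    {"Sid": "ReadAnyBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::*"}
  ]
}""")

OPERATORS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ManageEc2", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "NeverTouchProdBucket", "Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]}
  ]
}""")

# Inline policy embedded directly in the hypothetical user "alice".
ALICE_INLINE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:ChangePassword",
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"}
  ]
}""")

# Group membership: a user may belong to several groups and inherits every
# group's policies; groups cannot be nested, so there is only one level.
GROUP_POLICIES = {"developers": [DEVELOPERS_POLICY], "operators": [OPERATORS_POLICY]}
USER_GROUPS = {"alice": ["developers", "operators"]}
USER_INLINE = {"alice": [ALICE_INLINE_POLICY]}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def effective_policies(user):
    """Every policy that applies to the user: inline plus all group policies."""
    policies = list(USER_INLINE.get(user, []))
    for group in USER_GROUPS.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    return policies


def evaluate(user, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Default is implicit deny; a matching Allow grants; a matching Deny in any
    applicable policy overrides every Allow, whichever group it came from.
    """
    allowed = False
    for policy in effective_policies(user):
        for stmt in policy["Statement"]:
            # Resolve the ${aws:username} policy variable for this caller.
            resources = [r.replace("${aws:username}", user)
                         for r in _as_list(stmt["Resource"])]
            if not (_matches(stmt["Action"], action) and _matches(resources, resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::dev-data/notes.txt"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
        ("s3:GetObject", "arn:aws:s3:::prod-data/secret.csv"),
        ("iam:ChangePassword", "arn:aws:iam::123456789012:user/alice"),
        ("iam:ChangePassword", "arn:aws:iam::123456789012:user/bob"),
    ]
    for action, resource in requests:
        print(f"{action:20} {resource:60} -> {evaluate('alice', action, resource)}")
```

The third request shows why inheritance matters for reviews: the developers group allows reading any bucket, but the Deny that alice inherits from the operators group still blocks prod-data, so checking one group's policy in isolation gives the wrong answer.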
Principal
In an IAM policy, the Principal element can be any of the following:
Account (an account ARN or ID, which trusts every IAM principal in that account)
Root User
IAM Roles
IAM Role Sessions
IAM User
Federated User
AWS Service
All Principals ("*", which in a resource-based policy also grants unauthenticated, anonymous access; avoid it)
Roles
An IAM role is an identity with permissions that is assumed rather than owned: it has no long-term credentials, and assuming it returns temporary credentials from STS. Roles are used when an AWS service (for example an EC2 instance or a Lambda function) needs to act on a user's behalf, and for cross-account or federated access.
Roles carry two policies: a permissions policy (what the role may do) and a trust policy (who may assume it).
Whoever assumes the role, whether a user or an AWS service, acts with the permissions attached to the role for the duration of the session, not with their own permissions; the trust policy decides who is allowed to assume it.
When creating a role, the console offers 5 trusted-entity types, which is what the role's trust policy encodes:
AWS Service
AWS Account
SAML
Web Identity
Custom Trust Policy
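As an added example (not part of the original notes and not AWS code), the block below writes one trust policy per trusted-entity type listed above and checks, for a given caller and STS action, whether the trust policy would let the caller assume the role. Account IDs (111122223333, 123456789012, 999988887777), the identity-provider name CorpIdP, the Cognito pool ID and the ExternalId value are all made up for the example. Only the StringEquals condition operator is modelled, and the caller's own permission to call STS in its home account is a separate check that is not modelled.

```python
"""Trust-policy check for a role's five trusted-entity types (added example, not AWS code)."""

# Constructed trust policies, one per trusted-entity type offered by the console.
# Account IDs, provider names, pool ID and the ExternalId are made up.
TRUST_POLICIES = {
    "AWS service": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"}]},
    "AWS account": {"Version": "2012-10-17", "Statement": [
        # ":root" trusts every principal in account 111122223333 that is
        # allowed to call sts:AssumeRole, not only that account's root user.
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
         "Action": "sts:AssumeRole"}]},
    "SAML": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/CorpIdP"},
         "Action": "sts:AssumeRoleWithSAML",
         "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]},
    "Web Identity": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:example-pool"}}}]},
    # Custom trust policy: a third-party account, locked down with an ExternalId
    # so the vendor cannot be tricked into assuming this role on someone else's behalf.
    "Custom Trust Policy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999988887777:root"},
         "Action": "sts:AssumeRole",
         "Condition": {"StringEquals": {"sts:ExternalId": "vendor-7f3a"}}}]},
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _principal_matches(principal, caller):
    """caller: {'type': 'AWS' | 'Service' | 'Federated', 'id': ..., 'account': ...}."""
    if principal == "*":
        return True  # every principal, anonymous included: never use this in a trust policy
    for entry in _as_list(principal.get(caller["type"], [])):
        if entry in ("*", caller["id"]):
            return True
        # An account ARN (":root") matches any IAM principal of that account.
        if caller["type"] == "AWS" and entry == f"arn:aws:iam::{caller.get('account')}:root":
            return True
    return False


def _conditions_hold(condition, context):
    """Only the StringEquals operator is modelled; every listed key must match."""
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def can_assume(trust_policy, caller, action, context=None):
    """True if the trust policy lets `caller` perform the STS `action`.

    The caller must match an Allow statement's Principal for that action with
    all of its Conditions satisfied; an explicit Deny wins over any Allow.
    """
    context = context or {}
    allowed = False
    for stmt in trust_policy["Statement"]:
        if action not in _as_list(stmt["Action"]):
            continue
        if not _principal_matches(stmt["Principal"], caller):
            continue
        if not _conditions_hold(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    vendor = {"type": "AWS", "id": "arn:aws:iam::999988887777:role/Scanner", "account": "999988887777"}
    print(can_assume(TRUST_POLICIES["AWS service"], {"type": "Service", "id": "ec2.amazonaws.com"}, "sts:AssumeRole"))
    print(can_assume(TRUST_POLICIES["Custom Trust Policy"], vendor, "sts:AssumeRole", {"sts:ExternalId": "vendor-7f3a"}))
    print(can_assume(TRUST_POLICIES["Custom Trust Policy"], vendor, "sts:AssumeRole"))  # no ExternalId: False
```

The last call is the case worth remembering when reviewing cross-account roles: the vendor account is trusted, but without the expected sts:ExternalId the Condition fails and the assume request is refused.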