Identity and Access Management (IAM)

  • Stands for Identity and Access Management.

  • It is a global service (not tied to a region).


Terminology

User

  • A person or application that uses AWS resources.

  • Users can be organized into Groups.

Group

  • A collection of users makes up a Group.

  • Groups can only contain users; they cannot contain other Groups.

  • A User can belong to multiple Groups.

Policy

  • A Policy is a JSON document that describes the permissions a user or group has on AWS resources.

  • Sample Policy Document (JSON does not allow comments, so the field notes are given in the structure list below):

        {
            "Version": "2012-10-17",
            "Id": "PolicyId",
            "Statement": [
                {
                    "Sid": "AllowOrgsReadOnlyAndIamGetReport",
                    "Effect": "Allow",
                    "Action": [
                        "iam:GetOrganizationsAccessReport",
                        "organizations:Describe*",
                        "organizations:List*"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "AllowGenerateReportOnlyForThePolicy",
                    "Effect": "Allow",
                    "Action": "iam:GenerateOrganizationsAccessReport",
                    "Resource": "*",
                    "Condition": {
                        "StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}
                    }
                }
            ]
        }

  • In AWS (or in any CPS), always apply the Least Privilege Principle when granting access to a resource: allow only the actions, on only the resources, that the user or group actually needs.

  • Policy structure:

    • Policy Version (the policy language version, e.g. "2012-10-17" in the sample above)

    • Policy Id (optional)

    • Statement (one or more)

      • Statement Id (Sid, optional)

      • Effect (Allow or Deny) (Mandatory)

      • Principal: the account, user, role, or service to which this statement applies. It appears in resource-based policies; identity-based policies attached to a user, group, or role (like the sample above) omit it.

      • Action: the list of API actions this statement allows or denies. (Mandatory)

      • Resource: the list of AWS resources (ARNs, or "*" for all) the actions apply to. (Mandatory)

      • Condition: the conditions under which this statement applies, e.g. the StringEquals check in the sample above. (Optional)

  • Policy Inheritance is the concept that a user who belongs to multiple groups inherits the policies of every one of those groups.

  • Inline Policies are policies embedded directly in a single user rather than attached to a group.
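The structure above lends itself to an automated check. The following is an added example (not from these notes or from AWS) that parses a policy document, verifies the mandatory fields, and flags Allow statements that are wider than least privilege suggests; the two sample documents are constructed for the example, with TIGHT mirroring the policy shown above.

```python
import json

# Constructed samples (not from the page). TIGHT mirrors the page's policy;
# BROAD is deliberately over-permissive so the least-privilege checks fire.
TIGHT = """{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllowOrgsReadOnly", "Effect": "Allow",
   "Action": ["organizations:Describe*", "organizations:List*"], "Resource": "*"},
  {"Sid": "AllowGenerateReport", "Effect": "Allow", "Resource": "*",
   "Action": "iam:GenerateOrganizationsAccessReport",
   "Condition": {"StringEquals": {"iam:OrganizationsPolicyId": "p-policy123"}}}]}"""
BROAD = '{"Version": "2012-10-17", "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}'

def _as_list(value):
    """Normalise IAM's string-or-list fields (Action, Resource, Statement) to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def lint_policy(document: str) -> list:
    """Check mandatory fields and report Allow statements wider than least privilege."""
    policy = json.loads(document)  # raises on invalid JSON, e.g. '//' comments
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("warn: Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid") or f"Statement[{i}]"
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"error: {label}: Effect must be Allow or Deny")
        actions = _as_list(stmt.get("Action")) + _as_list(stmt.get("NotAction"))
        resources = _as_list(stmt.get("Resource")) + _as_list(stmt.get("NotResource"))
        if not actions:
            findings.append(f"error: {label}: Action (or NotAction) is mandatory")
        if not resources:
            findings.append(f"error: {label}: Resource (or NotResource) is mandatory")
        if effect != "Allow":
            continue  # a wildcard in a Deny narrows access, so it is not a finding
        if "*" in actions:
            findings.append(f"high: {label}: Allow with Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            findings.append(f"medium: {label}: Allow with a service-wide wildcard action")
        if "*" in resources and "Condition" not in stmt:
            findings.append(f"low: {label}: Resource '*' with no Condition; confirm the actions need it")
    return findings
```

The low finding on TIGHT is expected: Organizations read actions do not support resource-level permissions, so "*" is the narrowest resource available there, which is why the check asks for confirmation rather than reporting an error.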

Roles

  • When an AWS service needs to perform actions on behalf of a user, IAM Roles make that possible.

  • Roles are assigned permissions policies.

  • Assuming a role allows a user or AWS service to perform a task using the permissions of the role being assumed.

Principal

  • In an IAM Policy, the following can be the Principal:

    • Account

    • Root User

    • IAM Roles

    • IAM Role Sessions

    • IAM User

    • Federated User

    • AWS Service

    • All Principals
