Identity and Access Management (IAM)
IAM stands for Identity and Access Management.
It is a global service (not scoped to a region).
Users: people or applications that use AWS resources.
Users can be grouped into Groups.
A collection of users makes up a Group.
Groups can only contain users; they cannot contain other Groups.
A user can belong to multiple Groups.
A Policy is a JSON document that describes the permissions a user or group is given to access resources.
Sample Policy Document
In AWS (or any cloud service provider), always apply the Least Privilege Principle when granting access to a resource.
Policy structure:
Version: the policy language version.
Id: an identifier for the policy.
Statement: one or more statements, each made up of:
Sid: statement id (optional)
Effect: Allow or Deny (mandatory)
Principal: the account, user, role or service to which this policy is applied.
Action: the list of actions that can be performed using this policy (mandatory)
Resource: the list of AWS resources to which the actions can be applied (mandatory)
Condition: the conditions under which this policy is applicable (optional)
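As an added example (not part of the original notes), a constructed policy in the structure listed above together with a small Python linter that checks the mandatory elements and flags wildcard Allow statements against the least-privilege principle. Principal is omitted because identity-based policies attached to users, groups and roles do not carry one; it is set in resource-based policies. The bucket name is a placeholder.

```python
# Constructed sample identity-based policy following the structure above.
# The bucket name is a placeholder, not a real resource.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Id": "ReadOnlyReportsBucket",
    "Statement": [
        {
            "Sid": "ListReportsBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports-bucket"],
            # Condition: only allow the action over TLS.
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Sid": "GetReportObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-reports-bucket/*"],
        },
    ],
}

# Elements every statement must carry (Sid, Principal, Condition are optional here).
MANDATORY = ("Effect", "Action", "Resource")


def lint_policy(policy: dict) -> list[str]:
    """Return findings for structural errors and least-privilege concerns."""
    findings = []
    if "Version" not in policy:
        findings.append("policy: missing Version")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given unwrapped
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        for key in MANDATORY:
            if key not in stmt:
                findings.append(f"{sid}: missing mandatory element {key}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if stmt.get("Effect") == "Allow":
            # A wildcard on an Allow grants far more than least privilege requires.
            for key in ("Action", "Resource"):
                values = stmt.get(key, [])
                values = [values] if isinstance(values, str) else values
                if any(v == "*" or v.endswith(":*") for v in values):
                    findings.append(f"{sid}: wildcard in {key} violates least privilege")
    return findings
```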
Policy Inheritance: a user who belongs to multiple groups inherits the policies of all of those groups.
Inline Policies are policies attached directly to a user.
When an AWS service needs to perform actions on behalf of a user, IAM Roles make this possible.
Roles are assigned permission policies.
Assuming a role allows users or AWS services to perform a task on behalf of the entity whose role is being assumed.
In an IAM policy, the following can be the Principal:
Account
Root User
IAM Roles
IAM Role Sessions
IAM User
Federated User
AWS Service
All Principals