IAM
Introduction
Identity and Access Management (IAM) enables controlling access to AWS services and resources
Can create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources
A global (Not Regional) service
Feature
Providing
Centralized control
Shared access to AWS account
Granular permissions
Identity Federation (ex. to a SAML IdP)
Create a SAML provider in IAM and an IAM role whose trust policy establishes a trust relationship between IAM and the IdP, identifying the IdP as a principal (trusted entity) for the purposes of federation.
Multi-factor authentication (MFA)
Providing temporary access for users, devices, and services
Can set up a custom password policy (ex: password rotation)
Supports PCI DSS compliance
Composition
Users
Simply people
Access type:
Programmatic access to AWS APIs and the command line
Access Key ID
Secret Access Key (only visible at creation time; can be downloaded in credentials.csv)
AWS console
Password (only visible at creation time; can be downloaded in credentials.csv)
Groups
A collection of users that share the same permissions
Roles
Can create a role and then attach it to AWS resources, or let users assume it
If a user switches to a role, the user's original permissions are given up for the duration; only the permissions of the role apply.
Service Role (ex. a role attached to an EC2 instance; the instance obtains the role's temporary credentials through the instance metadata)
Policies
A JSON document defining permissions
Scenarios
Forcing tagging of AWS resources (the best way is to use AWS Catalog)
Can be defined either with IAM policies for a role or user, or with an AWS Organizations SCP for an OU or the entire organization.
Trust Policy
A JSON document defining who can assume the role
Authenticates the principal.
Determines which policy to apply to the request.
Evaluates the policy types and arranges an order of evaluation.
Processes the policies against the request context to determine if it is allowed.
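The tag-enforcement scenario above and the four evaluation steps, worked through as an added example (not from the original notes): a small Python evaluator that applies an explicit Deny before any Allow and falls back to an implicit deny. The policy documents, account ID, instance ARN and the CostCenter tag key are constructed sample values; only the Null and StringEquals condition operators are implemented.

```python
import fnmatch

# Constructed sample policy (not from the page): allow all of EC2, but explicitly
# deny RunInstances when the request carries no CostCenter tag (Null == "true").
POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*:*:instance/*",
         "Condition": {"Null": {"aws:RequestTag/CostCenter": "true"}}},
    ]}
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_holds(condition, context):
    """Every operator/key pair must hold for the statement to apply."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Null":          # "true" means the key must be absent
                if (actual is None) != (expected == "true"):
                    return False
            elif operator == "StringEquals":
                if actual != expected:
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True

def evaluate(policies, action, resource, context):
    """Return 'allow' or 'deny' following IAM's order of evaluation:
    an explicit Deny wins, otherwise a matching Allow permits, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive; resource ARNs are matched case-sensitively.
            if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"               # explicit deny overrides any allow
            allowed = True
    return "allow" if allowed else "deny"   # nothing matched: implicit deny

# Constructed request: launching an instance without the required tag is denied.
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"
print(evaluate(POLICIES, "ec2:RunInstances", INSTANCE, {}))                                   # deny
print(evaluate(POLICIES, "ec2:RunInstances", INSTANCE, {"aws:RequestTag/CostCenter": "42"}))  # allow
```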
Related Service
Access Advisor - See permissions granted and last access time
Access Analyzer - Analyze resources that are shared with external entities