IAM

PreviousDirectory Service NextOrganizations

Last updated 4 years ago

Was this helpful?

IAM

Introduction

Identity and Access Management (IAM) enableing control access to AWS services and resources
Can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources
A global (Not Regional) service

Feature

Providing
- Centralized control
- Shared access to AWS account
- Granular permissions
- Identity Federation (ex. to a SAML IdP)
  - Create a SAML provider in IAM and create IAM role that establishes a trust relationship between IAM and the IdP that identifies the IdP as a principal (trust entity) for purposes of federation.
- Multifactor Authorization (MFA)
- Providing temporary access for users, devices, services
- Can set up custom password policy (ex: password rotation)
- Support PCI DSS compliance
Composition
- Users
  - Simply people
  - Access type:
    Programmatically accessing AWS APIs and command line
    Access Key ID
    Secret Access Key (only visible when creating, can be downloaded in the crendential.csv)
    AWS console
    Password (only visible when creating, can be downloaded in the crendential.csv)
- Groups
  - A collection of people applying the same permissions
- Roles
  - Can create a role then attach it to AWS resources or users
  - If a user switches the role, original access to the user is canceled. He can only use the access of the role.
  - Service Role (ex. )
- Policies
  - A JSON document defining permissions
  - Scenarios
    (The best way is to use AWS Catalog)
    Can be defined either with IAM policies for a role, user or with AWS Organizations SCP for an OU / entire organization.
    "Condition": { "StringEquals": { "aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "key1", "key2" ] } }
- Trust Policy
  - A JSON document defining who can assume the role
- Authenticates the principal.
- Determines which policy to apply to the request.
- Evaluates the policy types and arranges an order of evaluation.
- Processes the policies against the request context to determine if it is allowed.

Related Service

Access Advisor - See permissions granted and last access time
Access Analyzer - Analyze resources that are shared with external entity

PreviousDirectory Service NextOrganizations

Last updated 4 years ago

Was this helpful?

Introduction

Identity and Access Management (IAM) enableing control access to AWS services and resources
Can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources
A global (Not Regional) service

Feature

Providing
- Centralized control
- Shared access to AWS account
- Granular permissions
- Identity Federation (ex. to a SAML IdP)
  - Create a SAML provider in IAM and create IAM role that establishes a trust relationship between IAM and the IdP that identifies the IdP as a principal (trust entity) for purposes of federation.
- Multifactor Authorization (MFA)
- Providing temporary access for users, devices, services
- Can set up custom password policy (ex: password rotation)
- Support PCI DSS compliance
Composition
- Users
  - Simply people
  - Access type:
    Programmatically accessing AWS APIs and command line
    Access Key ID
    Secret Access Key (only visible when creating, can be downloaded in the crendential.csv)
    AWS console
    Password (only visible when creating, can be downloaded in the crendential.csv)
- Groups
  - A collection of people applying the same permissions
- Roles
  - Can create a role then attach it to AWS resources or users
  - If a user switches the role, original access to the user is canceled. He can only use the access of the role.
  - Service Role (ex. )
- Policies
  - A JSON document defining permissions
  - Scenarios
    (The best way is to use AWS Catalog)
    Can be defined either with IAM policies for a role, user or with AWS Organizations SCP for an OU / entire organization.
    "Condition": { "StringEquals": { "aws:RequestTag/key1": "value1", "aws:RequestTag/key2": "value2" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "key1", "key2" ] } }
- Trust Policy
  - A JSON document defining who can assume the role
- Authenticates the principal.
- Determines which policy to apply to the request.
- Evaluates the policy types and arranges an order of evaluation.
- Processes the policies against the request context to determine if it is allowed.

Related Service

Access Advisor - See permissions granted and last access time
Access Analyzer - Analyze resources that are shared with external entity