Section 4 iam

Cards (183)

  • IAM: Users & Groups
    • IAM = Identity and Access Management, Global service
    • Root account created by default, shouldn’t be used or shared
    • Users are people within your organization, and can be grouped
    • Groups only contain users, not other groups
    • Users don’t have to belong to a group, and a user can belong to multiple groups
  • IAM: Permissions
    • Users or Groups can be assigned JSON documents called policies
    • These policies define the permissions of the users
    • In AWS you apply the least privilege principle: don’t give more permissions than a user needs
  • Policy attached at group level
    Policy applied to every single member of the group
  • Inline policy
    A policy that is only attached to a user (fred)
  • IAM Policies Structure
    • Version: policy language version, always include "2012-10-17"
    • Id: an identifier for the policy (optional)
    • Statement: one or more individual statements (required)
  • Statement
    • Sid: an identifier for the statement (optional)
    • Effect: whether the statement allows or denies access (Allow, Deny)
    • Principal: account/user/role to which this policy applies
    • Action: list of actions this policy allows or denies
    • Resource: list of resources to which the actions apply
    • Condition: conditions for when this policy is in effect (optional)
  • IAM
    Identity and access management
  • IAM is a global service in AWS, not region-specific
  • Root user
    The main account holder with full administrative access
  • It is not best practice to use the root account, so we create IAM users instead
  • Creating an IAM user
    1. Provide username
    2. Choose to create IAM user (not identity center)
    3. Set password
    4. Add user to admin group
    5. Review and create user
  • IAM groups
    • Allows managing permissions for multiple users at once
    • Users inherit permissions from the groups they are added to
  • You can customize the AWS sign-in URL by creating an account alias
  • Using two browser windows (normal and private)
    Allows signing in to both the root account and an IAM user account at the same time
  • It is important not to lose the login credentials for the root account and the admin IAM user
  • The instructor recommends using an IAM user instead of the root account, but will specify when to use the root account
  • IAM policies
    Policies attached at the group level that get applied to every member of the group
  • Groups
    • Developers (Alice, Bob, Charles)
    • Operations (David, Edward)
    • Audit team (Charles, David)
  • Inline policy
    A policy that's only attached to a user, regardless of whether they belong to a group or not
  • Charles belongs to the developers group
    Charles inherits the policy from the developers group
  • Charles also belongs to the audit team
    Charles inherits the policy from the audit team as well
  • David belongs to the operations group
    David inherits the policy from the operations group
  • David also belongs to the audit team
    David inherits the policy from the audit team as well
  • IAM policy structure
    • Version number
    • ID (optional)
    • Statements (one or more)
    • Sid (statement ID, optional)
    • Effect (allow or deny)
    • Principal (accounts, users or roles)
    • Action (API calls)
    • Resource (what the actions apply to)
    • Condition (optional)
  • The policy language version is usually 2012-10-17
  • The effect of the policy determines whether the statement allows or denies access to certain APIs
  • The principal specifies which accounts, users or roles the policy will be applied to
  • The action is the list of API calls that will be allowed or denied based on the effect
  • The resource is the list of resources to which the actions will be applied
  • The condition determines when the statement should be applied or not, but this is optional
  • Groups of users
    • Developers (Alice, Bob, Charles)
    • Operations (David, Edward)
    • Audit team (Charles, David)
  • Inline policy
    A policy that's only attached to a specific user, regardless of whether they belong to a group or not
  • Charles belongs to the developers group
    Charles inherits the policy attached to the developers group
  • Charles also belongs to the audit team
    Charles inherits the policy attached to the audit team as well
  • David belongs to the operations group
    David inherits the policy attached to the operations group
  • David also belongs to the audit team
    David inherits the policy attached to the audit team as well
  • IAM policy structure
    • Version number
    • ID (optional)
    • Statements (one or more)
    • Sid (statement ID, optional)
    • Effect (allow or deny)
    • Principal (accounts, users or roles)
    • Action (API calls)
    • Resource (e.g. bucket)
    • Condition (optional)
  • You need to understand the effect, principal, action and resource when working with IAM policies
  • IAM policies
    Policies that define access permissions in AWS