Identity and Access Management (IAM)
- Fine-Grained Permission
- MFA
- PCI Compliant
Principle of Least Privilege: Granting only the permissions required to perform the necessary operations.
- Reduces the impact of compromised credentials
Users
Users: An individual entity with a defined username. Note that an entity is not necessarily a human; it could be a service or application.
Access Types:
- AWS Management Console Access
- Programmatic Access (Access Key and Secret Key)
Create an IAM user for yourself, give admin access, and use that account rather than the root account.
Groups
Groups: A collection of IAM users. Groups can have policies attached.
Roles
Roles: An IAM identity that has specific permissions associated with it. Roles can be assumed by other entities.
Policies
Policies: A set of permissions associated with an IAM identity. Policies can be attached to users, groups, and roles.
A set of permissions:
- Effect
- Action
- Resource
Managed vs. Inline Policies
Managed Policies
- Standalone
- Only assignable to identities, not resources
- Assignable to users, groups, roles
- Reusable across entities
Inline Policies
- Embedded in the target user/group/role
- Not reusable
Customer Managed vs. AWS Managed Policies
Customer Managed
- Created by you
AWS Managed
- Created and managed by Amazon, not editable
Policy Assignment
Identity-Based
- Assigned to users/groups/roles
- Specifies what that identity can do
Resource-Based
- Assigned to resources, e.g. S3 bucket
- Specifies who can access and what they can do
Default Policies
Everything in AWS is denied by default: a request is allowed only if a policy explicitly allows it.
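As an added illustration of the Effect/Action/Resource statement elements and of the default-deny rule (example code written for these notes, not part of the original and not an AWS library), the Python below evaluates a constructed identity-based policy the way IAM does at its core: nothing is allowed until a statement allows it, and an explicit Deny overrides any Allow. The bucket name and policy are made up; NotAction, NotResource, Condition and resource-based policies are deliberately not modelled.

```python
import fnmatch
import json

# Constructed example, not an AWS-provided policy: allow read/write on one
# bucket, but explicitly deny deletes under its "protected/" prefix.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/protected/*"}
  ]
}"""


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' one char.
    Action names are matched case-insensitively; ARNs are case-sensitive."""
    if ignore_case:
        candidate = candidate.lower()
    return any(fnmatch.fnmatchcase(candidate, p.lower() if ignore_case else p)
               for p in _as_list(patterns))


def evaluate(policy_json, action, resource):
    """Simplified evaluation of one identity-based policy.
    Returns "Allow", "ExplicitDeny" or "ImplicitDeny".
    Simplification: NotAction, NotResource, Condition and resource-based
    policies are not modelled."""
    decision = "ImplicitDeny"  # deny by default until an Allow matches
    for stmt in json.loads(policy_json)["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision
```

Deleting under `protected/` matches both the Allow and the Deny statement, and the Deny wins; an action no statement mentions (such as `s3:ListAllMyBuckets`) falls through to the implicit deny.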
Best Practices
- Regularly review and update IAM policies
- Enable AWS CloudTrail for auditing and monitoring
- Use IAM roles for EC2 instances and AWS services
- Rotate access keys and other credentials regularly
- Use groups for easier management of IAM users
- Enable MFA
- Create strong password policies (you can create custom policies)
- Implement principle of least privilege