General
- It is a global service
- Has the following entities:
  - Identities:
    - User
    - Group
    - Role
  - Policies
- Answers the question "Who (user, group, role) can access (policies) what (AWS resources)?"
- The Root account is not part of any of the above identities.
- Can define a password policy for IAM Users (e.g. password length, required password characters, password expiration)
- Can enable MFA for the Root account and for IAM Users.
- Can store certificates (configured through the CLI, not the console)
IAM User
- Represents a person or a service.
- Can be assigned to an IAM Group
- Can have an IAM Policy attached
- Can define an inline policy
- Can be delegated an IAM Role. The user can switch roles either:
  - by calling AWS STS AssumeRole
  - through the console.
- Can have programmatic access (access key ID and secret access key) or console access (username and password).
- Can have a Permission Boundary set.
- Can be tagged.
IAM Group
- A collection of IAM Users.
- Cannot contain another IAM Group.
- Can have an IAM Policy attached.
- No inline policy.
- Cannot be tagged.
- No Permission Boundary.
IAM Role
- Determines what the identity can and cannot do in AWS.
- Can have an IAM Policy attached (similar to an IAM User).
- Unlike an IAM User, has no username and password.
- Intended to be assumed by the following identities:
  - an AWS service
  - another AWS account, which can then delegate the role to its own IAM Users
  - a Web Identity
  - a SAML 2.0 federation
IAM Policies
- Defines the permissions of an identity or a resource.
- Policy types:
  - Identity-based (attached to a user, group or role)
    - Managed (AWS-managed or customer-managed)
    - Inline
  - Resource-based
    - Acts as an inline policy attached to a resource, e.g. an S3 bucket policy
  - Permission boundaries
    - Define the maximum permissions for a given set of policies.
    - Applicable only to identity-based policies.
    - Do not grant permissions on their own
  - Organization SCP
    - Defines the maximum permissions for member accounts of an organization or organizational unit (OU)
    - Does not grant permissions on its own
  - Access Control List (ACL)
    - Controls which principals in other accounts can access the resource to which the ACL is attached
    - A cross-account permissions policy that grants permissions to the specified principal.
    - Cannot grant permissions to entities within the same account.
    - Does not use the JSON format.
  - Session policies
    - Used with the AWS CLI or API.
    - Limit the permissions of a session.
    - Do not grant permissions on their own
- Policy structure:
  - Consists of:
    - Version – always 2012-10-17
    - Id – an identifier, usually descriptive text. Optional
    - Statement – mandatory
  - Statement structure:
    - Sid
      - an identifier, usually descriptive text
      - optional
    - Effect
      - defines whether the Actions are allowed or denied
      - value is either Allow or Deny
      - mandatory
    - Action
      - list of AWS API names
      - wildcards are allowed, i.e. either * or APIName*
      - mandatory
    - Resource
      - list of AWS resources the action applies to
      - in ARN format
      - can be a wildcard (*)
      - mandatory
    - Principal
      - an account, user or role
      - in ARN format
      - optional
    - Condition
      - conditions under which the policy is in effect
      - optional
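The policy structure above, together with the evaluation rules the notes state for boundaries and session policies (they cap permissions but never grant them), as an added example in Python. This is not code from the original notes or from AWS: the two policy documents, the bucket name example-reports, and the functions validate_policy, evaluate and effective_decision are constructed for illustration, and the matcher is a deliberate simplification of IAM's evaluation (no Condition, NotAction, Principal or resource-based policy handling, and case-sensitive matching).

```python
"""Simplified IAM policy evaluation: an explicit Deny wins, then an Allow, otherwise
the implicit Deny. A permission boundary never grants on its own; the effective
permission is the intersection of the identity policy and the boundary."""
import fnmatch
import json

# Constructed identity-based policy (example data, not from any real account).
IDENTITY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "ExampleIdentityPolicy",
  "Statement": [
    {
      "Sid": "AllowS3ReadOnReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
    },
    {
      "Sid": "AllowAllEc2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyTerminate",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*"
    }
  ]
}
""")

# Constructed permission boundary: caps the identity at S3 only, so ec2:* falls outside it.
BOUNDARY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

# Mandatory statement elements per the policy structure in the notes.
REQUIRED_KEYS = {"Effect", "Action", "Resource"}


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy(policy):
    """Return a list of structural problems (an empty list means the document is well-formed)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if statements is None:
        problems.append("Statement is mandatory")
        return problems
    for i, stmt in enumerate(_as_list(statements)):
        missing = REQUIRED_KEYS - set(stmt)
        if missing:
            problems.append(f"statement {i} missing {sorted(missing)}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i} has invalid Effect {stmt.get('Effect')!r}")
    return problems


def _matches(patterns, value):
    """IAM-style wildcard matching: '*' matches anything, 's3:Get*' matches a prefix."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Evaluate one policy document: 'Deny' if any statement explicitly denies,
    'Allow' if any statement allows, otherwise the implicit 'Deny'."""
    decision = "Deny"  # implicit deny unless something allows
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision


def effective_decision(identity_policy, action, resource, boundary=None):
    """A permission boundary grants nothing: the request must be allowed by BOTH
    the identity policy and the boundary (when one is set)."""
    if evaluate(identity_policy, action, resource) != "Allow":
        return "Deny"
    if boundary is not None and evaluate(boundary, action, resource) != "Allow":
        return "Deny"
    return "Allow"


if __name__ == "__main__":
    print("structural problems:", validate_policy(IDENTITY_POLICY))
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"),
        ("ec2:RunInstances", "*"),
        ("ec2:TerminateInstances", "*"),
    ]:
        print(action, "->", effective_decision(IDENTITY_POLICY, action, resource, BOUNDARY_POLICY))
```

With the boundary applied, ec2:RunInstances is denied even though the identity policy allows ec2:*, which is exactly the "defines the maximum permission but does not grant permission" behaviour described above; ec2:TerminateInstances is denied by the explicit Deny regardless of the boundary.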
IAM Reporting Tools
- Credentials Report
  - Account-level reporting
  - Lists all users in your account and the status of their various credentials.
  - Used for auditing and compliance
- Access Advisor
  - User-level reporting
  - Shows service last-accessed information
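An added example, not part of the original notes, of how a defender consumes the Credentials Report for the auditing use described above: parse the CSV and flag users with a console password but no MFA, the root account without MFA, and active access keys that are stale or have never been used. The report rows, the account id 123456789012, the user names and the triage_report function are all constructed; the column names follow the real report, but the fixed 90-day rotation threshold and the frozen "now" are assumptions made for the example.

```python
"""Triage an IAM credentials report (the per-account CSV that IAM generates).
Everything below is constructed sample data; the column names follow the real report."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. Account id 123456789012 and the users are placeholders.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-03-01T09:00:00+00:00,not_supported,not_supported,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-10T00:00:00+00:00,true,2024-04-01T08:00:00+00:00,2024-01-15T00:00:00+00:00,N/A,true,true,2024-02-01T00:00:00+00:00,2024-04-01T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-08-20T00:00:00+00:00,true,2024-03-28T10:00:00+00:00,2022-01-01T00:00:00+00:00,N/A,false,true,2021-06-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,false,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2022-02-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-01T00:00:00+00:00,2024-04-02T00:00:00+00:00,true,2022-12-01T00:00:00+00:00,N/A
"""

# Frozen "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 4, 15, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def triage_report(report_csv, now=NOW, max_key_age_days=90):
    """Return {user: [finding, ...]} for every row with at least one finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user_findings = []
        is_root = row["user"] == "<root_account>"
        # The root row reports password_enabled as not_supported, so check MFA directly.
        if is_root and row["mfa_active"] != "true":
            user_findings.append("root account has no MFA")
        # A console password without MFA is a single-factor login.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            user_findings.append("console password enabled without MFA")
        # Each user has two access-key slots; only active keys matter here.
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                user_findings.append(f"access_key_{n} not rotated in {max_key_age_days} days")
            if _parse_ts(row[f"access_key_{n}_last_used_date"]) is None:
                user_findings.append(f"access_key_{n} active but never used")
        if user_findings:
            findings[row["user"]] = user_findings
    return findings


if __name__ == "__main__":
    for user, items in triage_report(SAMPLE_REPORT).items():
        print(user)
        for item in items:
            print("  -", item)
```

In the sample data alice is clean, bob has a password without MFA and a key last rotated in 2021, and svc-deploy has a second key that is both stale and unused; those are the rows a reviewer would take to the account owner.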
AWS STS
- Grants limited access to AWS resources through the use of temporary tokens
- Tokens are valid for up to 1 hour.
- Created through the API and CLI
- APIs to obtain tokens:
  - AssumeRole
    - allows existing IAM users to access AWS resources that they don't already have access to (including cross-account access)
  - AssumeRoleWithWebIdentity
    - for federated users who are authenticated through a public identity provider
  - AssumeRoleWithSAML
    - for federated users who are authenticated by your organization's existing identity system
  - GetFederationToken
    - for federated users
  - GetSessionToken
    - temporary credentials for an existing IAM user
    - provides enhanced security, such as allowing AWS requests only when MFA is enabled for the IAM user