# IAM

IAM is the AWS service that manages users and their permissions. It is a global service (not tied to a region or Availability Zone, **AZ**). When you first create an AWS account, it creates a root account for you by default; this root account should not be used for day-to-day work or shared. Instead, create new users from the root account.
**Users Group**

It is a feature of IAM that lets you create groups and assign users to them (a user is not required to belong to a group). For each group we can create **policies** and attach them to that group to grant permissions to the users in the group.

<img src="https://2166680554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FP9VzT74ziIucCaJgfreE%2Fuploads%2Fj6Oa9ABwAv4vC1iCbrl5%2Ffile.excalidraw.svg?alt=media&#x26;token=6c4f2f81-36a2-4ceb-837c-4c63e04809f0" alt="" class="gitbook-drawing">

A user can belong to zero or more groups. When a user belongs to multiple groups, they receive the permissions from all of those groups' policies. In AWS you apply the **least privilege principle**: don't give more permissions than a user needs.

**IAM Policies structure**

A policy consists of

* Version (optional)
* Statement (required): an array of statement objects

Each statement consists of

* Sid: an ID for the statement (optional)
* Effect: allow or deny access (`Allow` or `Deny`)
* Principal: the user, account or role the statement applies to
* Action: the actions this statement covers, e.g. `"s3:GetObject"`
* Resource: the list of resources it applies to, e.g. `"mybucket/*"`
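Added example (not from the original notes): two constructed policy documents in the structure above, one attached to a "readers" group and one to a "no-delete" group, plus a small evaluator that shows how AWS combines them for a user in both groups. The bucket name, Sids and the `evaluate` helper are assumptions; the rule that an explicit `Deny` beats any `Allow`, and that nothing matching means an implicit deny, is how IAM evaluates identity-based policies. Real `Resource` values are ARNs, which is why the example uses `arn:aws:s3:::mybucket/*` rather than the shorthand in the notes.

```python
import fnmatch

# Constructed sample policies (not from the page): the first could be attached to a
# "readers" group, the second to a "no-delete" group. A user in both groups is
# evaluated against the statements of both.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowReadMyBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        }
    ],
}

DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDeleteEverywhere",
            "Effect": "Deny",
            "Action": "s3:DeleteObject",
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, fold_case):
    # IAM treats '*' and '?' as wildcards; fnmatch is a close enough stand-in here.
    # Action names are case-insensitive, resource ARNs are case-sensitive.
    patterns = _as_list(patterns)
    if fold_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation (hypothetical helper).

    Rules: an explicit Deny overrides everything; otherwise any matching Allow
    grants access; with no matching statement the result is an implicit deny.
    Condition, NotAction and NotResource are not modelled.
    """
    decision = "Deny"  # implicit deny until some statement allows
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, fold_case=True):
                continue
            if not _matches(stmt["Resource"], resource, fold_case=False):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of other Allows
            decision = "Allow"
    return decision


if __name__ == "__main__":
    group_policies = [READ_ONLY_POLICY, DENY_DELETE_POLICY]
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::mybucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::mybucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::otherbucket/report.csv"),
    ]:
        print(f"{act:16} {res:42} -> {evaluate(group_policies, act, res)}")
```

The third case is the least-privilege point from the notes in action: nothing in either group policy mentions `otherbucket`, so the request is denied without anyone having to write a `Deny` for it.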

**Security**

In AWS, you can set a password policy for IAM that requires users to create passwords matching your pattern, for example:

1. minimum length
2. uppercase characters required
3. password expiration (change every 1 month)
4. prevent reuse of previous passwords
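Added example (not from the original notes): the four rules above expressed as settings, plus a local check that applies them to a candidate password. The dict keys use the parameter names of boto3's `iam.update_account_password_policy`, so it can be passed to that call as keyword arguments; the specific values (14 characters, 30 days, 24 remembered passwords) and the `check_password` / `password_expired` helpers are assumptions for illustration, and the fingerprinting is only there to show the reuse check offline, not as a way to store passwords.

```python
import hashlib
from datetime import date, timedelta


def build_password_policy():
    """Settings for the four rules in the notes. Keys match the parameter names of
    boto3's iam.update_account_password_policy; boto3 is not imported here so the
    block runs offline. The values are assumptions, not AWS defaults."""
    return {
        "MinimumPasswordLength": 14,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "RequireNumbers": True,
        "RequireSymbols": True,
        "MaxPasswordAge": 30,           # days; the notes' "change every 1 month"
        "PasswordReusePrevention": 24,  # remember the last 24 passwords
        "AllowUsersToChangePassword": True,
    }


def fingerprint(password):
    # Only to illustrate the reuse comparison offline; this is not a password
    # store (AWS keeps the history for you, and real stores use salted hashing).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, previous_fingerprints, policy):
    """Local pre-check of a candidate password against the policy.
    Returns the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        problems.append("too short")
    if policy["RequireUppercaseCharacters"] and not any(c.isupper() for c in candidate):
        problems.append("no uppercase")
    if policy["RequireLowercaseCharacters"] and not any(c.islower() for c in candidate):
        problems.append("no lowercase")
    if policy["RequireNumbers"] and not any(c.isdigit() for c in candidate):
        problems.append("no number")
    if policy["RequireSymbols"] and not any(not c.isalnum() for c in candidate):
        problems.append("no symbol")
    # Only the most recent PasswordReusePrevention passwords count as "reused".
    remembered = previous_fingerprints[-policy["PasswordReusePrevention"]:]
    if fingerprint(candidate) in remembered:
        problems.append("reused")
    return problems


def password_expired(last_changed_iso, today_iso, policy):
    # True once the password is older than MaxPasswordAge days.
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed > timedelta(days=policy["MaxPasswordAge"])


if __name__ == "__main__":
    policy = build_password_policy()
    history = [fingerprint("Tr0ub4dor&3xample")]
    print(check_password("password", [], policy))
    print(check_password("Tr0ub4dor&3xample", history, policy))
    print(password_expired("2024-01-01", "2024-02-05", policy))
```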

Moreover, you can enable MFA (multi-factor authentication) to make accounts more secure.

**IAM Roles for services**

Some AWS services need to perform actions on other services on your behalf, so we assign permissions to those services with IAM roles.

Example: we want our **EC2** instance to be able to access other services in our AWS account.

<img src="https://2166680554-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FP9VzT74ziIucCaJgfreE%2Fuploads%2FikHJKvnH4FHhzcjrhUA4%2Ffile.excalidraw.svg?alt=media&#x26;token=d02431d7-b50e-43f9-86df-35e215d3a1c7" alt="" class="gitbook-drawing">
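Added example (not from the original notes): a role is two documents, a trust policy saying who may assume it and a permissions policy saying what it may do. The constructed `EC2_TRUST_POLICY` lets the EC2 service assume the role, and the permissions policy grants read access to one made-up bucket. The `trusted_principals` and `audit_role` helpers are assumptions written here to show the checks a reviewer would run before attaching such a role to an instance.

```python
# Constructed example (not from the page): the two documents that make up a role
# an EC2 instance can use. The bucket name and Sids are made up.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

EC2_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadAppConfig",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::app-config-bucket/*",
        }
    ],
}

# A deliberately loose pair, constructed to show what the audit flags.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}
    ],
}

BROAD_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Set of principals allowed to assume the role, as 'Type:value' strings
    (e.g. 'Service:ec2.amazonaws.com'); a bare '*' principal is returned as '*'."""
    found = set()
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if "sts:assumerole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.add("*")
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                found.add(f"{kind}:{value}")
    return found


def audit_role(trust_policy, permissions_policy):
    """Least-privilege findings a reviewer would raise on a service role."""
    findings = []
    if trusted_principals(trust_policy) & {"*", "AWS:*"}:
        findings.append("trust policy lets any principal assume the role")
    for stmt in permissions_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if any(a == "*" or a.endswith(":*") for a in _as_list(stmt["Action"])):
            findings.append(f"wildcard action in statement {sid}")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"wildcard resource in statement {sid}")
    return findings


if __name__ == "__main__":
    print(trusted_principals(EC2_TRUST_POLICY))
    print(audit_role(EC2_TRUST_POLICY, EC2_PERMISSIONS_POLICY))
    print(audit_role(OPEN_TRUST_POLICY, BROAD_PERMISSIONS_POLICY))
```

The point of the trust policy is that only the EC2 service, not an arbitrary user or account, can pick up these permissions; the audit makes that explicit and flags the loose pair, which would hand `s3:*` on every bucket to anyone who can call `sts:AssumeRole`.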

**IAM Security Tools**

* Credentials Report (account-level): lists all of your account's users and the status of their credentials
* Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed
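Added example (not from the original notes): the credentials report is a CSV, so the usual way to use it is to parse it and pull out the rows that matter. The sample below is constructed (a subset of the real report's columns, placeholder account ID `123456789012`, made-up users), and the `review_credentials` helper is an assumption; it flags the three things a reviewer looks at first: a root account without MFA, console users without MFA, and active access keys that have not been rotated within a chosen age.

```python
import csv
import io
from datetime import datetime

# Constructed sample (not a real report): a subset of the columns IAM's credential
# report uses, with the root row and three users. Account ID 123456789012 is a
# placeholder and the users are made up.
REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2023-01-05T10:00:00+00:00,not_supported,2024-05-01T08:00:00+00:00,not_supported,false,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T09:00:00+00:00,true,2024-05-20T07:30:00+00:00,2024-04-01T09:00:00+00:00,true,true,2024-04-15T09:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-10T09:00:00+00:00,true,N/A,2022-06-10T09:00:00+00:00,false,true,2022-06-10T09:00:00+00:00,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-09-01T09:00:00+00:00,false,N/A,N/A,false,true,2023-09-01T09:00:00+00:00,true,2023-09-01T09:00:00+00:00
"""


def parse_report(text):
    # One dict per row, keyed by the header line.
    return list(csv.DictReader(io.StringIO(text)))


def _age_days(stamp_iso, now):
    return (now - datetime.fromisoformat(stamp_iso)).days


def review_credentials(text, now_iso, max_key_age_days=90):
    """Return (user, finding) pairs for: root without MFA, console users
    without MFA, and active access keys older than max_key_age_days."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    for row in parse_report(text):
        user = row["user"]
        if user == "<root_account>":
            # password_enabled is "not_supported" for root; mfa_active is meaningful.
            if row["mfa_active"] != "true":
                findings.append((user, "root account without MFA"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue  # inactive keys have "N/A" timestamps; skip them
            if _age_days(row[f"access_key_{n}_last_rotated"], now) > max_key_age_days:
                findings.append((user, f"access_key_{n} older than {max_key_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credentials(REPORT_CSV, "2024-06-01T00:00:00+00:00"):
        print(f"{user:15} {finding}")
```

With the real report (downloaded with `aws iam get-credential-report`, which returns it base64-encoded) the same function works unchanged as long as the columns used here are present, which they are in the full report.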


