IAM
What is IAM?
IAM (Identity and Access Management) is the AWS service that manages users and their permissions. It is a global service (it is not tied to a region or availability zone, AZ). When you first create an AWS account, a root account is created for you by default; this account should not be used for everyday work or shared. Instead, create new users from the root account.
User Groups
Groups are an IAM feature that lets you create a group and assign users to it (a user is not required to belong to a group). Policies are attached to each group separately to grant permissions to the users in that group.
A user can belong to zero or more groups. When a user is in several groups, they receive the permissions of the policies attached to all of them. In AWS, apply the least privilege principle: don't give more permissions than a user needs.
IAM Policy structure
A policy document consists of:
Version (optional)
Statement (required): an array of statement objects
Each statement consists of:
Sid: an identifier for the statement (optional)
Effect: whether the statement allows or denies access (Allow or Deny)
Principal: the user, account, or role the statement applies to
Action: the API actions the statement covers, e.g. "s3:GetObject"
Resource: the list of resources it applies to, e.g. "mybucket/*"
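The following is an added example, not code from the original notes or from AWS. It builds a constructed policy document in the Version / Statement / Sid / Effect / Action / Resource layout described above and runs a small lint over it: the structural checks (required fields, valid Effect) and the least-privilege checks (an Allow on a wildcard Action or on Resource "*") are this example's own rules, not an AWS API.

```python
import json

# Constructed sample identity-based policy (not from the original page).
# Statement "TooBroad" is deliberately over-permissive so the lint has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
        },
        {
            "Sid": "TooBroad",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "arn:aws:s3:::mybucket",
        },
    ],
})

ALLOWED_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    # Action and Resource may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return a list of findings for a JSON policy document (empty list = clean)."""
    policy = json.loads(document)
    findings = []
    if "Version" not in policy:
        findings.append("policy: Version missing (set it to 2012-10-17)")
    statements = policy.get("Statement")
    if statements is None:
        return findings + ["policy: Statement missing (required)"]
    for i, stmt in enumerate(_as_list(statements)):
        label = stmt.get("Sid", f"statement[{i}]")
        if stmt.get("Effect") not in ALLOWED_EFFECTS:
            findings.append(f"{label}: Effect must be Allow or Deny")
        if "Action" not in stmt and "NotAction" not in stmt:
            findings.append(f"{label}: Action missing")
        if "Resource" not in stmt and "NotResource" not in stmt:
            findings.append(f"{label}: Resource missing")
        # Least-privilege checks only matter for grants, not for explicit denies.
        if stmt.get("Effect") == "Allow":
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"{label}: Allow with wildcard Action {actions} violates least privilege")
            if "*" in resources:
                findings.append(f"{label}: Allow on Resource '*' violates least privilege")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Running the block prints two findings, both against the "TooBroad" statement; the explicit Deny and the scoped "ReadReports" grant pass. A check like this is useful as a pre-commit step for policies kept in source control.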
Security
In AWS you can set a password policy for IAM that requires users to create passwords matching your pattern, for example:
minimum length
uppercase characters
password expiration (e.g. change every 1 month)
prevent reuse of previous passwords
In addition, you can enable MFA (multi-factor authentication) to make accounts more secure.
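To make the four password-policy settings above concrete, here is an added example (not code from the original notes and not the IAM API itself) that models them in plain Python: a constructed policy with the setting names chosen for this example, a checker that reports which rules a proposed password breaks, and an expiry check for the "change every month" rule.

```python
import hashlib
from datetime import date

# Constructed settings mirroring the four options listed in the notes.
# The key names are this example's own, not the IAM API parameter names.
PASSWORD_POLICY = {
    "minimum_length": 14,
    "require_uppercase": True,
    "max_age_days": 30,        # "change every 1 month"
    "reuse_prevention": 5,     # the last 5 passwords may not be reused
}


def fingerprint(password):
    # Illustrative only: a real password history stores salted, slow hashes,
    # never a bare SHA-256 of the password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed password history for one user, most recent first.
HISTORY = [fingerprint(p) for p in [
    "Summer-2024-Login!",
    "Spring-2024-Login!",
    "Winter-2023-Login!",
]]


def check_password(candidate, policy=PASSWORD_POLICY, history=HISTORY):
    """Return the list of policy rules a proposed password violates (empty = accepted)."""
    violations = []
    if len(candidate) < policy["minimum_length"]:
        violations.append(f"shorter than {policy['minimum_length']} characters")
    if policy["require_uppercase"] and not any(c.isupper() for c in candidate):
        violations.append("no uppercase character")
    # Reuse prevention compares against only the N most recent fingerprints.
    if fingerprint(candidate) in history[:policy["reuse_prevention"]]:
        violations.append(f"reuses one of the last {policy['reuse_prevention']} passwords")
    return violations


def password_expired(last_changed, today, policy=PASSWORD_POLICY):
    """True once the password is at least max_age_days old and must be rotated."""
    return (today - last_changed).days >= policy["max_age_days"]


# Constructed dates for the expiry check.
SAMPLE_LAST_CHANGED = date(2024, 1, 1)
SAMPLE_TODAY = date(2024, 2, 1)

if __name__ == "__main__":
    for pw in ["short", "Summer-2024-Login!", "Autumn-2024-Login!"]:
        print(pw, "->", check_password(pw) or "accepted")
    print("expired:", password_expired(SAMPLE_LAST_CHANGED, SAMPLE_TODAY))
```

The checker reports every broken rule at once rather than stopping at the first, which is the behaviour users expect from a password form. Note that expiry is evaluated separately from the content rules, since it depends on when the current password was set, not on the candidate.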
IAM Roles for services
Some AWS services need to perform actions on your behalf, so permissions are assigned to AWS services through IAM roles.
Example: we want our EC2 instance to access other services in our AWS account.
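A service role is made of two documents: a trust policy that says which service may assume the role, and a permissions policy that says what the role may do once assumed. The block below is an added example (not code from the original notes) that assembles both for the EC2 case described above, using a constructed role name and bucket, and includes a check that the trust policy names its principal rather than allowing anyone ("*") to assume the role. The key "AssumeRolePolicyDocument" is the name the CreateRole API uses for the trust policy; everything else is this example's own.

```python
import json


def build_service_role(role_name, service_principal, actions, resources):
    """Assemble the trust policy (who may assume the role) and the
    permissions policy (what it may do) for a service role."""
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},   # e.g. ec2.amazonaws.com
            "Action": "sts:AssumeRole",
        }],
    }
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ScopedServiceAccess",
            "Effect": "Allow",
            "Action": list(actions),
            "Resource": list(resources),
        }],
    }
    return {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": trust_policy,   # CreateRole's name for the trust policy
        "PermissionsPolicy": permissions_policy,
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Collect every principal that an Allow sts:AssumeRole statement lets assume the role."""
    found = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.append("*")
        elif isinstance(principal, dict):
            for kind in ("Service", "AWS", "Federated"):
                found.extend(_as_list(principal.get(kind, [])))
    return found


def trust_policy_is_scoped(trust_policy):
    """False if anyone at all ('*') could assume the role; a trust policy must name its principals."""
    return "*" not in trusted_principals(trust_policy)


# Constructed example: let an EC2 instance read one bucket and nothing else.
EC2_READER = build_service_role(
    "ec2-report-reader",
    "ec2.amazonaws.com",
    ["s3:GetObject", "s3:ListBucket"],
    ["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
)

if __name__ == "__main__":
    print(json.dumps(EC2_READER, indent=2))
    print("trusted by:", trusted_principals(EC2_READER["AssumeRolePolicyDocument"]))
    print("scoped:", trust_policy_is_scoped(EC2_READER["AssumeRolePolicyDocument"]))
```

The permissions policy is kept as narrow as the EC2 workload needs (read one bucket), which is the least-privilege principle from the groups section applied to a role. The trust-policy check is the part worth keeping in a review pipeline: a role whose trust policy allows "*" (or an AWS principal of "*") can be assumed from outside your account.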
IAM Security Tools
Credentials Report (account-level): lists all of your account's users and the status of their credentials.
Access Advisor (user-level): shows the service permissions granted to a user and when those services were last accessed.
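The credentials report is a CSV you download from IAM (via the console, or with the aws iam generate-credential-report and get-credential-report commands). The block below is an added example, not code from the original notes, that audits such a report for the findings a reviewer would look for: console passwords without MFA, recent use of the root account, and access keys that are old or unused. The sample report is constructed, uses only a subset of the real report's columns, and the account id 123456789012 is a placeholder; the thresholds (90 days) are this example's choice.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed report with a subset of the real report's columns. Real values are
# true/false, N/A, no_information, not_supported, or ISO-8601 timestamps, as here.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2023-01-05T10:00:00+00:00,true,2024-05-20T08:00:00+00:00,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T10:00:00+00:00,true,2024-06-01T09:00:00+00:00,true,true,2024-05-15T00:00:00+00:00,2024-06-01T09:30:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2023-03-01T10:00:00+00:00,true,no_information,false,true,2023-03-01T10:00:00+00:00,2023-09-01T00:00:00+00:00
deploy,arn:aws:iam::123456789012:user/deploy,2023-04-01T10:00:00+00:00,false,not_supported,false,true,2024-05-30T00:00:00+00:00,2024-06-02T12:00:00+00:00
"""

# Fixed "now" so the constructed sample audits the same way every run.
NOW = datetime(2024, 6, 3, tzinfo=timezone.utc)


def parse_timestamp(value):
    """Return an aware datetime, or None for the report's non-date markers."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now=NOW, max_key_age_days=90, stale_days=90):
    """Flag weak or unused credentials; returns a list of (user, finding) pairs."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Console access without a second factor.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        # The root account should not be in day-to-day use at all.
        if user == "<root_account>":
            last = parse_timestamp(row["password_last_used"])
            if last is not None and (now - last).days < stale_days:
                findings.append((user, f"root credentials used within the last {stale_days} days"))
        # Long-lived or dormant access keys.
        if row["access_key_1_active"] == "true":
            rotated = parse_timestamp(row["access_key_1_last_rotated"])
            if rotated is not None and (now - rotated).days > max_key_age_days:
                findings.append((user, f"access key 1 not rotated for more than {max_key_age_days} days"))
            used = parse_timestamp(row["access_key_1_last_used_date"])
            if used is not None and (now - used).days > stale_days:
                findings.append((user, f"access key 1 unused for more than {stale_days} days"))
    return findings


def audit_sample():
    return audit_credential_report(SAMPLE_REPORT)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

On the constructed report the audit raises five findings: the root account has a console password without MFA and was used recently, and "bob" has no MFA plus an access key that is both old and dormant. "alice" (MFA on, key recently rotated and in use) and "deploy" (no console password, fresh key) are clean. A report fetched from a real account has more columns (a second access key, signing certificates) that the same pattern extends to.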