IAM

• Users : long term credentials
• Groups
• Roles
  • Short-term credentials, uses STS
  • EC2 instance Roles : uses the EC2 metadata service. One role at a time per instance
  • Service Roles : API Gateway, CodeDelploy …
  • Cross Account roles
• Policies
  • AWS Managed
  • Customer(by me) managed
  • Inline polices (one specific role, user …)
• Resource Based Policies (S3 Bucket, SQS queue, etc …)

IAM Policies

• JSON doc
• version, statment, effect, action, resource, condition,policy variables
• DENY > ALLOW
• Best practice : use least privilege or maximum security
  • access advisor : see permissions granted and when last accessed
  • access analyzer : analyze resources that are shared with external entity
• conditions
  • “Conditions” : { “Bool / string / Numberic / Date / ipaddress / arnequals, arnlike / null “ : { “condition-key” : “condition value } }
• varialbes : ${aws:username}
• tag based : iam:resourceTag/key-name …

IAM Roles vs Resource Based Polices

• role : give up original permissions
• resource-based policy : the principal doesn’t have to give up any permissions

IAM Permission Boundaries

• supported for users and roles
• to set the maximum permissions