Notes on IAM (AWS):
I have decided to summarize the essential points of what I have learned about IAM, as a bullet-point list.
- The account and the user inside the account are two different entities
- The user in the account is an IAM identity – also known as a PRINCIPAL
- Identities can be federated – users w/o AWS accounts can be given temporary permissions
- IAM is shorthand for Identity and Access Management
- A root user is automatically created along with the creation of the account; but the root user is an identity inside the AWS account, not the account itself
- After creation, the root user should be locked down using MFA
- An IAM user should be created and granted administrative privileges by attaching a policy to the user that grants those privileges
- There is a hard limit of 5,000 IAM users per account; each user can be a member of 10 groups
- Policies specify actions on AWS resources and the effect (allow or deny) of those actions
- AWS provides a pool of ready-made policies; alternatively, custom policies can be created to suit specific needs
- Policies are created either with the Create policy page or by writing JSON
- Policies can be attached to either principals (aka ‘identity-based’ policies) or resources (aka ‘resource-based’ policies)
- An attempt to access AWS resources is a two-step process: first the user is AUTHENTICATED to the account, and then access to resources in that account is AUTHORIZED
- All actions in AWS are implicitly denied; granting permissions requires that actions be explicitly allowed by attaching policies
- There are two types of ‘deny’: implicit and explicit; all actions are implicitly denied by default, and an explicit deny overrides any allow, so it can be used to narrow a broader allow
- A single entity can have up to 10 managed policies attached (policies limited to 6,144 characters)
- Policies can be administered in two ways: inline (attached individually to each user) or through groups
- Groups are containers for users; they cannot be logged into and have no credentials of their own, and they cannot be nested
- Groups allow for a set of policies to be applied to a whole class of users, which greatly simplifies management of those policies
- Roles are used to grant temporary permissions to users or services that exist outside a particular AWS account
- Programmatic access (SDKs and the CLI) requires the creation of access keys
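To make the evaluation rules in the notes concrete (implicit deny by default, an allow from any attached policy, and an explicit deny that beats every allow, with group policies aggregated onto each member), here is a small policy evaluator I added as an illustration. It is not AWS code and it is not the real IAM evaluation engine: it only handles identity-based policies in the standard JSON shape, only `*`/`?` wildcards in `Action` and `Resource`, and no `Condition` blocks or resource-based policies. The policies, users and group memberships are constructed sample data.

```python
"""Toy IAM policy evaluator (added example; not AWS code).

Models the rules from the notes: every action starts out implicitly denied,
an Allow in any attached policy grants it, and an explicit Deny in any
attached policy overrides every Allow. Policies use the same JSON shape as
real IAM policy documents, but matching is deliberately simplified
(wildcards only, no Condition keys, no resource-based policies).
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Constructed sample policies (not real AWS managed policies).
S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
}
# Narrows the broad allow above with an explicit deny on production buckets.
NO_PROD_DELETION = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["s3:DeleteBucket", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::prod-*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM treats '*' and '?' as wildcards in Action and Resource; fnmatchcase
    # does the same (it also treats '[' specially, which ARNs never contain).
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies: List[dict], action: str, resource: str) -> str:
    """Return 'ExplicitDeny', 'Allow' or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # a Deny wins regardless of any Allow
            if stmt["Effect"] == "Allow":
                allowed = True          # keep scanning: a later Deny still wins
    return "Allow" if allowed else "ImplicitDeny"


def effective_policies(user: str,
                       user_policies: Dict[str, List[dict]],
                       group_members: Dict[str, List[str]],
                       group_policies: Dict[str, List[dict]]) -> List[dict]:
    """Policies attached directly to the user plus those of each group the user is in."""
    policies = list(user_policies.get(user, []))
    for group, members in group_members.items():
        if user in members:
            policies.extend(group_policies.get(group, []))
    return policies


# Constructed directory: one group with two members; bob also has an inline deny.
GROUP_MEMBERS = {"developers": ["alice", "bob"]}
GROUP_POLICIES = {"developers": [S3_FULL_ACCESS]}
USER_POLICIES = {"bob": [NO_PROD_DELETION]}


def check(user: str, action: str, resource: str) -> str:
    """Evaluate one request for a named user against all of their effective policies."""
    policies = effective_policies(user, USER_POLICIES, GROUP_MEMBERS, GROUP_POLICIES)
    return evaluate(policies, action, resource)


if __name__ == "__main__":
    requests = [
        ("alice", "s3:GetObject",     "arn:aws:s3:::prod-logs/app.log"),
        ("bob",   "s3:DeleteBucket",  "arn:aws:s3:::prod-logs"),
        ("alice", "s3:DeleteBucket",  "arn:aws:s3:::prod-logs"),
        ("bob",   "s3:DeleteObject",  "arn:aws:s3:::dev-scratch/tmp"),
        ("bob",   "ec2:RunInstances", "*"),
        ("carol", "s3:GetObject",     "arn:aws:s3:::prod-logs/app.log"),
    ]
    for user, action, resource in requests:
        print(f"{user:6} {action:17} {resource:32} -> {check(user, action, resource)}")
```

Running it shows the three outcomes side by side: alice, who only has the group allow, can delete the production bucket; bob, who has the same group allow plus an inline explicit deny, cannot, yet can still delete objects outside `prod-*`; and carol, who belongs to no group and has no policies, is implicitly denied everything.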