2022-01-17 Chapter 4 - Identity & Access Management

service-iam-1; Identity and Access Management (IAM); The AWS service for controlling which identities (users, groups, roles) may perform which API actions on which AWS resources.

service-iam-2; Root Account; This corresponds to the email address you use to sign up for AWS. It has full administrative access to the account and cannot be restricted by IAM policies, so it's important to secure it with MFA, to avoid creating access keys for it, and to not use it for day-to-day work.

service-iam-3; Principle of Least Privilege; You should only assign a user the minimum amount of access to AWS that they need to do their job.

service-iam-4; In IAM AWS customers can create {{c1::users}}, {{c1::groups}} and {{c1::roles}}.

service-iam-5; Rather than assigning permissions directly to users, it's better practice to add users to {{c1::groups}} and assign permissions to {{c1::groups}}.

service-iam-6; In addition to using MFA, customers can secure the AWS root account by {{c1::creating individual user accounts for other administrators and adding them to an admin group}}.

service-iam-7; Identity and Access Management (IAM) is {{c1::global}} rather than region-specific.

service-iam-8; When first created, new IAM users have {{c1::no permissions}}.

service-iam-9; AWS customers assign permissions in IAM using {{c1::policy documents}}, which are written in {{c1::JSON}}; each document is a list of statements that Allow or Deny named actions on named resources.

service-iam-10; AWS provides a variety of managed IAM policies that correspond to specific {{c1::services}} (e.g. AmazonS3ReadOnlyAccess) or {{c1::job functions}} (e.g. SecurityAudit).
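The cards above say that a new user has no permissions and that permissions come from JSON policy documents. The example below is added here to make that concrete; it is not AWS code and not part of the original deck. It implements the core of how IAM evaluates identity-based policies inside one account: a request is implicitly denied unless some statement allows it, and an explicit Deny overrides any Allow. Account ID, bucket name and the policy documents are constructed samples; conditions, resource-based policies, permission boundaries and SCPs are deliberately left out.

```python
"""Simplified IAM identity-policy evaluator (added example, not AWS code).

Evaluation order for identity-based policies within a single account:
  1. any matching statement with Effect Deny  -> explicit_deny
  2. else any matching statement with Effect Allow -> allow
  3. else -> implicit_deny (the state of a freshly created IAM user)
Conditions, resource-based policies, permission boundaries, SCPs and
session policies are out of scope for this example.
"""
import fnmatch
import json


def _as_list(value):
    """IAM lets Action/NotAction/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_sensitive):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    if not case_sensitive:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    """Does this statement cover (action, resource)? Actions are case-insensitive, ARNs are not."""
    if "Action" in stmt:
        action_hit = _matches(_as_list(stmt["Action"]), action, case_sensitive=False)
    else:  # NotAction: the statement applies to everything except the listed actions
        action_hit = not _matches(_as_list(stmt.get("NotAction")), action, case_sensitive=False)
    if "Resource" in stmt:
        resource_hit = _matches(_as_list(stmt["Resource"]), resource, case_sensitive=True)
    else:  # NotResource: everything except the listed resources
        resource_hit = not _matches(_as_list(stmt.get("NotResource")), resource, case_sensitive=True)
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    `policies` is every policy document attached to the principal, directly
    or through its groups; order does not matter because Deny always wins.
    """
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement")):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a Deny anywhere overrides every Allow
            if stmt["Effect"] == "Allow":
                allowed = True          # keep scanning in case a Deny follows
    return "allow" if allowed else "implicit_deny"


# Constructed sample documents; the account ID and bucket name are placeholders.
READ_ONLY_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]}
  ]
}""")

NO_DELETE_ANYWHERE = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}
  ]
}""")

ALLOW_EVERYTHING = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def demo():
    """Decisions for a few representative requests."""
    new_user = []                                      # freshly created IAM user: nothing attached
    analyst = [READ_ONLY_BUCKET, NO_DELETE_ANYWHERE]   # policies inherited from an 'analysts' group
    admin_with_guardrail = [ALLOW_EVERYTHING, NO_DELETE_ANYWHERE]
    obj = "arn:aws:s3:::example-reports/q1.csv"
    return {
        "new_user_get": evaluate(new_user, "s3:GetObject", obj),
        "analyst_get": evaluate(analyst, "s3:GetObject", obj),
        "analyst_get_other_bucket": evaluate(analyst, "s3:GetObject", "arn:aws:s3:::other/q1.csv"),
        "analyst_put": evaluate(analyst, "s3:PutObject", obj),
        "analyst_case_insensitive": evaluate(analyst, "S3:getobject", obj),
        "admin_delete": evaluate(admin_with_guardrail, "s3:DeleteObject", obj),
        "admin_iam": evaluate(admin_with_guardrail, "iam:CreateUser", "arn:aws:iam::111122223333:user/bob"),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:28s} {decision}")
```

The `admin_delete` case is the one worth remembering: an administrator policy of `"Action": "*"` still loses to a single explicit Deny, which is why guardrail policies are written as Deny statements rather than by narrowing Allows.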

service-iam-11; IAM allows you to enforce an account password policy for IAM users' console passwords, such as minimum length, required character classes, {{c1::mandatory rotation}} and prevention of password reuse.

service-iam-12; IAM allows you to integrate with an {{c1::identity provider}}, so that people sign in to AWS with an existing corporate {{c1::user account}} (federation) instead of a separate IAM user, e.g. via a {{c1::SAML 2.0}} compatible {{c1::identity provider}} such as {{c1::Microsoft Active Directory Federation Services}}.

service-iam-13; {{c1::Usernames and passwords}} (plus MFA, where enabled) are used for AWS Management Console access.

service-iam-14; {{c1::Access key ID and secret access keys}} are used for programmatic access to AWS (CLI, SDKs and the API).

service-iam-15; You can view a secret access key {{c1::only once, upon creation}}; if it is lost, the key must be deactivated or deleted and a new one created.

service-iam-16; {{c1::Security Token Service (STS)}} is the AWS service that issues temporary security credentials, e.g. when a user or service assumes an IAM role.

service-iam-17; An AWS IAM role is similar to an IAM user in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one {{c1::person}}, a role is intended to be assumed {{c1::temporarily}} by any {{c1::person}} or {{c1::system}} that needs it; assuming it yields short-lived credentials rather than long-term keys.

service-iam-18; IAM roles can allow {{c1::cross}}-account access: the role's trust policy names the principals (e.g. another AWS account) permitted to assume it.

service-iam-19; IAM roles can be attached to {{c1::EC2 instances}} (via an instance profile) so that the {{c1::instance}} can interact with {{c1::other AWS services}} on your behalf; the instance fetches short-lived credentials from the instance metadata service. Roles can be attached to, or swapped on, running {{c1::instances}} without {{c1::terminating}} the {{c1::instance}}.

service-iam-20; IAM roles are the preferred option from a security perspective as they allow you to avoid {{c1::hard-coding your access key ids and secret access keys}} in code or configuration; role credentials are short-lived and rotated automatically.

service-iam-21; IAM role permissions are set in {{c1::policy documents}}: a permissions policy (what the role may do) and a trust policy (who may assume it).
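The role cards (STS, cross-account access, EC2 instance roles, trust policies) are easiest to understand from the trust policy side. The example below is added here and is not AWS code or part of the original deck: it builds the two most common trust policies and answers "can this caller assume the role?" for a given principal. Account IDs are the documentation placeholders 111122223333 and 444455556666, the user and service names are constructed, and condition keys (ExternalId, MFA, source ARN) are out of scope. For cross-account access the caller's own identity-based policy must also allow sts:AssumeRole on the role ARN; that half of the check is not modelled here.

```python
"""Who can assume this role? (added example, not AWS code)

A role carries two documents: a trust policy (who may call sts:AssumeRole
on it) and one or more permission policies (what the temporary credentials
may then do). This checks the trust side only.
"""
import fnmatch
import json

# Constructed sample account IDs (the AWS documentation placeholders).
TRUSTING_ACCOUNT = "111122223333"   # owns the role
TRUSTED_ACCOUNT = "444455556666"    # whose principals may assume it


def cross_account_trust_policy(trusted_account):
    """Trust a whole account: any principal there that also has an identity-based
    Allow for sts:AssumeRole on this role can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def ec2_instance_trust_policy():
    """Trust the EC2 service, so instances carrying this role in their instance
    profile get credentials from the metadata service instead of hard-coded keys."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def _principals(stmt):
    """Flatten the Principal element to (kind, value) pairs, e.g. ('AWS', arn)."""
    principal = stmt.get("Principal")
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for kind, values in (principal or {}).items():
        for v in values if isinstance(values, list) else [values]:
            pairs.append((kind, v))
    return pairs


def _account_of(arn):
    """Account ID is the fifth colon-separated field of an ARN."""
    return arn.split(":")[4] if arn.startswith("arn:") else ""


def can_assume(trust_policy, caller_kind, caller):
    """caller_kind is 'AWS' (an IAM user/role ARN) or 'Service' (e.g. 'ec2.amazonaws.com').

    Principal ARNs do not take wildcards; the only wildcard is a bare '*',
    which means anyone, so a Deny or a matching account-level entry is the
    closest thing to scoping. An explicit Deny statement wins, as elsewhere in IAM.
    """
    decision = False
    for stmt in trust_policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in actions):
            continue
        for kind, value in _principals(stmt):
            if kind != caller_kind:
                continue
            if value == "*" or value == caller:
                hit = True
            elif kind == "AWS" and value.isdigit():          # bare account ID form
                hit = value == _account_of(caller)
            elif kind == "AWS" and value.endswith(":root"):  # account-level trust
                hit = _account_of(value) == _account_of(caller)
            else:
                hit = False
            if hit and stmt["Effect"] == "Deny":
                return False
            if hit and stmt["Effect"] == "Allow":
                decision = True
    return decision


def demo():
    """Trust decisions for a few constructed callers."""
    cross = cross_account_trust_policy(TRUSTED_ACCOUNT)
    ec2 = ec2_instance_trust_policy()
    alice = f"arn:aws:iam::{TRUSTED_ACCOUNT}:user/alice"
    mallory = "arn:aws:iam::999999999999:user/mallory"   # some unrelated account
    return {
        "alice_cross_account": can_assume(cross, "AWS", alice),
        "mallory_other_account": can_assume(cross, "AWS", mallory),
        "ec2_service": can_assume(ec2, "Service", "ec2.amazonaws.com"),
        "lambda_service_not_trusted": can_assume(ec2, "Service", "lambda.amazonaws.com"),
        "alice_cannot_use_ec2_role": can_assume(ec2, "AWS", alice),
    }


if __name__ == "__main__":
    print(json.dumps(cross_account_trust_policy(TRUSTED_ACCOUNT), indent=2))
    for name, ok in demo().items():
        print(f"{name:28s} {ok}")
```

When auditing an account, run every role's trust policy through a check like this with the callers you care about; a `"Principal": "*"` or `"AWS": "*"` entry without a Condition is the finding to look for, because it makes the role assumable from any AWS account.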

