up:: [[AWS MOC]]
tags:: #on/computing/cloud/aws
# AWS Identity and Access Management (IAM)
Identity and Access Management (IAM) is the AWS service used to manage identities (users, groups and roles) and the permissions those identities have within an AWS account.
## Basics
IAM is a global service, so it is not scoped by region.
A *user* is an identity for a single person or application that needs access to the account. Users can be collected into *groups*, and a user may belong to several groups. Note that groups cannot contain other groups.
## Permissions
Users, groups and roles can be assigned JSON documents called *policies*. These policies define which actions the identity is allowed (or denied) to perform on which resources.
### Policies
Policies are usually attached to groups; users inherit the policies of every group they belong to. A *managed policy* is a standalone policy that can be attached to many users, groups or roles, while an *inline policy* is embedded directly in a single user, group or role and is deleted together with it. Attaching policies to individual users (managed or inline) makes permissions harder to audit, so it is generally avoided.
Policies are composed of a `Version` (use `2012-10-17`, the current policy-language version), an optional `Id`, and a list of statements. Each statement is made of the following parts:
| Part | Description |
| --------- | ---------------------------------------------------- |
| Sid | Identifier for the statement (optional) |
| Effect | `Allow` or `Deny`. Anything not explicitly allowed is implicitly denied, and a matching explicit `Deny` overrides any `Allow` |
| Principal | The account, user, role or service the statement applies to. Only present in resource-based policies (bucket policies, role trust policies); identity-based policies apply to the identity they are attached to |
| Action | List of API actions the statement allows or denies, e.g. `s3:GetObject`; wildcards such as `s3:Get*` are permitted |
| Resource | List of resource ARNs the actions apply to (`*` for all) |
| Condition | Conditions under which the statement applies, e.g. requiring MFA or a source IP range (optional) |
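As an added example (not part of this note), the following Python evaluates an identity-based policy the way IAM combines statements: everything is implicitly denied, a matching `Allow` grants, and a matching explicit `Deny` wins regardless of any `Allow`. The policy, the request context and the evaluator are constructed for illustration; only the `Bool` and `StringEquals` condition operators are implemented, and `NotAction`/`NotResource`, resource-based policies, permission boundaries and SCPs are deliberately left out.

```python
import fnmatch
import json

# Constructed sample identity-based policy (added example, not from the note).
# It grants read access to one bucket, allows uploads only when the caller
# authenticated with MFA, and explicitly denies deleting any bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Id": "example-least-privilege",
  "Statement": [
    {
      "Sid": "ReadReports",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]
    },
    {
      "Sid": "WriteReportsWithMfa",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-reports/*",
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Sid": "NeverDeleteBucket",
      "Effect": "Deny",
      "Action": "s3:DeleteBucket",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # ARNs are case-sensitive; '*' may span '/' just as it does in IAM.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate a Condition block against request context keys.
    Only the Bool and StringEquals operators are implemented (assumption)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:          # a missing key never satisfies these operators
                return False
            if operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow' or 'Deny' using IAM's identity-policy logic:
    implicit deny by default, any matching Allow grants, and any matching
    explicit Deny wins over every Allow."""
    context = context or {}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        if "NotAction" in stmt or "NotResource" in stmt:
            raise NotImplementedError("NotAction/NotResource are not modelled here")
        if not _action_matches(_as_list(stmt.get("Action")), action):
            continue
        if not _resource_matches(_as_list(stmt.get("Resource")), resource):
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny: nothing later can override it
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.pdf"
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj))
    print(evaluate(SAMPLE_POLICY, "s3:PutObject", obj))
    print(evaluate(SAMPLE_POLICY, "s3:PutObject", obj, {"aws:MultiFactorAuthPresent": "true"}))
    print(evaluate(SAMPLE_POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-reports"))
```

The `WriteReportsWithMfa` statement is the pattern behind the MFA best practice further down: the upload is denied unless `aws:MultiFactorAuthPresent` is in the request context, which is exactly what a request signed with plain long-lived access keys lacks.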
## IAM Roles
*IAM Roles* are identities with policies attached but no long-term credentials: a role is *assumed* by a principal (an AWS service, an IAM user, or an identity in another account) and yields temporary credentials. Which principals may assume a role is set by the role's *trust policy*. The most common use is letting an AWS service act on your behalf; for example, attaching a role to an EC2 instance lets the application on it call other AWS APIs (such as reading from S3) without any access keys being stored on the instance.
## Best Practices
- Use password policies
- Can set a required length or character types
- Can choose whether IAM users are able to change their own passwords
- Can enable password expiration
- Can prevent password re-use
- **Do not use the root user for day-to-day work**; it is created with the account, has unrestricted access, and cannot be restricted by IAM policies. Protect it with MFA, remove any access keys it has, and create IAM users (or roles) with only the permissions they need
- Every IAM user should belong to a group
- Use the principle of least privilege when assigning permissions to users
- Assign policies to groups instead of to users directly
- Create and use Roles when giving permissions to AWS services
- Issue access keys only where programmatic access (CLI/SDK) is genuinely needed, rotate them regularly, and prefer roles with temporary credentials over long-lived keys
- Audit permissions using IAM Credentials Report and IAM Access Advisor
	- Credentials Report is an account-wide CSV listing every user (including the root user) and the status of their password, MFA, access keys and certificates
	- Access Advisor shows, per user, group or role, which services the attached policies grant access to and when each was last used, which reveals permissions that can be removed
- Require MFA, at minimum for the root user and anyone with privileged permissions
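As an added example (not from this note), the following Python runs the checks behind several of the best practices above over a credential report: a root user with an access key or without MFA, console users without MFA, access keys older than or unused for 90 days, and passwords that have not been used in 90 days. The CSV is a constructed sample laid out in the credential report's column format; in practice it would come from `aws iam get-credential-report` (the report body is base64-encoded in that call's output). The threshold and `now` are parameters so the result is deterministic.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the credential report's CSV layout (added example, not real data).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2023-01-01T00:00:00+00:00,not_supported,2024-12-20T09:00:00+00:00,not_supported,not_supported,false,true,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-01T00:00:00+00:00,true,2025-01-08T10:00:00+00:00,2024-11-01T00:00:00+00:00,2025-02-01T00:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::111122223333:user/ci-bot,2023-03-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-03-01T00:00:00+00:00,2025-01-07T12:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T00:00:00+00:00,true,2024-05-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,2024-08-01T00:00:00+00:00,false,true,2024-06-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

ROOT = "<root_account>"  # the report names the root user this way


def _parse(ts):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean absent."""
    if not ts or ts in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(ts)


def audit_credential_report(report_csv, now, max_age_days=90):
    """Return a list of (user, finding) tuples for the conditions checked."""
    findings = []
    cutoff = now - timedelta(days=max_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == ROOT
        has_password = row["password_enabled"] == "true"  # always not_supported for root
        has_mfa = row["mfa_active"] == "true"

        if is_root and not has_mfa:
            findings.append((user, "root user has no MFA device"))
        if has_password and not has_mfa:
            findings.append((user, "console password enabled without MFA"))

        # Each user can hold up to two access keys; check both slots.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root user has an active access key {n}"))
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is None or rotated < cutoff:
                findings.append((user, f"access key {n} older than {max_age_days} days"))
            used = _parse(row[f"access_key_{n}_last_used_date"])
            if used is None or used < cutoff:
                findings.append((user, f"access key {n} unused for {max_age_days}+ days"))

        last_login = _parse(row["password_last_used"])
        if has_password and (last_login is None or last_login < cutoff):
            findings.append((user, f"password not used in {max_age_days}+ days"))
    return findings


def users_with_findings(findings):
    """Distinct users that produced at least one finding."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    now = datetime(2025, 1, 9, tzinfo=timezone.utc)
    for user, finding in audit_credential_report(SAMPLE_REPORT, now):
        print(f"{user}: {finding}")
```

With the sample above and 9 January 2025 as the reference date, `alice` (MFA enabled, no keys, recent login) produces no findings, `ci-bot` is flagged only for a key that was never rotated, and the root user and `bob` each produce several findings; those are the rows an admin would act on first.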
## Misc. Information
- The sign-in URL for IAM users can be customized by creating an *account alias*, which replaces the 12-digit account ID in the URL (`https://<alias>.signin.aws.amazon.com/console`).
---
> [!createdat] Created at: [[2025-01-09]]