up:: [[AWS MOC]]
tags:: #on/computing/cloud/aws
# AWS Identity and Access Management
Identity and Access Management (IAM) is a service used to manage users within an AWS account.
## Basics
IAM is a global service, so it is not scoped by region.
A *user* is a person within your organization. Users can be collected into *groups*. Note that groups cannot contain other groups.
## Permissions
Users and groups can be assigned JSON documents called *policies*. These policies define the permissions granted to users.
### Policies
Policies are usually assigned to groups. An *inline policy* is a policy that is assigned to a user directly.
Policies are composed of a version, an optional ID, and one or more statements. Each statement is made up of the following parts:
| Part | Description |
| ---------- | ---------------------------------------------------- |
| Sid | Identifier for the statement (optional) |
| Effect | Whether to allow or deny the permission |
| Principal | The account/user/role the policy applies to |
| Action | List of actions the policy allows or denies |
| Resource | List of resources to which the actions apply |
| Condition | Conditions under which the policy applies (optional) |
## Account Security
- Use password policies
- Can set a required length or character types
- Can choose whether IAM users can change their own passwords
- Can enable password expiration
- Can prevent password re-use
- Use MFA
## IAM Roles
*IAM Roles* are used to assign permissions to AWS services. This allows the services to act on a user's behalf.
## Best Practices
- Do not use the root account that is created by default; instead, create an IAM user with the necessary permissions
- Every IAM user should belong to a group
- Use the principle of least privilege when assigning permissions to users
- Assign policies to groups instead of to users directly
- Create and use Roles when giving permissions to AWS services
- Use access keys for programmatic access (CLI/SDK)
- Audit permissions using IAM Credentials Report and IAM Access Advisor
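To tie the statement parts above to the least-privilege practice, here is a small checker (added here; not code from the note or from AWS) that reads a policy document and flags any `Allow` statement whose `Action` or `Resource` is a wildcard. The sample policies are constructed for the example; as identity-based policies they carry no `Principal` element.

```python
import json

# Constructed sample policy (not taken from the note): one tightly scoped
# statement and one over-broad one, so the checker has something to flag.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "example-policy",
    "Statement": [
        {
            "Sid": "ReadOneBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {"Sid": "TooBroad", "Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})

# A wildcard Deny only narrows permissions, so it should not be flagged.
DENY_ALL_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}],
})


def as_list(value):
    """Statement, Action and Resource may be a string or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return (Sid, reasons) for each Allow statement that uses wildcards."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        reasons = []
        # "*" grants every action; "s3:*" grants every action of one service
        if any(a == "*" or a.endswith(":*") for a in as_list(stmt.get("Action"))):
            reasons.append("wildcard action")
        if "*" in as_list(stmt.get("Resource")):
            reasons.append("wildcard resource")
        if reasons:  # Sid is optional, so fall back to the statement index
            findings.append((stmt.get("Sid", f"statement[{index}]"), reasons))
    return findings
```

Running `find_overbroad_statements(SAMPLE_POLICY)` reports only `TooBroad`; the MFA-conditioned, single-bucket statement passes.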
---
> [!createdat] Created at: [[2025-01-09]]