Andrew's Digital Garden

IAM basics in AWS

IAM = Identity Access Management Allows you to manage users and their level of access to the AWS console. It is region-agnostic.

There are three types of identities:

Users - should represent 1 physical person
User groups - functions such as admin, developer, finance, etc.
Roles - allows one part of AWS to access another part of AWS [[20211206015943-aws-iam-roles]]

Best practice is for users to inherit permissions from user groups. Creating a user and not assigning it to any groups or tags will create a user without any permissions at all.

[[20211122013042-aws-explicit-deny]]

The [[root account]] is the email addressed that signed up for AWS. It has full admin access and needs to be secured.

[[Policy documents]] control IAM permissions, and are written in JSON.

Note that access key and secret access key != username/password, but are instead used for programatic access. The secret access key is only shown once, and either key shouldn't be shared.

It's best practice to set up a forced password rotation if using passwords.

[[aws]] [[security]]

Referred in

AWS Certified Solutions Architect - Associate (SAA-C02)

IAM basics in AWS