abk edited this page Nov 13, 2019 · 1 revision

IAM is a global service: no region is associated with users, roles, permissions, etc. They are not region specific. Policy conditions can be applied to a group of users to restrict what a permission policy grants.

- Best practices
	- Activate MFA.
	- Don't use the root account.
	- Create an IAM user for yourself and assign it a permission policy with a lot of privileges.
	- There is no cost associated with the number of IAM roles or users created.
	- IAM groups are convenient.
	- Apply the principle of least privilege.
	- By default there is no strong password policy for IAM users.

What is the ARN format and how is it encoded?

  arn:partition:service:region:account-id:resource

  The resource part takes one of these forms, depending on the service:

    resourcetype/resource
    resourcetype/resource/qualifier
    resourcetype/resource:qualifier
    resourcetype:resource
    resourcetype:resource:qualifier

IAM users

  • Users
  • Any service account
  • A single human, a group of humans, service accounts, or one or more applications

IAM group

  • A group of users forms an IAM group
  • Groups don't have authentication information of their own
  • Can be assigned an IAM policy

IAM Role

  • A temporary "hat" that a user assumes
  • Can be used by humans
  • Can be used by applications

IAM Permission Policies

  • A policy is a document that formally states one or more permissions
  • By default all permissions are implicitly denied
  • An explicit Deny ALWAYS overrides an explicit Allow
  • Implicit Deny is the default
  • Can be attached to an identity (identity policy) or to a resource (resource policy)
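To make the two rules above concrete (implicit deny by default, explicit Deny overriding Allow) and to exercise the ARN layout from the section above, here is an added example that is not part of the original notes. The policy document and the resource names it references are constructed for illustration; the evaluator is a simplified model of IAM's decision logic and ignores conditions and cross-account rules.

```python
import fnmatch
import json

# Constructed sample identity policy (not from the page). The Allow grants
# broad S3 read access; the Deny carves out one bucket. Under IAM evaluation
# the explicit Deny wins even though the Allow also matches that request.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::payroll-bucket/*"}
  ]
}""")


def parse_arn(arn: str) -> dict:
    """Split an ARN into its six colon-delimited fields.

    The resource field may itself contain ':' or '/' (resourcetype:resource:qualifier),
    so split at most five times and keep the remainder intact."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn}")
    keys = ("prefix", "partition", "service", "region", "account_id", "resource")
    return dict(zip(keys, parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate(policy: dict, action: str, resource_arn: str) -> str:
    """Return 'allow' or 'deny' following the two core IAM rules:
    everything is implicitly denied, and an explicit Deny beats any Allow."""
    parse_arn(resource_arn)  # reject malformed resource identifiers early
    decision = "deny"  # implicit deny until an Allow statement matches
    for stmt in policy["Statement"]:
        # Action names are matched case-insensitively; '*' and '?' are wildcards.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource_arn, r)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny: stop immediately, nothing overrides it
        decision = "allow"
    return decision
```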


  1. Principal: A person or application that can make an authenticated or anonymous request to perform an action on a system.
  2. Authentication: The process of authenticating a principal against an identity. This could be via username/password or API keys.
  3. Identity: Objects that require authentication and are authorized to access resources.
  4. Authorization: The process of checking, and then allowing or denying, access to a resource for an identity. It takes an authenticated identity as input.

Shared Responsibility Model

  • Security IN the cloud is the customer's job
    • Customer data
    • Platform, application, identity and access management
    • OS, network and firewall configuration
    • Encryption at rest and in transit
    • Network protection
  • Security OF the cloud is AWS's job
    • Software
    • Compute, storage, DB, network
    • Hardware / AWS global infrastructure
    • Regions, AZs, edge locations

Service Models

  1. IaaS
EC2, networking, VPC, etc.

  2. PaaS
Lambda is a PaaS service (that AWS provides).

  3. SaaS
What you pay for is the service. Netflix, HBO, etc.