IAM Flashcards
What are IAM Users?
Identities used for anything that requires long-term AWS access
Ex: humans, applications, or service accounts
IAM User number limitations
5000 IAM Users per Account
1 IAM User can belong to up to 10 Groups
IAM User is authenticated by what?
- Username & Password (+MFA)
- Access Key (CLI, SDK)
IAM User is authorized for access based on what?
IAM policy
Attached to, or embedded (inline) in, the IAM User
IAM Users should not be used for…
- Internet-scale apps
- Large organizations
What is IAM Group?
Collection of related IAM Users
When to use IAM Group?
- Used for organizing IAM Users
- Cannot contain other Groups
IAM Group number limitations
- 300 IAM Groups per Account
- Can be increased
IAM Group isn’t a true identity, therefore…
… cannot be referenced by a Resource policy
When to use IAM Role?
- Uncertain number of principals
- Need access for a short period of time
IAM Role is a true identity, therefore…
… can be referenced by a Resource policy
What are Temporary Security Credentials?
- Generated by the Security Token Service (STS)
- Assigned to the principal who is assuming the Role
- Has expiration
- Scoped by the Role's Permission policy
What is the effect of a Trust Policy?
Controls which identities can assume the Role
What is the effect of a Permission Policy?
Controls which resources the Role can access; also called an Identity Policy
Difference between a Service-linked Role and an IAM Role?
A Service-linked Role cannot be deleted manually while the linked service is still using it