IAM Flashcards
Full Form Of IAM
Identity & Access Management
Is IAM a Regional or Global service
Global service
What do IAM groups consist of?
only users, they don’t contain other groups.
* Groups can’t contain other groups
In AWS, groups are collections of IAM users. They help organize users, making it easier to manage permissions by assigning policies to a group rather than individual users. This simplifies access management across multiple users with similar roles or permissions.
- IAM groups are containers for Users, they can’t be logged-in to like Users.
- Used for making management of USERS easier.
- Groups help in administrative style management of users which facilitates attaching policies to groups making it more convienient to manage permissions both at group level and user level.
- Limit of 300 groups per account.
Is it necessary for users to belong to a group?
No, it’s not necessary for users to belong to a group in AWS. Users can have permissions assigned individually without being part of a group. Groups are just a helpful way to manage permissions more efficiently, especially when multiple users need the same access rights.
- Used for making management of USERS easier.
- Groups help in administrative style management of users which facilitates attaching policies to groups making it more convienient to manage permissions both at group level and user level.
- AWS doesn’t allow groups in groups. Overlapping of users in multiple groups is allowed.
Can a user belong to multiple groups ?
Yes
- There doesn’t exist a default all users’ group
- AWS doesn’t allow groups in groups. Overlapping of users in multiple groups is allowed.
- Limit of 300 groups per account
Why do we create users and groups ?
Because we want them to use AWS services with limited permissions
What are IAM: Permissions ?
They JSON documents containing policies.
Assigning capabilities to use specific services.
What is the principle to apply best practice for giving permission to users?
Least privilege principle; Don’t give more permission than a user needs.
True/False
Only root user can create groups and draft policies ?
Best Practice
False.
Admin user should be created as the first user by the root user.
As best practices root user shouldn’t be used more than generating admin user and assigning permissions to admin users.
IAM Policies inheritance: Group level permissions
A user can be in multiple groups
A group can have multiple users and multiple sub groups
A user can not be in any group.
Important IAM policy structure
Effect
The structure of an IAM policy is shown below:
Version
# ID
# Statement/s
## SId
## Effect
## Principal
## Action
## Resource
Facts
IAM
- 5,000 IAM Users per account not per region, and IAM is a global service.
- IAM User can be a member of 10 groups (maximum)
- Internet-scale applicaitions
- Large orgs & org merges (Limits to keep in mind when merging orgs)
Resource policy
Mark the difference between Resource policy and IAM policy
AM Policies:
- Definition: IAM policies manage permissions for IAM identities (users, groups, roles) within an AWS account.
- Format: Written in JSON (JavaScript Object Notation).
- Scope: Applied to IAM users, groups, or roles.
- Purpose: Dictate what actions IAM identities can perform on AWS resources.
Resource Policies:
- Definition: Resource policies control access to specific AWS resources (e.g., S3 buckets, SQS queues) directly.
- Format: Also written in JSON format.
- Scope: Applied directly to AWS resources.
- Purpose: Specify who has access to the resource and what actions they can perform, including granting access across AWS accounts.
Key Difference:
IAM Policies: Control access at the identity level within the AWS account.
Resource Policies: Control access at the resource level, allowing cross-account access and defining permissions directly on the resource.
- Groups are not a true identity. They can’t be referenced as a principal in a policy.
- A resource policy can’t grant access to an IAM group, expecting all the user of a group gets access to the group.
