Overview
AWS IAM is the Identity and Access Management service for Amazon Web Services. AWS IAM has the following entities:
- User: an AWS user is an end user who uses the AWS Management Console or an AWS API; a user consists of a name and credentials.
- AWS Security Group: in AWS, a collection (group) of AWS users.
- AWS Role: in AWS, a role defines permissions to AWS resources and authentication methods for an operator, and is assumed temporarily (think OAuth grant).
  - Cannot be assigned to AWS users.
  - Cannot be assigned to an AWS Security Group.
- Policy: in AWS, a policy is a document that defines one or more permissions and is attached to an AWS user or role.
  - Written in JSON; can be attached to any of the above.
  - Lists the specific APIs permitted for members of the role (think scopes) (permissions).
  - May have dynamic components (conditions), such as whether the caller is on a VPN, the time of day, the source network, or the location.
  - May have an implicit Deny, which overrides any Allow permission.
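The policy rules above, and the "new users have no permissions" rule in the details below, can be illustrated with a small evaluator. This is an added example, not AWS code and not the page's own; it models the two deny rules I am certain apply to identity-based policies (a request with no matching Allow is implicitly denied, and an explicit Deny statement overrides any Allow), plus wildcard matching and an `IpAddress`/`NotIpAddress` condition on `aws:SourceIp` as a stand-in for the "are they on the corporate network" condition. The policy documents, ARNs and IP ranges are constructed sample values.

```python
"""Simplified IAM policy evaluator (added example, not AWS code).

Models identity-based policy evaluation: a principal with no policies (a newly
created user) is denied everything; a matching Allow grants the request; a
matching explicit Deny overrides every Allow. Action matching is
case-insensitive with "*"/"?" wildcards; Resource matching is case-sensitive.
Only the IpAddress / NotIpAddress operators on aws:SourceIp are modelled.
"""
import fnmatch
import ipaddress
import json


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case):
    """Glob-match value against one or more IAM patterns (e.g. 's3:Get*')."""
    patterns = _as_list(patterns)
    if ignore_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Evaluate the Condition block against the request context.

    Simplification: a missing context key or an unsupported operator makes the
    condition fail, so the statement does not apply to the request.
    """
    if not condition:
        return True
    for operator, key_values in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False
        src = context.get("aws:SourceIp")
        cidrs = _as_list(key_values.get("aws:SourceIp"))
        if src is None or not cidrs:
            return False
        in_range = any(
            ipaddress.ip_address(src) in ipaddress.ip_network(c, strict=False)
            for c in cidrs
        )
        # IpAddress requires the source to be in range, NotIpAddress out of it.
        if in_range != (operator == "IpAddress"):
            return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for a single request.

    policies: policy documents (dicts or JSON strings) attached to the
    principal; context: request context keys such as aws:SourceIp.
    """
    context = context or {}
    allowed = False
    for doc in policies:
        if isinstance(doc, str):
            doc = json.loads(doc)
        for stmt in _as_list(doc.get("Statement")):
            if not _matches(stmt.get("Action"), action, ignore_case=True):
                continue
            if not _matches(stmt.get("Resource"), resource, ignore_case=False):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"  # explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny


# Constructed sample policies for illustration (not real account policies).
READ_ONLY_BUCKET = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

OFFICE_NETWORK_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "*",
        "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    both = [READ_ONLY_BUCKET, OFFICE_NETWORK_ONLY]
    print(evaluate([], "s3:GetObject", obj))                 # Deny (new user)
    print(evaluate([READ_ONLY_BUCKET], "s3:GetObject", obj))  # Allow
    print(evaluate([READ_ONLY_BUCKET], "s3:PutObject", obj))  # Deny
    print(evaluate(both, "s3:GetObject", obj, {"aws:SourceIp": "203.0.113.7"}))   # Allow
    print(evaluate(both, "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.9"}))  # Deny
```

The order in which policies are attached does not matter: the evaluator returns Deny as soon as any explicit Deny matches, and only falls through to Allow once every statement has been checked, which is why a single network-restriction policy can safely be attached alongside broader Allow policies.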
AWS IAM Details
- AWS IAM is global, not specific to a cloud region or zone.
- The root account is simply the account (email address) created at first setup.
- New AWS users have no permissions when created.
- New AWS users are assigned an Access Key ID and Secret Access Key.
- The Access Key ID and Secret Access Key are used for the AWS API and AWS CLI from your local desktop.
- The Secret Access Key can only be viewed when it is created; otherwise you must regenerate it.
- The password policy is managed within the AWS Management Console.
- Supports PCI DSS compliance.