Scribd
Upload
58 views21 pages

Free No Charge For No of User/global Servcie /easy and Flexible

IAM allows users to access AWS resources without needing to share credentials. It provides single sign-on access, temporary security credentials, and fine-grained access control. Key aspects include: - Federated users can access AWS resources without needing IAM user accounts. - Policies are used to grant permissions to users and control what resources they can access. Sample policies show the principal, action, and resource specifications. - Customer managed policies can be created and attached to users or roles, while AWS managed policies are predefined and managed by AWS. - IAM users should be used instead of root account access for security. Least privilege and MFA are best practices.

Uploaded by

Sujata Kattimani
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
58 views21 pages

Free No Charge For No of User/global Servcie /easy and Flexible

IAM allows users to access AWS resources without needing to share credentials. It provides single sign-on access, temporary security credentials, and fine-grained access control. Key aspects include: - Federated users can access AWS resources without needing IAM user accounts. - Policies are used to grant permissions to users and control what resources they can access. Sample policies show the principal, action, and resource specifications. - Customer managed policies can be created and attached to users or roles, while AWS managed policies are predefined and managed by AWS. - IAM users should be used instead of root account access for security. Least privilege and MFA are best practices.

Uploaded by

Sujata Kattimani
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
Download as pdf or txt
Download as pdf or txt
You are on page 1/ 21

IAM

Free No Charge for No of user/Global Servcie /Easy and Flexible


Who Can Access AWS resources

Federated
users
Users/Cross AC System/Service LDAP
AD
NOT FOR OS AND APP ACCESS
DENY/Everything
Effect=Allow/Deny

Principal=whom/user/ARN/*

Action=Add/delete/get/put

Resource=ARN of S3/EC2

Conditions=When/Where/date time/IP
Sample JSON Policy……..FIND Out What is Missing ??????
Created by user to be specifically
Create/managed/updated by AWS
Assigned to a user only cannot be
can be assigned to any resource
given to other user

Customer Managed Policy


GMAIL

Role=Use cases
No need to Provide username password
Access Key Secret Key safe and Temporary
IAM=Best Practice

1)Avoid…..Root Account Access


2)Use …..IAM user to Access AWS
3)Grant…..least permission…..only provide …..more permission when required
5)Create….Groups and Assign policy to Groups for easier management and Auditing
4)Use…..Roles where ever possible
5)Avoid …..Storing any username/password/access_key/secret_access_key
6)Use…..MFA…..adds additional layer of security
7)Use……Security adviser to know who accessed what and when in your account
Some AWS CLI commands for IAM user Management
1)aws iam list-users
2)aws iam list-groups
3)aws iam create-group --group-name Admins
4)aws iam create-user --user-name Bob
5)aws iam add-user-to-group --user-name Bob --group-name Admins
6)aws iam delete-group --group-name MyTestGroup
7)aws iam delete-user --user-name Bob

8)aws iam attach-user-policy --policy-arn


arn:aws:iam::aws:policy/AdministratorAccess --user-name Alice

9)aws iam enable-mfa-device --user-name Bob --serial-number


arn:aws:iam::210987654321:mfa/BobsMFADevice --authentication-code-1
123456 --authentication-code-2 789012

1) DONT TRY TO REMEMBER EVEN EINSTEINE CANNOT .....just try a couple of


them to get an idea

2) you can get any example for any command you want
.....online(internet)....very good AWS Docs

You might also like