IAM

  • IAM authorization flow
    • Principal: a person or application authenticated as the account root user or as an IAM entity (IAM user, federated user or assumed role)
    • issues a Request: an operation to be performed against resources on behalf of the principal
    • which needs Authorization: granted by a user (identity) policy or a resource policy
    • allowing an Action (console) or Operation (API/CLI): e.g. CreateBucket, StopInstances
    • against Resources: e.g. an S3 bucket or an EC2 instance
  • Authentication: password, access key, or role with a temporary security token
  • Roles are global (not region specific)
  • A policy is a JSON document that is a collection of permissions
  • A permission consists of:
    • Effect: Allow or Deny
    • Action: e.g. Read*
    • Resource: e.g. S3
  • Policies are JSON documents built around a “Statement” array; each statement can also specify:
    • Service: IAM, S3 etc.
    • Condition: source IP, specific time etc.
  • User policies are used to grant access to users within their own account, whereas resource policies are used to grant cross-account access
  • A request is denied if any single policy evaluates to Deny, or if none of the policies evaluates to Allow
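The policy structure and evaluation rule above, worked through in code. This is an added example, not AWS code: it evaluates constructed sample statements with a small subset of the policy language (Action, Resource, and the IpAddress/NotIpAddress/StringEquals condition operators), applying the order the notes describe: an explicit Deny wins, otherwise any matching Allow grants the request, otherwise the request falls to the implicit (default) Deny.

```python
"""IAM-style policy evaluation: explicit Deny wins, then any Allow, else
implicit Deny. Added example using a constructed sample policy; it is not
AWS code and supports only a small subset of the policy language."""
import fnmatch
import ipaddress
import json

# Constructed sample identity policy: read access to one bucket, plus an
# explicit Deny for any S3 call that does not originate from the office CIDR.
USER_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket",
                   "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}
    }
  ]
}
""")


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards: '*' matches any run of characters (including '/'),
    '?' a single character. fnmatchcase keeps the comparison case-sensitive,
    so callers lower-case action names first (actions are case-insensitive)."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Supports IpAddress / NotIpAddress and StringEquals only (assumption:
    enough for the sample). A missing context key fails IpAddress and
    StringEquals but satisfies NotIpAddress, matching IAM's behaviour."""
    for operator, clauses in (condition or {}).items():
        for key, expected in clauses.items():
            actual = context.get(key)
            if operator in ("IpAddress", "NotIpAddress"):
                in_range = actual is not None and any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)
                    for cidr in _as_list(expected))
                if (operator == "IpAddress") != in_range:
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against all applicable
    policies (identity and resource policies alike in the same account)."""
    context = context or {}
    action = action.lower()
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _condition_holds(stmt.get("Condition"), context):
                continue  # statement does not apply to this request
            actions = [a.lower() for a in _as_list(stmt["Action"])]
            if not (_matches(actions, action)
                    and _matches(stmt.get("Resource", "*"), resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"  # no Allow matched: implicit Deny


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    office = {"aws:SourceIp": "203.0.113.10"}
    elsewhere = {"aws:SourceIp": "198.51.100.7"}
    print(evaluate([USER_POLICY], "s3:GetObject", obj, office))     # Allow
    print(evaluate([USER_POLICY], "s3:GetObject", obj, elsewhere))  # Deny (explicit)
    print(evaluate([USER_POLICY], "s3:PutObject", obj, office))     # Deny (implicit)
```

The three calls at the bottom show the three outcomes in the notes: a matching Allow, an explicit Deny from the condition-guarded statement overriding that Allow, and an implicit Deny for an action no statement allows.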
  • BP (best practice) for application identity:
    • application not running on AWS compute: create an IAM user, download its access keys and use them in the application
    • application running on EC2: create an instance profile that has an IAM role
  • ARN (Amazon Resource Name) for IAM
    • arn:partition:service:region:account:resource
      • partition: aws for standard AWS regions; other partitions such as aws-cn exist
      • service: iam for IAM
      • region: always blank for IAM
      • resource: user, role, group etc.
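A parser for the ARN format above with the IAM-specific checks the notes state (service iam, region blank, resource of the form type/name). This is an added example, not AWS code; the accepted resource types (user, role, group, instance-profile and the root user's root) and the 12-digit account check are assumptions made for the example.

```python
"""ARN parsing with IAM-specific validation. Added example, not AWS code;
the validation rules are assumptions drawn from the stated ARN format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split arn:partition:service:region:account:resource. The resource
    field may itself contain ':' (some services use type:id), so split at
    most five times and keep the remainder intact."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if not partition or not service or not resource:
        raise ValueError(f"partition, service and resource are required: {arn!r}")
    return Arn(partition, service, region, account, resource)


# Assumption for this example: the IAM resource types named in the notes,
# plus instance-profile and the account root user's 'root'.
IAM_RESOURCE_TYPES = {"user", "role", "group", "instance-profile", "root"}


def iam_arn_problems(arn: str) -> list:
    """Return the reasons an ARN is not a well-formed IAM ARN (an empty list
    means it passes). Non-raising so a caller can report every issue at once."""
    try:
        parsed = parse_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed.service != "iam":
        problems.append(f"service is {parsed.service!r}, expected 'iam'")
    if parsed.region:
        problems.append(f"region must be blank for IAM, got {parsed.region!r}")
    if not (parsed.account.isdigit() and len(parsed.account) == 12):
        problems.append(f"account must be a 12-digit id, got {parsed.account!r}")
    resource_type = parsed.resource.split("/", 1)[0]
    if resource_type not in IAM_RESOURCE_TYPES:
        problems.append(f"unexpected IAM resource type {resource_type!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample ARNs: one valid IAM user, one with a region set.
    for sample in ("arn:aws:iam::123456789012:user/Alice",
                   "arn:aws:iam:us-east-1:123456789012:user/Alice"):
        print(sample, "->", iam_arn_problems(sample) or "ok")
```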