IAM

  • IAM authorization flow
    • Principal: a person or application authenticated as the account root user or as an IAM entity (IAM user, federated user or assumed role)
    • issues a Request: an operation to be performed by the principal against resources
    • which needs Authorization: granted by a resource policy or a user policy
    • allowing an Action (console) or Operation (API/CLI): e.g. CreateBucket, StopInstances
    • against Resources: such as the S3 service, EC2 service, etc.
  • Authentication: password, access key, or role / temporary security token
  • Roles are global (not region specific)
  • Policy: a JSON document that is a collection of permissions
    • Policies are JSON documents consisting of a "Statement" array
    • each permission (statement) consists of:
      • Effect: Allow or Deny
      • Action: Read*, etc.
      • Resource: S3 etc.
      • Service: IAM, S3 etc.
      • Condition: source IP, specific time, etc.
  • User policies are used to grant access to users within their own account, whereas resource policies are used to grant cross-account access
  • A request is denied if any single policy evaluates to Deny, or if none of the policies evaluates to Allow (an explicit Deny overrides any Allow; the default is Deny)
  • Best practice for application identity:
    • application not running on AWS compute: create an IAM user, download its access keys and use them in the application
    • application running on EC2: create an instance profile that carries an IAM role
  • ARN (Amazon Resource Name) for IAM
    • arn:partition:service:region:account:resource
    • partition: aws for standard AWS regions, aws-cn for others
    • service: iam for IAM
    • region: always blank for IAM
    • resource: user, role, group, etc.
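As an added worked example (not part of the original notes), the Python evaluator below applies the Deny/Allow rule above to a list of policy documents built from the Statement fields listed (Effect, Action, Resource, Condition). The policy contents and the 10.0.0.0/8 range are constructed sample values, and only the aws:SourceIp condition is modelled; any other condition is treated as unsatisfied.

```python
import fnmatch
import ipaddress
import json

def _listify(value):
    # IAM allows a single string or a list in Action, Resource and Statement.
    return value if isinstance(value, list) else [value]

def _ip_condition(operator, key, expected, context):
    # Only the source-IP condition named in the notes is implemented; any other
    # operator or key is treated as not satisfied, so the statement does not apply.
    if key != "aws:SourceIp" or operator not in ("IpAddress", "NotIpAddress"):
        return False
    ip = ipaddress.ip_address(context.get("aws:SourceIp", "0.0.0.0"))
    in_range = any(ip in ipaddress.ip_network(n, strict=False) for n in _listify(expected))
    return in_range if operator == "IpAddress" else not in_range

def _statement_applies(st, action, resource, context):
    # Action names match case-insensitively with "*" wildcards; resource ARNs are case-sensitive.
    if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _listify(st["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _listify(st["Resource"])):
        return False
    for operator, pairs in st.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _ip_condition(operator, key, expected, context):
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Apply the rule from the notes: any matching explicit Deny wins; otherwise at
    least one matching Allow is required, and everything else is denied by default."""
    context = context or {}
    allowed = False
    for policy in policies:
        doc = json.loads(policy) if isinstance(policy, str) else policy
        for st in _listify(doc["Statement"]):
            if not _statement_applies(st, action, resource, context):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"

# Constructed sample policies (assumed, not from the notes): a user policy granting read
# access to one bucket, and a guard that denies S3 requests from outside 10.0.0.0/8.
USER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*",
                              "Resource": "arn:aws:s3:::example-bucket/*"}]}
IP_GUARD = json.dumps({"Statement": {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
                       "Condition": {"NotIpAddress": {"aws:SourceIp": "10.0.0.0/8"}}}})
```

Calling `evaluate([USER_POLICY, IP_GUARD], "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", {"aws:SourceIp": ip})` returns "Allow" for an address inside 10.0.0.0/8 and "Deny" for one outside it, while a PutObject request or a request against another bucket is denied by default.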