These are some rough notes on IAM in AWS, covering IAM Roles, IAM Users and IAM Policies. The notes are aimed at studying for the AWS Solutions Architect Certification and should cover the main points required for that exam.
AWS IAM can be summed up as the service that authenticates you to AWS and authorizes what you can do in AWS.
The root user is the first user and has all permissions to everything on the account. It can’t be removed.
It is this root user that is responsible for the initial IAM set up.
It is possible to customize the IAM login URL
ARN – Amazon Resource Name – is globally unique
Roles – described by a JSON doc that sets out what permissions are granted to the role, when, and under what specific circumstances.
IAM Credentials
Username/password
Access keys – normally used through an API or the CLI
Short term credentials
By default an IAM identity has no permissions at all. This is called an Implicit Deny.
You must explicitly grant the permissions that you want.
IAM Policies
Can be resource or identity policies
They are set out in a JSON Doc.
The doc consists of statements, each a combination of actions and resources
Actions can be specific or can include wildcards
Each statement Allows or Denies the listed actions
There are AWS managed policies and customer managed policies
An explicit Deny overrides everything else
Policies can apply to Users, groups and roles.
IAM Users
Users generally have a 1:1 mapping to a real person or an app
Only users can log in.
Principal -> Authentication -> Authenticated IAM User
Max 5000 users per account
10 group memberships per user
Default max of 10 managed policies per user.
2048 character limit for the total characters across all inline policies associated with that IAM user.
2 access keys per user
1 MFA per user
IAM Groups
IAM Groups allow you to group IAM users together.
There is a many to many relationship between IAM Users and IAM Groups.
Policies can be attached to a group and those flow down to the users.
Groups are not real identities and as such they cannot be referenced from resource policies.
Groups have no credentials and cannot log in.
Groups don’t really get policies. They flow down and are attached to the users.
IAM Access Keys
Access Key ID – Like Username
Secret Access Key – Like password – only available once and not stored by AWS.
Maximum of 2 access keys at one time regardless of their status.
You can make them inactive
Can also delete them
They do not expire.