IAM - Identity and Access Management
IAM is where you manage your AWS users, groups, roles and
their access to AWS accounts and services.
You can use AWS IAM to securely control individual and group access to your AWS resources. You can create and manage user identities ("IAM users") and grant permissions for those IAM users to access your resources. You can also grant permissions to users outside of AWS (federated users).
IAM is commonly used to manage:
- Users
- Groups
- Roles
- IAM access policies
- API keys (access keys)
- The account password policy, as well as MFA requirements on a per-user basis
NOTE: By default, a new user you create in an AWS account has no access to any AWS service. Every request is implicitly denied unless a policy explicitly allows it, and an explicit Deny in any applicable policy overrides any Allow.
For all identities except the root user, permissions must be granted through IAM policies before they can access AWS services.
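To make the implicit-deny rule concrete, here is an added example (not code from the original post) that models how IAM evaluates a principal's identity-based policies: a request is allowed only if some statement explicitly allows it, an explicit Deny overrides any Allow, and everything else falls through to implicit deny. It models only the Effect, Action and Resource elements with `*` wildcards (Condition, NotAction, resource-based policies and permission boundaries are out of scope), and the policy documents are constructed for illustration.

```python
"""Minimal model of IAM identity-policy evaluation for one principal.

Only Effect, Action and Resource are modelled. Action matching is
case-insensitive and ARN matching is case-sensitive, as in IAM.
"""
import fnmatch

# Constructed sample policies (not taken from a real account).
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        }
    ],
}

# Explicit Deny on a sensitive prefix; must win over the Allow above.
DENY_SECRETS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/secrets/*"}
    ],
}

# Equivalent of the AdministratorAccess managed policy.
ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard matching: '*' any sequence, '?' one character."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    A brand-new IAM user has no policies, so every request is 'implicit_deny'.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            action_match = any(_matches(a, action, True) for a in _as_list(stmt.get("Action", [])))
            resource_match = any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))
            if not (action_match and resource_match):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # a matching Deny ends evaluation
            allowed = True  # remember the Allow, but keep looking for a Deny
    return "allow" if allowed else "implicit_deny"


def is_allowed(policies, action, resource):
    return evaluate(policies, action, resource) == "allow"


if __name__ == "__main__":
    key = "arn:aws:s3:::example-bucket/report.csv"
    print("new user, no policies:", evaluate([], "s3:GetObject", key))
    print("read-only user:", evaluate([READ_ONLY_S3], "s3:GetObject", key))
    print("read-only user writing:", evaluate([READ_ONLY_S3], "s3:PutObject", key))
    print("secrets prefix:", evaluate([READ_ONLY_S3, DENY_SECRETS], "s3:GetObject",
                                      "arn:aws:s3:::example-bucket/secrets/key.pem"))
```

Note the `ListBucket` resource: it is the bucket ARN, not `bucket/*`, which is why the Allow lists both forms. Forgetting the bucket-level ARN is a common reason a "read-only" user can fetch objects but cannot list them.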
Best Practices for IAM:
- Delete your root access keys
- Activate MFA on your root account
- Create and use an IAM user with admin privileges instead of the root account for day-to-day work
- Create individual IAM users
- Use groups to assign permissions
- Follow the "Principle of Least Privilege"
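The quickest way to check the first four practices in an existing account is the IAM credential report. Below is an added example (not from the original post) that audits such a report for active root access keys, a root account without MFA, recent root sign-ins, console users without MFA and access keys that have not been rotated. The column names follow the CSV that `aws iam get-credential-report` returns after base64 decoding; the rows, the account ID and the fixed "now" timestamp are constructed for illustration.

```python
"""Audit an IAM credential report against basic IAM best practices."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample report. Column names match the AWS credential report format;
# the rows and account ID 123456789012 are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,not_supported,false,true,2020-01-10T09:05:00+00:00,2024-04-30T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-02-01T10:00:00+00:00,true,2024-05-02T09:00:00+00:00,2024-01-15T10:00:00+00:00,2024-04-14T10:00:00+00:00,true,true,2024-03-01T10:00:00+00:00,2024-05-01T10:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-01T10:00:00+00:00,true,2024-04-20T09:00:00+00:00,2022-06-01T10:00:00+00:00,N/A,false,true,2022-06-01T10:05:00+00:00,2023-01-01T10:00:00+00:00,us-west-2,iam,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy,arn:aws:iam::123456789012:user/deploy,2022-09-01T10:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-12-01T10:00:00+00:00,2024-05-02T10:00:00+00:00,us-east-1,ecr,true,2021-01-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the audit is reproducible; in practice use datetime.now(timezone.utc).
AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)


def _parse_time(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _age_days(value, as_of):
    ts = _parse_time(value)
    return None if ts is None else (as_of - ts).days


def audit_report(report_csv, as_of=AS_OF, max_key_age_days=90, root_use_window_days=90):
    """Return a list of (user, finding_code, detail) tuples, one per violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"

        if is_root:
            if row["mfa_active"] != "true":
                findings.append((user, "root_no_mfa", "activate MFA on the root account"))
            used = _age_days(row["password_last_used"], as_of)
            if used is not None and used <= root_use_window_days:
                findings.append((user, "root_recent_use",
                                 f"root signed in {used} days ago; use an IAM admin identity instead"))
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            # Console access without MFA; key-only service users are skipped here.
            findings.append((user, "user_no_mfa", "console password without MFA"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, "root_access_key", f"delete root access key {n}"))
            age = _age_days(row[f"access_key_{n}_last_rotated"], as_of)
            if age is not None and age > max_key_age_days:
                findings.append((user, "stale_access_key",
                                 f"access key {n} last rotated {age} days ago"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_report(SAMPLE_REPORT):
        print(f"{user:16} {code:18} {detail}")
```

Against a live account, replace `SAMPLE_REPORT` with the decoded `Content` field of `aws iam get-credential-report` (run `aws iam generate-credential-report` first). The thresholds are parameters because the right rotation window and root-use window are policy decisions, not AWS constants.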
Below is the video on IAM users and groups:
A few important points on the root user:
- The root user is initially the only principal (identity) that can authenticate to the account, and the only one authorized to act in it.
- The root user is specific to an account.
- The root user can create IAM principals that can also authenticate to the account and can be authorized to act with granular permissions.
Account Domains:
AWS accounts consist of three discrete domains:
- Authentication
- Authorization
- Billing
By default, every AWS account has separate billing, users and permissions. If one account is compromised, the blast radius is limited to that account, unless cross-account roles or other trust relationships extend it.