Principal - This phrase is is used to describe any entity accessing resources within IAM.
ROOT User
- The first user when an AWS Account is created.
- Has complete Admin access by default, to ALL AWS Services.
- DO NOT USE EVERYDAY! Set up other users, groups etc. and lock the credentials for this account away.
Users
- These are accounts for people who access AWS resources (and some apps)
- They are a set of unique credentials and have no permissions by default.
- API keys generate for each user should not be stored on an EC2 instance.
- All users should have least privileges.
Groups
- A collection of users under one set of permissions
Policies
- These are documents which define one or more set of permissions to access AWS resources.
- Policies can be assigned to Users, Groups and Roles.
SID, Effect, Principal, Action, Resource, Condition
Roles and Temporary Security Tokens
- Roles assume or grant privileges between specific AWS resources for a set duration.
- They are temporary.
- When a Role is assumed, a Security Tokens is assigned temporarily between 15 mins and 36 hours.
- Since February 2017, you can now add an IAM Role to an EC2 instance once its created.
Cross-Account Access
- IAM Roles can be configured to grant users in other accounts permissions to resources in your account. The users in the other accounts will then assume the role to access resources in your account.
Federation
- This allows users who have an AD account access (or Facebook/Google) to have to AWS console with out having an IAM account in the AWS account. AD uses SAML, Google/Facebook uses OpenID Connect.
- A temporary token is issued, associated with a Role, to the Identity Provider and this then calls the AWS API.
Authentication
IAM authenticates using...
- USERNAME/PASSWORD (CONSOLE)
- ACCESS KEY/SECRET KEY (API/CLI)
- ACCESS KEY/SESSION TOKEN (ASSUMED ROLE)
- MFA
No comments:
Post a Comment