- IAM consists of the following:
  - Users
  - Groups
  - Roles
  - Policy Documents
- IAM is Global. It doesn't apply to any specific region.
- There is no charge to use IAM.
- IAM is compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
- The "root account" has complete Admin access.
- Don't use the "root account" for everyday use. Instead, create users. A new user has NO permissions by default. Grant the least privilege needed for their job.
- A new user is assigned a password, an Access Key ID and a Secret Access Key. The password is used to log in to the AWS Management Console. The Access Key ID and Secret Access Key are used to log in via the APIs and CLI.
- Always set up MFA on your root account.
- Use Groups to assign permissions to IAM users.
- Use Roles to delegate permissions. A Role is more secure than creating an individual user. Roles give temporary credentials for access, whereas a User has long-term credentials.
- Create and customize password rotation policies.
- Policies can be attached to users, groups and roles. Use AWS defined policies to assign permissions wherever possible. A policy is defined in JSON format and contains version, statements, effect, action, resource, principal, and condition.
- STS (Security Token Service) provides temporary security credentials to trusted users. STS is global and there is no charge to use it.
- Digest: https://tutorialsdojo.com/aws-identity-and-access-management-iam/
- IAM best practices - A question might ask you to identify best practices among the given choices. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Difference between when to use a Role and a User.
- IAM Policy Simulator - service for testing and troubleshooting IAM Policies.