AWS IAM Access Management
IAM Access Management
IAM access management is all about permissions and policies.
A permission defines who has access to what information and what actions they can perform.
An IAM policy lets you fine-tune the permissions granted by the policy owner.
An IAM policy is a document that formally identifies one or more permissions.
The most restrictive policy always wins.
An IAM policy basically states "Principal A is allowed or denied (Effect) to perform Action B on Resource C, given that Conditions D are satisfied". For example:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Principal": {"AWS": ["arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:root"]},
          "Action": "s3:ListBucket",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::example_bucket",
          "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/"]}}
        }
      ]
    }
An entity can be associated with multiple policies, and a policy can have multiple statements. Each statement in a policy can refer to a single permission. A logical OR is applied across the statements of a policy when it is evaluated. Similarly, if multiple policies apply to a request, a logical OR is applied across all of those policies at evaluation time.
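As an added worked example (not part of the original notes and not AWS code), the following Python models the evaluation rules just described: statements are ORed across all attached policies, an explicit Deny overrides any Allow, and a request that no statement matches is implicitly denied. It evaluates the sample bucket policy from above (a resource-based policy, since it names a Principal) together with a constructed identity-based policy that has no Principal element. The account id, user names, object keys and the second policy are all constructed, and only the Effect, Principal, Action, Resource and StringLike Condition elements are modelled; real IAM has many more operators and rules.

```python
"""Toy model of IAM policy evaluation (added example, not AWS code)."""
from fnmatch import fnmatchcase

ACCOUNT_ID = "111122223333"  # constructed sample account id

# The sample policy from the notes, with the ${aws:username} policy variable.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_ID}:root"]},
        "Action": "s3:ListBucket",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::example_bucket",
        "Condition": {"StringLike": {"s3:prefix": ["home/${aws:username}/"]}},
    }],
}

# Constructed identity-based policy: no Principal, one Allow and one explicit
# Deny, to show that a matching Deny wins over any Allow.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example_bucket/*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example_bucket/secret/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    # Replace ${key} policy variables with values from the request context.
    for key, val in context.items():
        pattern = pattern.replace("${" + key + "}", val)
    return pattern


def _principal_matches(statement, request):
    # Identity-based policies carry no Principal: the attached identity is implied.
    if "Principal" not in statement:
        return True
    principal = statement["Principal"]
    allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    return "*" in allowed or request["principal"] in allowed


def _condition_matches(statement, request):
    # Only StringLike is modelled: every condition key must match one pattern.
    for key, patterns in statement.get("Condition", {}).get("StringLike", {}).items():
        value = request["context"].get(key)
        if value is None:
            return False
        if not any(fnmatchcase(value, _substitute(p, request["context"]))
                   for p in _as_list(patterns)):
            return False
    return True


def statement_applies(statement, request):
    """True when Principal, Action, Resource and Condition all match the request."""
    return (_principal_matches(statement, request)
            and any(fnmatchcase(request["action"], a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(request["resource"], r) for r in _as_list(statement["Resource"]))
            and _condition_matches(statement, request))


def evaluate(policies, request):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'.

    Statements from all policies are ORed together; a matching Deny overrides
    every Allow; a request matched by no statement at all is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not statement_applies(statement, request):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def make_request(action, resource, username="alice", prefix=None):
    """Build a request from the sample account's root principal (constructed)."""
    context = {"aws:username": username}
    if prefix is not None:
        context["s3:prefix"] = prefix
    return {"principal": f"arn:aws:iam::{ACCOUNT_ID}:root",
            "action": action, "resource": resource, "context": context}


def demo():
    """Evaluate a few constructed requests against both policies."""
    policies = [BUCKET_POLICY, USER_POLICY]
    bucket = "arn:aws:s3:::example_bucket"
    return {
        "list_own_prefix": evaluate(policies, make_request("s3:ListBucket", bucket, "alice", "home/alice/")),
        "list_other_prefix": evaluate(policies, make_request("s3:ListBucket", bucket, "alice", "home/bob/")),
        "get_public_object": evaluate(policies, make_request("s3:GetObject", bucket + "/readme.txt")),
        "get_secret_object": evaluate(policies, make_request("s3:GetObject", bucket + "/secret/key.pem")),
        "delete_object": evaluate(policies, make_request("s3:DeleteObject", bucket + "/readme.txt")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the three outcomes side by side: listing your own `home/<username>/` prefix is allowed by the bucket policy's condition, listing another user's prefix falls through to an implicit deny, reading an object under `secret/` is explicitly denied even though another statement allows `s3:GetObject` on the whole bucket, and an action no statement mentions (`s3:DeleteObject`) is implicitly denied. The IAM Policy Simulator performs this kind of check against real policies and services.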
For resource-based policies the principal is specified within the policy itself; for identity-based policies the principal is the user, group or role to which the policy is attached.
Identity-Based vs Resource-Based Permissions
Identity-based, or IAM, permissions
Identity-based (IAM) permissions are attached to an IAM user, group, or role and specify what that user, group or role can do.
The principal is implied: it is the user, group, or role the policy is attached to.
IAM permissions are available for almost all AWS services
IAM policies can be either inline or managed.
Policy version: 2012-10-17
Resource-based permissions
Resource-based permissions are attached to a resource, e.g. an S3 bucket or an SNS topic.
Resource-based permissions specify who has access to the resource (Principal) and what actions they may perform (Action).
Resource-based policies cannot be managed policies; they are only ever inline.
Some AWS services do not support resource-based permissions.
Resource-based policies are attached inline to the resource itself and are not managed.
Policy versions: 2012-10-17, 2008-10-17
Managed or inline policies can be used to define resource-based policies.
Managed policies
A managed policy is a standalone policy that can be attached to multiple users, groups and roles in an AWS account.
Managed policies only apply to identities (users, groups and roles), not to resources.
Managed policies allow for reusability
A managed policy keeps at most 5 versions. Each change to an existing policy creates a new version, which lets you compare the changes and roll back if necessary.
Managed policies come with their own ARN
There are two types of managed policy:
AWS managed policies
Managed policies that are created and maintained by AWS.
AWS maintains and updates these policies; e.g. if a new service is launched, the update automatically applies to all principals attached to the policy.
AWS ensures that updates do not break existing use, e.g. by restricting the removal of permissions.
These policies can't be modified by you.
Policies managed by customers
Customer managed policies give you more precise control than AWS managed policies.
Inline policies
An inline policy is created and managed directly by you and embedded into a single user, group, or role.
An inline policy is deleted when the entity (user, group, or role) it is embedded in is deleted.
IAM Policy Simulator
The IAM Policy Simulator lets you test and troubleshoot identity-based and resource-based policies.
IAM Policy Simulator is a tool that can be used to test IAM-based policies. If multiple policies