- IAM allows you to manage users and their level of access to the AWS console.
- IAM is global; it does not depend on a region.
- Centralized control of your AWS account.
- Shared access to your AWS account.
- Granular permissions.
- Identity Federation (including Active Directory, Facebook, LinkedIn, etc).
- MFA (Multi-Factor Authentication).
- Provide temporary access for users/devices and services where necessary.
- Supports PCI DSS compliance (security standards).
- Supports password rotation policies.
- Virtual/hardware MFA devices.
- Users: end users (think people).
- New users have no permissions when first created; AWS assigns them an Access Key ID and a Secret Access Key.
- The Access Key ID and Secret Access Key are shown only once; if the user loses them, an admin must regenerate them.
- Groups (A collection of users under one set of permissions).
- Roles (You create roles and can then assign them to AWS resources).
Policies are documents that define one or more permissions.
- Applied to users, groups, or roles individually.
- Written in JSON.
- Do not depend on region.
- Each statement has the following elements:
  - Effect (whether the policy allows or denies access),
  - Action (the list of actions that are allowed or denied by the policy),
  - Resource (the list of resources on which the actions can occur),
  - Condition (the circumstances under which the policy grants permissions).
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
```
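To show how the four statement elements combine, here is a small policy evaluator written for this note (it is added example code, not AWS's own evaluation engine). It walks the statements of a constructed policy, matches Action and Resource with IAM-style `*` wildcards, checks a `Bool` Condition on the `aws:MultiFactorAuthPresent` context key, and applies the rule that an explicit Deny overrides any Allow and that no matching Allow means an implicit deny. Only the `Bool` condition operator is implemented; the policy document and the request contexts are constructed samples.

```python
import fnmatch
import json

# Constructed sample policy (not from any real account): an Allow that requires
# MFA, plus an explicit Deny on a sensitive key prefix in the same bucket.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::example_bucket", "arn:aws:s3:::example_bucket/*"],
      "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example_bucket/secrets/*"
    }
  ]
}
""")


def _as_list(value):
    # Action, Resource and Statement may be a single string/object or a list.
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive and support "*" / "?" wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # ARNs (and S3 keys inside them) are case-sensitive; "*" also crosses "/".
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Simplified: only the Bool operator is supported; any other operator fails
    # closed. A context key that is absent is treated as "false".
    for operator, pairs in condition.items():
        if operator != "Bool":
            return False
        for key, expected in pairs.items():
            actual = str(context.get(key, "false")).lower()
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(stmt["Action"], action):
            continue
        if not _resource_matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny always wins, regardless of order
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    bucket = "arn:aws:s3:::example_bucket"
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", bucket + "/public/a.txt", mfa))
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", bucket + "/public/a.txt"))
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", bucket + "/secrets/k.pem", mfa))
    print(evaluate(SAMPLE_POLICY, "s3:PutObject", bucket + "/public/a.txt", mfa))
```

Running the block prints `Allow`, `ImplicitDeny`, `Deny`, `ImplicitDeny` in that order: the same object read succeeds only with MFA, the secrets prefix is denied even with MFA because the Deny statement matches, and an action no statement names falls through to the implicit deny.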
- PowerUserAccess: provides full access to AWS services and resources, but does not allow management of users and groups.