IAM Policy Conditions
- Refer here for the list of condition keys
- Refer here for the actions, resources and condition keys table of each service
- Refer here for the condition operators (StringEquals, StringLike, ArnLike, IpAddress, ...)
- Let's create an IAM policy that lets a user enable or disable only the Mumbai region (ap-south-1). Note what it does and does not do: it limits the account:EnableRegion and account:DisableRegion actions to that region through the account:TargetRegion condition key; it does not confine the user's other API calls to Mumbai (for that you would condition on the global aws:RequestedRegion key).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"account:EnableRegion",
"account:DisableRegion"
],
"Resource": "*",
"Condition": {
"StringEquals" : {
"account:TargetRegion": "ap-south-1"
}
}
}
]
}
- Condition keys are always tied to actions: a key is present in the request context only for the actions that supply it, and a StringEquals condition on a key that is absent evaluates to false. In the policy below, ec2:InstanceType is supplied by ec2:RunInstances, so the statement allows launching t2.micro instances only; an action such as ec2:DescribeInstances also matches the ec2:*instance* wildcard but carries no ec2:InstanceType key, so this statement does not allow it at all.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*instance*",
"Resource": "*",
"Condition": {
"StringEquals" : {
"ec2:InstanceType": "t2.micro"
}
}
}
]
}
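To see both rules used by the two policies above (action wildcard matching, and a StringEquals condition failing when its key is absent from the request), here is a small offline evaluator. It is an added example written for these notes, not AWS code and not the IAM policy engine: it handles only Allow statements with StringEquals conditions, and the request contexts, account ID and ARN it feeds in are constructed placeholders.

```python
"""Offline mini-evaluator for IAM Allow statements (added example, not AWS code).

It models only what the notes above rely on:
  * Action patterns use IAM wildcards ('*' any run, '?' one char) and match
    action names case-insensitively; Resource patterns match ARNs case-sensitively.
  * StringEquals is case-sensitive, and a key that is missing from the request
    context makes the condition false, so the Allow statement grants nothing.
Deny statements, NotAction/NotResource, other operators and policy variables
are deliberately not implemented; the real IAM engine is the source of truth.
"""
import json
import re

# The two policies from the notes.
REGION_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["account:EnableRegion", "account:DisableRegion"],
    "Resource": "*",
    "Condition": {"StringEquals": {"account:TargetRegion": "ap-south-1"}}
  }]
}""")

EC2_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:*instance*",
    "Resource": "*",
    "Condition": {"StringEquals": {"ec2:InstanceType": "t2.micro"}}
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_glob(pattern: str, ignore_case: bool) -> re.Pattern:
    # Translate an IAM pattern into an anchored regex: '*' -> '.*', '?' -> '.'
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def action_matches(pattern: str, action: str) -> bool:
    return _iam_glob(pattern, ignore_case=True).match(action) is not None


def resource_matches(pattern: str, arn: str) -> bool:
    return _iam_glob(pattern, ignore_case=False).match(arn) is not None


def condition_holds(condition: dict, context: dict) -> bool:
    """All operator blocks AND all keys must hold; a key's values are OR'd.
    Condition key names are case-insensitive, StringEquals values are not."""
    ctx = {k.lower(): v for k, v in context.items()}
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in keys.items():
            if key.lower() not in ctx:
                return False          # missing key: the condition is false
            if ctx[key.lower()] not in _as_list(expected):
                return False
    return True


def is_allowed(policy: dict, action: str, resource: str, context: dict) -> bool:
    """True if some Allow statement matches the action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if not any(action_matches(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(resource_matches(p, resource)
                   for p in _as_list(stmt.get("Resource", []))):
            continue
        if not condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False   # no matching Allow: implicit deny


if __name__ == "__main__":
    # Constructed request contexts; the account ID and ARN are placeholders.
    inst = "arn:aws:ec2:ap-south-1:111122223333:instance/*"
    # RunInstances supplies ec2:InstanceType, so the condition can be evaluated.
    print(is_allowed(EC2_POLICY, "ec2:RunInstances", inst, {"ec2:InstanceType": "t2.micro"}))  # True
    print(is_allowed(EC2_POLICY, "ec2:RunInstances", inst, {"ec2:InstanceType": "t3.large"}))  # False
    # DescribeInstances matches ec2:*instance* but carries no ec2:InstanceType key.
    print(is_allowed(EC2_POLICY, "ec2:DescribeInstances", "*", {}))  # False
    print(is_allowed(REGION_POLICY, "account:EnableRegion", "*",
                     {"account:TargetRegion": "ap-south-1"}))  # True
    print(is_allowed(REGION_POLICY, "account:DisableRegion", "*",
                     {"account:TargetRegion": "eu-west-1"}))  # False
```

The third call is the one worth remembering: the wildcard matches ec2:DescribeInstances, yet the statement grants nothing for it because the request never carries ec2:InstanceType. If you want a statement to cover actions that do not supply a key, use a separate statement without that condition (or the ...IfExists operator), and confirm the result in the IAM Policy Simulator rather than trusting a model like this one.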
- Always test your policies with the IAM Policy Simulator (refer here) before attaching them.
- In an IAM policy you specify the resources a statement applies to with Resource or NotResource, using ARNs (wildcards allowed): Resource lists the ARNs the statement covers, NotResource lists the ARNs it excludes, so the statement applies to everything else.
Enabling Multifactor Authentication in AWS
Identity Providers and Federation
- If your organization already manages identities outside AWS, you can use an IAM identity provider instead of creating IAM users for those people.
- You create the IAM identity provider and establish a trust relationship between it and your AWS account; federated users then assume IAM roles instead of holding long-lived IAM credentials.
- AWS supports identity providers compatible with
- OpenID Connect (OIDC)
- SAML 2.0
- Another important use case is connecting existing Active Directory/LDAP users and groups to AWS.