Identity and Access Management
- Root Account: Root Account refers to the super user in AWS with access to everything including bills
AWS can be accessed via
- Console Access:
- This refers to accessing aws from https://console.aws.amazon.com
- Here we login with username and password
- Programmatic Access:
- This refers to accessing aws from terminal (by typing commands) and sdk (by writing code)
- To login into aws we need secret key and access key
- Console Access:
Every AWS account will have unique account id
- For everything you create in AWS will have unique ARN (Amazon Resource Name)
Who can login into AWS? (IAM Users)
- Sometimes we might give access to an AWS Resource to access other AWS resources (IAM Roles)
- In AWS Authorization is provided by IAM Policies.
- In AWS we have two kinds of policies
- AWS Managed Policies: Policies written by AWS which are available for usage in all AWS Accounts
- Customer Managed Policies: These are created and maintained by Customers.
Lets create a user to access console
- Navigate to IAM
- Dont give any policies
- Lets login, Navigate to console in other browser or incognito Refer Here
- Root user has access to every thing
- The user tony stark doesnot have authorization.
- Now lets try to give tonystark some permissions by attaching policies
- Create two IAM users (dev1, dev2) and attach both of them to AmazonEC2FullAccess Policy.
- Create two IAM users (test1, test2) and attach both of them to AmazonEC2ReadOnlyAccess Policy.
- Login with all the four credentails and verify the access.
- Create two user groups developers with AmazonEC2FullAccess policy and testers with AmazonEC2ReadOnlyAccess
- This approach is useful for giving access based on user roles in your organization
- Best Practice is to
- Give common permissions at group level
- Specific permissions at user level
- AWS Policies either allow or deny access.