AWS IAM
- Groups can logically organize users.
- AWS IAM policies can be attached to
  - user
  - group
Points to remember
- AWS IAM computes effective permissions by combining the policies attached at the group level and at the user level.
- When they are combined and there is a conflict between Allow and Deny, Deny always wins.
Scenarios
- Allow S3 at group level and Deny S3 at user level: the effective permission is Deny S3.
- Allow S3 at group level and Allow EC2 at user level: the effective permission is Allow S3 and Allow EC2 (the two allows combine).
How does an AWS policy look and what does it contain?
- An AWS policy is a collection of rules, referred to as statements, each of which has
  - which resource it applies to
  - an effect (Allow or Deny)
  - actions (what can be done on the resource)
- How do I know which actions exist for each resource in AWS? Refer Here for the documentation of Actions, Resources and Condition Keys.
- A user has a default deny for all resources and actions. Access is granted only to whatever is allowed by the effective policies attached.
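The evaluation rules above (default deny, explicit Deny beats Allow, allows from group and user combine) and the two scenarios in the notes, shown as an added worked example; this is not code from the notes or from AWS. The three policy documents are constructed samples, the bucket ARN is a placeholder, and the evaluator is deliberately simplified (no Condition, NotAction/NotResource, resource-based policies, permission boundaries or SCPs). The return values reuse the decision names the IAM policy simulator reports.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies for the two scenarios in the notes (not real account data).
GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "GroupAllowsS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

USER_POLICY_DENY_S3 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UserDeniesS3", "Effect": "Deny", "Action": "s3:*", "Resource": "*"}
  ]
}
""")

USER_POLICY_ALLOW_EC2 = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "UserAllowsEC2Read", "Effect": "Allow",
     "Action": ["ec2:Describe*"], "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, arn):
    # Resource ARNs match case-sensitively with the same wildcards.
    return any(fnmatchcase(arn, p) for p in _as_list(patterns))


def evaluate(policies, action, resource_arn):
    """Decide one request against the union of identity policies.

    Simplified logic: start from implicit deny; an explicit Deny in any matching
    statement wins outright; otherwise a matching Allow grants access.
    """
    allowed = False
    for policy in policies:
        for statement in policy["Statement"]:
            if "Action" not in statement or "Resource" not in statement:
                continue  # NotAction / NotResource forms are out of scope here
            if not (_action_matches(statement["Action"], action)
                    and _resource_matches(statement["Resource"], resource_arn)):
                continue
            if statement["Effect"] == "Deny":
                return "explicitDeny"  # deny always wins, regardless of order
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def run_scenarios():
    """Scenario 1: group allows S3, user denies S3. Scenario 2: group allows S3, user allows EC2."""
    bucket_obj = "arn:aws:s3:::example-bucket/report.csv"  # constructed placeholder ARN
    return {
        "scenario1_s3": evaluate([GROUP_POLICY, USER_POLICY_DENY_S3], "s3:GetObject", bucket_obj),
        "scenario2_s3": evaluate([GROUP_POLICY, USER_POLICY_ALLOW_EC2], "s3:GetObject", bucket_obj),
        "scenario2_ec2": evaluate([GROUP_POLICY, USER_POLICY_ALLOW_EC2], "ec2:DescribeInstances", "*"),
        "scenario2_iam": evaluate([GROUP_POLICY, USER_POLICY_ALLOW_EC2], "iam:CreateUser", "*"),
    }


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name}: {decision}")
```

Scenario 1 yields explicitDeny even though the group policy allows S3, scenario 2 yields allowed for both S3 and EC2, and an action no statement mentions (iam:CreateUser) falls through to implicitDeny, which is the default-deny behaviour described above.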
Amazon Resource Name (ARN)
- For any resource created in any AWS account, the ARN is its unique identifier.
- An ARN can be worked out from a documented pattern for each service.
Way of Working
- Find the resource and work out its ARN
- Figure out the actions
- Sometimes we need conditions
- Write the JSON and test it with the IAM policy simulator. Refer Here
