Authorizing IAM users in AWS
- AWS has policies which define permissions. A user can be attached to one or more policies.
- The user effectively gets the permissions defined in those policies.
- AWS IAM policies are of two types:
  - AWS Managed Policies:
    - Predefined by AWS
    - Generally operate at service level
  - Customer Managed Policies

- AWS Managed Policies example: give a user EC2 read-only access and S3 full access.
- To understand how policies work, start with the terms below.

Terms

- Principal: an entity accessing AWS.
- Resource: an AWS resource (EC2 instance, S3 bucket, ...). This can be anything that can be created or used in AWS. Every resource in AWS has a unique name called an Amazon Resource Name (ARN).
- Action: an operation that can be performed on a Resource.
- IAM Policy Grammar: defines permissions in terms of
  - who (the principal)
  - effect: Allow or Deny
  - which actions on which resources
- The default effect is Deny. When effects conflict (an Allow and a Deny both apply to the same request), Deny always wins.
- Least Privilege Principle: grant exactly the permissions required to perform a job, nothing less and nothing more.
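An added example (not part of the original notes) that puts the terms above to work: a constructed policy granting EC2 read-only and S3 full access, plus a small Python evaluator implementing the default-Deny and Deny-wins rules for an identity policy. It assumes plain identity-based statements with Action and Resource only (no Condition blocks, no resource policies, SCPs or permission boundaries, which real IAM evaluation also considers); the bucket name and account id are placeholders.

```python
import fnmatch
import json

# Constructed example policy (not a real AWS managed policy document): EC2
# read-only plus S3 full access, with one explicit Deny added to show that
# Deny beats Allow. The bucket name is a placeholder.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::example-prod-logs"}
  ]
}
""")

def _as_list(value):
    """IAM accepts either a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    """Action names match case-insensitively and may contain '*' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _resource_matches(patterns, arn):
    """Resource ARNs match case-sensitively, also with '*' wildcards."""
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))

def is_allowed(policy, action, arn):
    """Simplified identity-policy evaluation for one request: start from the
    default effect (Deny); a matching Deny statement ends evaluation at once,
    a matching Allow only counts if no Deny matches anywhere in the policy."""
    allowed = False
    for stmt in policy["Statement"]:
        if _action_matches(stmt["Action"], action) and _resource_matches(stmt["Resource"], arn):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"  # placeholder account/instance
    print(is_allowed(POLICY, "ec2:DescribeInstances", inst))   # True: Allow matches
    print(is_allowed(POLICY, "ec2:TerminateInstances", inst))  # False: nothing matches, default Deny
    print(is_allowed(POLICY, "s3:DeleteBucket", "arn:aws:s3:::example-prod-logs"))  # False: explicit Deny
```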
Principals
- In AWS we have the following principals:
  - IAM User
  - IAM Role: a role is an AWS service/resource trying to access another AWS service/resource.
  - External identities: users from Active Directory (SAML) or users from Google or Facebook (OIDC)
  - Applications
JSON
- IAM policies are written in JSON format.
- JSON is a collection of name/value pairs.
- Basic name/value pair syntax: "<name>": <value>
- Types of values:
  - text
  - number
  - boolean
  - list
  - object/map
