IAM User, Group & Policy
IAM User & Group
- An IAM user represents a person or application in your organization that interacts with the AWS console, CLI or APIs.
- Creating an AWS account also creates the account root user, which has unrestricted access to everything in the account. Do not share its credentials or use it for day-to-day work; protect it with MFA and keep it for the few tasks that require it.
- We can create a user and attach permissions directly to it.
- A group is a collection of IAM users; membership is managed as a simple list of users.
- A user can belong to multiple groups, but groups cannot be nested inside other groups.
- Permissions are granted to a group by attaching policies to it. This makes it easier to manage permissions for a set of users in one place rather than for each individual user.
- An IAM user can hold any combination of credentials: a console password (optionally protected by an MFA device), access keys for programmatic access, SSH public keys (used for AWS CodeCommit), and legacy X.509 signing certificates.
- An access key can be deactivated and reactivated individually, and a user can hold at most two at a time, which allows keys to be rotated without downtime.
- Users, like all IAM entities, are global; no region is specified when you create one.
IAM Policy
- A policy is an object in AWS that, when attached to an identity or a resource, defines its permissions.
- A newly created IAM user has no permissions at all: everything is implicitly denied until a policy explicitly allows it.
- Types of policy
- Identity-based policies — AWS managed policies, customer managed policies and inline policies, attached to a user, group or role. Managed policies are standalone objects that can be attached to many identities; an inline policy is embedded in a single identity and is deleted with it.
- Resource-based policies — attached to a resource rather than to an identity, so they must name the Principal they apply to. The most common examples are Amazon S3 bucket policies and IAM role trust policies.
- Organizations service control policies (SCPs) — applied to the organization, an organizational unit (OU) or a member account. They set the maximum permissions available to identities in those accounts but grant nothing by themselves, and they do not affect the management account.
- Access control lists (ACLs) — similar to resource-based policies in that they grant access to principals in other accounts, but they are the only policy type that does not use the JSON policy document structure.
A JSON policy document has the following structure.
Policy consists of
- Version: policy language version; always use "2012-10-17" (the older "2008-10-17" does not support policy variables and should not be used)
- Id: an identifier for the policy (optional)
- Statement: one or more individual statements (required)
Each statement consists of
- Sid: an identifier for the statement (optional)
- Effect: whether the statement allows or denies access (Allow or Deny). An explicit Deny always overrides an Allow, and anything that no statement allows is implicitly denied.
- Principal: the account, user, role or service the statement applies to. It appears only in resource-based policies (including role trust policies); an identity-based policy has no Principal, because it applies to the identity it is attached to.
- Action: the API actions the statement allows or denies (wildcards such as s3:Get* are accepted)
- Resource: the ARNs of the resources the actions apply to
- Condition: conditions under which the statement is in effect, such as requiring MFA or a particular source IP (optional)
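The following example, added here and not part of the original notes, ties the two parts of the page together: it builds identity-based policies with the elements listed above, checks the structural rules (Version, required Statement, Principal only in resource-based policies), computes a user's effective policies as the union of the policies on the user and on every group it belongs to, and evaluates a request with the explicit-deny / allow / implicit-deny rule. The bucket name, user and group names and the policies are constructed for illustration; the evaluator is a deliberate simplification (only Action, Resource and the StringEquals and Bool condition operators are modelled, with no NotAction, SCPs or permissions boundaries).

```python
"""Build, validate and evaluate IAM-style JSON policy documents offline.

Added example (standard library only): the policies, users and groups below
are constructed for illustration and do not come from any real AWS account.
"""
import fnmatch
import json

POLICY_VERSION = "2012-10-17"  # the current policy language version


def _as_list(value):
    """Most policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def validate_policy(policy, resource_based=False):
    """Check the structural rules from the element list above; raise ValueError if broken."""
    if policy.get("Version") != POLICY_VERSION:
        raise ValueError("Version must be %s" % POLICY_VERSION)
    statements = _as_list(policy.get("Statement") or [])
    if not statements:
        raise ValueError("Statement is required")
    for st in statements:
        if st.get("Effect") not in ("Allow", "Deny"):
            raise ValueError("Effect must be Allow or Deny")
        if "Action" not in st or "Resource" not in st:
            raise ValueError("Action and Resource are required (NotAction/NotResource not modelled)")
        # Principal is required in a resource-based policy and forbidden in an identity-based one.
        if ("Principal" in st) != resource_based:
            raise ValueError("Principal belongs only in resource-based policies")
    return True


def _matches(patterns, value, case_insensitive=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_holds(condition, context):
    """Minimal Condition support: StringEquals and Bool only (a simplification)."""
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "Bool"):
            raise NotImplementedError("condition operator %s not modelled" % operator)
        for key, expected in pairs.items():
            if key not in context:  # a missing context key means the condition is not met
                return False
            actual, wanted = str(context[key]), [str(e) for e in _as_list(expected)]
            if operator == "Bool":
                actual, wanted = actual.lower(), [w.lower() for w in wanted]
            if actual not in wanted:
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """Identity-policy evaluation: an explicit Deny beats any Allow; no Allow means implicit deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for st in _as_list(policy["Statement"]):
            if not _matches(st["Action"], action, case_insensitive=True):  # actions are case-insensitive
                continue
            if not _matches(st["Resource"], resource) or not _condition_holds(st.get("Condition"), context):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# --- constructed sample: one group policy and one user inline policy -----------------------
BUCKET = "arn:aws:s3:::example-app-bucket"  # hypothetical bucket

DEVELOPER_POLICY = {
    "Version": POLICY_VERSION,
    "Id": "developer-app-bucket",
    "Statement": [
        {"Sid": "ListBuckets", "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
        {"Sid": "UseAppBucket", "Effect": "Allow",
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        # In a real policy use BoolIfExists here: the key is absent for long-term credentials.
        {"Sid": "DenyDeleteWithoutMFA", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": BUCKET + "/*", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
ALICE_INLINE_POLICY = {  # an inline (user-level) policy; Statement given as a single object
    "Version": POLICY_VERSION,
    "Statement": {"Sid": "NoSecrets", "Effect": "Deny", "Action": "s3:GetObject",
                  "Resource": BUCKET + "/secrets/*"},
}
GROUP_POLICIES = {"developers": [DEVELOPER_POLICY]}
USER_POLICIES = {"alice": [ALICE_INLINE_POLICY]}
USER_GROUPS = {"alice": ["developers"], "bob": ["developers"], "carol": []}


def policies_for_user(user):
    """A user's effective policies: those attached directly plus those of every group it is in."""
    policies = list(USER_POLICIES.get(user, []))
    for group in USER_GROUPS.get(user, []):
        policies.extend(GROUP_POLICIES.get(group, []))
    return policies


def user_can(user, action, resource, context=None):
    return is_allowed(policies_for_user(user), action, resource, context)


if __name__ == "__main__":
    validate_policy(DEVELOPER_POLICY)
    print(json.dumps(DEVELOPER_POLICY, indent=2))
    print(user_can("bob", "s3:GetObject", BUCKET + "/secrets/db.env"))    # True (group allow)
    print(user_can("alice", "s3:GetObject", BUCKET + "/secrets/db.env"))  # False (user-level explicit deny)
```

Because policies from the user and from all of its groups are simply pooled before evaluation, a Deny attached to the user cannot be "undone" by an Allow in a group, and vice versa; that is the behaviour to rely on when using group policies for broad grants and narrow inline denies for exceptions.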