In the IAM service, you can manage users, groups, roles and their associated permissions within your AWS environment.

Users and groups

Root user

When you first create an AWS account, a root user is created for it. This account has complete access to all AWS services and resources, including the ability to create and manage IAM users and groups. As a best practice, the root user account should not be used for everyday work or shared; do not sign in as the root user unless you have a task that requires root user credentials.

User

The root user, or any user with administrative privileges, can create IAM users, each with unique credentials (a username and password, or access keys). IAM users can have specific permissions assigned to them.

Groups

IAM groups allow you to organise users and apply permissions to multiple users as a collection. When users are added to a group, the permissions associated with the group automatically apply to those users. A user can be a member of multiple groups.

IAM roles

Some AWS services or entities need to perform actions on your behalf; you grant them the necessary permissions by assigning IAM roles to those services.

IAM policies

An IAM policy is an object in AWS that, when associated with an identity or resource, defines its permissions. The permissions in the policy determine whether a request is allowed or denied.

JSON Policy structure

A policy is declared in a JSON document containing a policy language version (Version), an identifier for the policy (Id), and one or more individual statements (Statement).

{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::123456789012:root"]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    }
  ]
}

A statement consists of the following elements:

  • Sid (Optional): an identifier for the statement.
  • Effect: whether the statement allows or denies access (Allow or Deny).
  • Principal: the account, user or role to which this policy applies.
  • Action: the list of actions or API calls this policy allows or denies.
  • Resource: the list of resources to which the actions apply.
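To make the allow/deny decision concrete, here is an added example (not AWS code and not part of the original note) that loads a policy document and evaluates a single request against its statements. It reuses the S3 policy above and adds a constructed Deny statement so the evaluation order is visible: an explicit Deny overrides any Allow, and a request matching no statement is implicitly denied. The wildcard matching with fnmatch, the case-insensitive Action comparison and the omission of Condition, NotAction/NotResource and multiple policy types are simplifications assumed for this example.

```python
"""Minimal evaluator for one IAM policy document.

Added example, not AWS code. It models the documented evaluation order
for a single policy: an explicit Deny wins over any Allow, and a request
that matches no statement is implicitly denied. Conditions, NotAction,
NotResource, policy variables and the interaction between several policy
types are deliberately omitted (assumption: a single policy is enough to
illustrate the decision).
"""
import fnmatch
import json

# Constructed sample policy: the note's S3 policy plus one explicit Deny
# statement so that the deny-overrides-allow rule can be observed.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": ["arn:aws:s3:::mybucket/*"]
    },
    {
      "Sid": "DenyWritesToProtectedPrefix",
      "Effect": "Deny",
      "Principal": {"AWS": ["arn:aws:iam::123456789012:root"]},
      "Action": ["s3:PutObject"],
      "Resource": ["arn:aws:s3:::mybucket/protected/*"]
    }
  ]
}
'''

POLICY = json.loads(POLICY_JSON)


def _as_list(value):
    """Principal/Action/Resource may be a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, case_sensitive=True):
    """Wildcard match ('*' and '?') of candidate against any pattern.

    Resource ARNs are compared case-sensitively; action names are not.
    """
    if not case_sensitive:
        candidate = candidate.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def _principal_matches(principal, request_principal):
    """Principal is either "*" or a map such as {"AWS": [...]} / {"Service": [...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_matches(arns, request_principal) for arns in principal.values())
    return False


def evaluate(policy, principal, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _principal_matches(stmt.get("Principal", {}), principal):
            continue
        if not _matches(stmt.get("Action"), action, case_sensitive=False):
            continue
        if not _matches(stmt.get("Resource"), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"          # explicit deny ends evaluation immediately
        if stmt.get("Effect") == "Allow":
            decision = "Allow"     # provisional; a later Deny can still win
    return decision


if __name__ == "__main__":
    root = "arn:aws:iam::123456789012:root"
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::mybucket/readme.txt"),
        ("s3:PutObject", "arn:aws:s3:::mybucket/protected/secret.txt"),
        ("s3:DeleteObject", "arn:aws:s3:::mybucket/readme.txt"),
    ]:
        print(f"{act:16} {res:50} -> {evaluate(POLICY, root, act, res)}")
```

Running the script prints one line per constructed request: the read is allowed, the write under `protected/` is explicitly denied even though the first statement allows `s3:PutObject` on the whole bucket, and `s3:DeleteObject` is implicitly denied because no statement mentions it. The same evaluator can be pointed at any policy document parsed with `json.loads`, which makes it a handy way to sanity-check what a proposed policy would allow before attaching it.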


Reference - Policies and permissions in IAM - IAM Policies