IAM
Groups
- Groups can only contain users, not other groups
User Permissions
- Permission Boundaries can be set for a user account. They control the maximum permissions for the user. This can be helpful to delegate permission management to other users.
- Permissions can be granted to a user account by attaching a policy directly to the user or by adding the user to a group that has policies attached
- You can create an access key for a user that can be used to access AWS APIs via the CLI, an Application, third party service, etc.
- Permission policies are defined in JSON documents known as IAM policies:
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": "ec2:*",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": { "ec2:Region": "us-east-2" }
        }
      }
    ]
  }
- Modifying custom IAM policies creates a new version of that policy
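A simplified policy evaluator, added here as a study aid (not AWS code): it checks one request against the policy above and, optionally, a permission boundary, so you can see how the Condition block, implicit deny, explicit deny and the boundary intersection combine. The boundary policy, the helper names and the request context values are constructed assumptions; real IAM evaluation has further rules (case-insensitive action matching, resource policies, SCPs, session policies) that are not modelled.

```python
import fnmatch
import json

# Constructed sample: the policy from the notes above, allowing every EC2 action only in us-east-2.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:*", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ec2:Region": "us-east-2"}}}
  ]
}""")

# Constructed permission boundary (assumption): caps the user at read-only EC2 Describe* calls.
BOUNDARY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only StringEquals is modelled; a key missing from the request context fails the condition.
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def evaluate_policy(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'Implicit' (no matching statement) for a single policy."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        decision = "Allow"
    return decision

def is_allowed(action, resource, context, identity=IDENTITY_POLICY, boundary=None):
    """Effective permission: the identity policy and the boundary (if set) must both allow."""
    decisions = [evaluate_policy(identity, action, resource, context)]
    if boundary is not None:
        decisions.append(evaluate_policy(boundary, action, resource, context))
    return all(d == "Allow" for d in decisions)
```

With the boundary applied, ec2:RunInstances is refused even though the identity policy allows it, which is exactly the cap a delegated administrator cannot exceed.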
Password Policy
- You can define a password policy in IAM
- Typical password policy settings
MFA
- MFA Device Options
  - Virtual MFA Device
    - Google Authenticator
    - Authy
  - Universal 2nd Factor (U2F) Security Key
    - YubiKey
  - Hardware Key Fob
    - Provided by Gemalto (3rd party)
  - Hardware Device for AWS GovCloud
    - Provided by SurePassID
Roles
- Used to grant permissions to an AWS service rather than to a person
- For example, give an EC2 instance access to an S3 bucket
Security Tools in IAM
- Credential Report: Generates a CSV file that contains details about every user account in the AWS account and the status of its credentials
- Security Access Advisor: Accessible from an individual user or role in IAM. Shows which AWS services that identity has accessed and when, so permissions it does not use can be removed.