IAM
1. Users & Groups
IAM = Identity and Access Management, Global Service
Root account created by default, shouldn’t be used or shared
Users are people within your organization, can be grouped
Groups only contain users, not other groups
Users don’t have to belong to a group (a user can be given an inline policy directly), and a user can belong to multiple groups
Users and Groups can be assigned JSON documents called policies which define their permissions
Least Privilege Principle: don’t give more permissions than a user needs
2. Policies & IAM Roles
Policy Structure:
Version: policy language version, always include “2012-10-17” (the current version; leaving it out falls back to the old 2008-10-17 grammar, which does not support policy variables)
Id: an identifier for the policy (optional)
Statement: one or more individual statements (required)
Sid: an identifier for the statement (optional)
Effect: whether the statement allows or denies access (Allow, Deny)
Principal: account/user/role the statement applies to; only present in resource-based policies (S3 bucket policies, role trust policies), identity-based policies attached to users/groups/roles omit it
Action: list of actions this statement allows or denies (e.g. s3:GetObject, wildcards allowed)
Resource: list of resources (ARNs) the actions apply to
Tools: AWS Policy Generator (builds the policy JSON), AWS Policy Simulator (tests which actions a policy allows or denies before it is attached)
IAM Roles: assign permissions to AWS services (e.g. an EC2 instance, a Lambda function) with IAM Roles instead of embedding a user’s access keys in the service
IAM Security Tools:
IAM Credentials Report (account level): list all your account’s users and the status of their various credentials
IAM Access Advisor (user level): shows the service permissions granted to a user and when those services were last accessed
3. AWS EC2 Instance Metadata
URL = “http://169.254.169.254/latest/meta-data/”
can retrieve the IAM Role name (and the temporary credentials of that role, under iam/security-credentials/) from the metadata, but cannot retrieve the IAM policy attached to the role
Metadata = info about the EC2 instance (instance id, AMI, network settings, IAM role, ...)
Userdata = launch script of the EC2 instance
Caveat: anything that can make HTTP requests from the instance (including an SSRF bug in an application running on it) can read those credentials, so enforce IMDSv2 (token required) on the instance
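The metadata walk described above, as an added example that is not part of these notes or of any AWS SDK: it does the IMDSv2 token handshake (PUT a token request, then send the token on every GET), reads the role name and its temporary credentials, and shows why a GET without the token is refused. The network transport is swappable, and the FakeIMDS class, the role name WebServerRole and every key value in it are constructed so the code runs offline; on a real instance the default transport talks to 169.254.169.254.

```python
"""IMDSv2 example: fetch the instance role name and its temporary credentials.
Added example; the only real endpoints used are /latest/api/token and
/latest/meta-data/iam/security-credentials/. FakeIMDS and all key values are
constructed stand-ins so this runs outside EC2."""
import json
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"


def http(method, path, headers=None, timeout=2):
    """Minimal real transport: returns the response body as text.
    Only reachable from inside an instance; replace it with a fake elsewhere."""
    req = urllib.request.Request(IMDS + path, method=method, headers=headers or {})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def instance_role_credentials(transport=http, ttl=60):
    """IMDSv2 flow. A session token must first be obtained with a PUT; every
    later GET must carry it. Plain GETs with no header are what IMDSv1 allowed
    and what a typical SSRF bug (attacker controls the URL, not the method or
    headers) can reach. Returns (role_name, credentials dict)."""
    token = transport("PUT", "/latest/api/token", {TOKEN_TTL_HEADER: str(ttl)})
    auth = {TOKEN_HEADER: token}
    base = "/latest/meta-data/iam/security-credentials/"
    role = transport("GET", base, auth).strip()          # role name only, no policy
    creds = json.loads(transport("GET", base + role, auth))
    return role, creds


def redact(creds):
    """The part of the credential document that is safe to log."""
    return {"AccessKeyId": creds["AccessKeyId"], "Expiration": creds["Expiration"]}


class FakeIMDS:
    """Constructed stand-in for the metadata service with IMDSv2 enforced:
    no valid token header means no metadata (a real instance answers 401)."""

    def __init__(self, role="WebServerRole"):
        self.role = role
        self.token = "AQAAA-constructed-token"

    def __call__(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            return self.token
        if headers.get(TOKEN_HEADER) != self.token:
            raise PermissionError("401 Unauthorized: IMDSv2 token required")
        base = "/latest/meta-data/iam/security-credentials/"
        if path == base:
            return self.role + "\n"
        if path == base + self.role:
            return json.dumps({
                "Code": "Success", "Type": "AWS-HMAC",
                "AccessKeyId": "ASIAEXAMPLE000000000",     # constructed, not a real key
                "SecretAccessKey": "constructed-secret",
                "Token": "constructed-session-token",
                "Expiration": "2030-01-01T00:00:00Z",
            })
        raise FileNotFoundError("404 " + path)


if __name__ == "__main__":
    role, creds = instance_role_credentials(FakeIMDS())
    print(role, redact(creds))
```

Run on a real instance by calling `instance_role_credentials()` with the default transport; if the instance is configured with IMDSv2 required (`HttpTokens=required`), the same GET without the token header fails, which is the property that blunts credential theft through SSRF.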
4. Security Token Service (STS)
issues temporary credentials (access key id, secret access key, session token) that expire, granting limited and time-bound access to AWS resources
AssumeRole:
within your own account: for enhanced security (e.g. a role with elevated permissions that can only be assumed with MFA, instead of attaching those permissions to the user permanently)
cross account access: assume a role in the target account to perform actions there (the target role’s trust policy must name your principal, and your own policy must allow sts:AssumeRole on that role)
AssumeRoleWithSAML: return credentials for users logged in with SAML
AssumeRoleWithWebIdentity: return credentials for users logged in with a web identity provider (Facebook Login, Google Login, ...); AWS recommends using Cognito instead of calling this directly
GetSessionToken: for MFA, from an IAM user or the AWS account root user
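The policy structure from section 2 and the cross-account AssumeRole from section 4, worked as one added Python example that is not part of these notes or of any AWS library. It evaluates identity-based policies the way IAM does for a single request (implicit deny, explicit Deny beats Allow, `*`/`?` wildcards, case-insensitive action names) and then checks both halves of a cross-account AssumeRole: the caller’s own policy must allow sts:AssumeRole on the role ARN, and the role’s trust policy (the resource-based policy that carries a Principal) must name the caller, here with an MFA condition. The account ids, user and role names are constructed; the evaluator is deliberately simplified (no NotAction/NotResource, no condition operator other than Bool, no permission boundaries or SCPs, Principal matched by exact ARN).

```python
"""Simplified IAM policy evaluation plus a two-sided AssumeRole check.
Added example with constructed account ids and names; not AWS code."""
from fnmatch import fnmatchcase


def _as_list(value):
    """Policy JSON lets Action/Resource/Principal be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive=False):
    """IAM wildcard matching ('*' and '?'). Action names are case-insensitive,
    resource ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource):
    actions_ok = any(_matches(p, action, True) for p in _as_list(stmt.get("Action")))
    resources_ok = any(_matches(p, resource) for p in _as_list(stmt.get("Resource")))
    return actions_ok and resources_ok


def is_allowed(policies, action, resource):
    """Identity-based evaluation for one request: implicit deny unless some
    statement allows; a matching explicit Deny always wins."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def can_assume_role(caller_arn, caller_policies, role_arn, trust_policy, context):
    """Cross-account AssumeRole needs both halves: the caller's policy must
    allow sts:AssumeRole on the role, and the role's trust policy must name
    the caller and have its conditions met by the request context."""
    if not is_allowed(caller_policies, "sts:AssumeRole", role_arn):
        return False
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt["Effect"] != "Allow":
            continue
        principal = stmt.get("Principal")
        trusted = principal == "*" or caller_arn in _as_list((principal or {}).get("AWS"))
        action_ok = any(_matches(a, "sts:AssumeRole", True) for a in _as_list(stmt.get("Action")))
        # Only the Bool operator is modelled, enough for the MFA condition below.
        bools = stmt.get("Condition", {}).get("Bool", {})
        conditions_ok = all(str(context.get(k, "false")).lower() == v.lower() for k, v in bools.items())
        if trusted and action_ok and conditions_ok:
            return True
    return False


# Constructed sample: identity policy attached to user alice in account 111111111111.
ALICE_ARN = "arn:aws:iam::111111111111:user/alice"
BOB_ARN = "arn:aws:iam::111111111111:user/bob"
AUDIT_ROLE_ARN = "arn:aws:iam::222222222222:role/AuditReadOnly"
ALICE_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "NeverReadSecrets", "Effect": "Deny",
         "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/secrets/*"},
        {"Sid": "AssumeAuditRole", "Effect": "Allow",
         "Action": "sts:AssumeRole",
         "Resource": AUDIT_ROLE_ARN},
    ],
}]

# Constructed sample: trust policy on role AuditReadOnly in account 222222222222.
AUDIT_ROLE_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ALICE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

if __name__ == "__main__":
    print(is_allowed(ALICE_POLICIES, "s3:GetObject", "arn:aws:s3:::example-reports/q1.csv"))
    print(is_allowed(ALICE_POLICIES, "s3:GetObject", "arn:aws:s3:::example-reports/secrets/key.pem"))
    print(can_assume_role(ALICE_ARN, ALICE_POLICIES, AUDIT_ROLE_ARN, AUDIT_ROLE_TRUST, {}))
    print(can_assume_role(ALICE_ARN, ALICE_POLICIES, AUDIT_ROLE_ARN, AUDIT_ROLE_TRUST,
                          {"aws:MultiFactorAuthPresent": "true"}))
```

The explicit Deny on secrets/* is what makes the least-privilege policy robust: a later, broader Allow added to the user or one of their groups cannot reopen that prefix. The AssumeRole check mirrors the real cross-account rule that both the caller’s policy and the target role’s trust policy must agree; removing either side, or calling without MFA in the request context, is refused.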