AWS学习笔记（四）：IAM (Identity and Access Management)

IAM: Users & Groups

• Global service
• Root account created by default, shouldn’t be used or shared
• Users are people within your organization, and can be grouped
• Groups only contain users, not other groups
• Users don’t have to belong to a group, and user can belong to multiple groups

IAM: Permissions

• Users or Groups can be assigned JSON documents called policies
• These policies define the permissions of the users
• In AWS you apply the least privilege principle: don't give more permissions than a user needs

IAM Policies Structure

Version: policy language version, always include "2012-10-17"
Id: an identifier for the policy (optional)
Statement: one or more individual statements (required)

• Sid: an identifier for the statement (optional)
• Effect: whether the statement allows or denies access (Allow, Deny)
• Principal: account/user/role to which this policy applied to
• Action: list of actions this policy allows or denies
• Resource: list of resources to which the actions applied to
• Condition: conditions for when this policy is in effect (optional)

使用标签控制对 IAM 用户和角色的访问以及他们进行的访问

How can users access AWS ?

• AWS Management Console (protected by password + MFA)
• AWS Command Line Interface (CLI): protected by access keys (is built on AWS SDK for Python)
• AWS Software Developer Kit (SDK) - for code: protected by access keys

IAM Roles for Services

IAM Security Tools

IAM Credentials Report (account-level):

• a report that lists all your account's users and the status of their various credentials

IAM Access Advisor (user-level):

• Access advisor shows the service permissions granted to a user and when those services were last accessed
• You can use this information to revise your policies

IAM Guidelines & Best Practices

• Don’t use the root account except for AWS account setup
• One physical user = One AWS user
• Assign users to groups and assign permissions to groups
• Create a strong password policy
• Use and enforce the use of Multi Factor Authentication (MFA)
• Create and use Roles for giving permissions to AWS services
• Use Access Keys for Programmatic Access (CLI / SDK)
• Audit permissions of your account with the IAM Credentials Report
• Never share IAM users & Access Keys

Shared Responsibility Model for IAM