Summary: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/26047854
Refresher: Intro to IAM
AWS IAM 101
IAM Identities
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20054584 and https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20054638
- Users: long-term credentials
  - Usually an IAM user is mapped to a physical person who can log in to the AWS account
- Groups: containers for IAM users
  - Facilitate management: assigning a policy to a group automatically assigns it to all members of the group
  - ‼️ IAM groups, unlike users and roles, can NOT log in to an AWS account!!
- Roles: short-term credentials
  - Usually for AWS services (e.g. EC2 instances, Lambda functions) that perform actions on your resources on your behalf → the service assumes the role, performs the action, and the temporary credentials expire
  - Can also be used to grant federated access to external users (e.g. an app user logs in with their Facebook account and can then assume a role to access resources in your account)
IAM Policy
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/26623452
- 🔧 JSON document that outlines permissions (grants/denies access to certain services and resources)
- Identity policy: attached to IAM identities (users, groups, and roles)
- Resource policy: attached to an AWS resource, allows/blocks access for certain identities
  - e.g. S3 bucket policy blocking all access except for requests coming from an IP address in a certain range
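Added example (not from the course): the IP-range bucket policy written out as a JSON-style document, plus a simplified evaluator that shows why the explicit Deny is what does the blocking. The bucket name and CIDR are placeholders, and the evaluator only models IpAddress/NotIpAddress conditions and the "explicit deny beats allow" rule; real IAM evaluation also merges identity policies, SCPs and permission boundaries.

```python
import fnmatch
import ipaddress

# Constructed example policy; bucket name and CIDR are placeholders.
OFFICE_RANGE = "203.0.113.0/24"
BUCKET_ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowFromOffice", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_ARNS,
         "Condition": {"IpAddress": {"aws:SourceIp": OFFICE_RANGE}}},
        # The Deny is what blocks everyone else: an explicit Deny beats any
        # Allow granted elsewhere (e.g. in a user's identity policy).
        {"Sid": "DenyOutsideOffice", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": BUCKET_ARNS,
         "Condition": {"NotIpAddress": {"aws:SourceIp": OFFICE_RANGE}}},
    ],
}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _ip_condition_holds(condition, source_ip):
    """Evaluate only the IpAddress / NotIpAddress operators on aws:SourceIp."""
    ip = ipaddress.ip_address(source_ip)
    for operator, keys in condition.items():
        cidrs = _as_list(keys["aws:SourceIp"])
        in_range = any(ip in ipaddress.ip_network(c) for c in cidrs)
        if (operator == "IpAddress" and not in_range) or (operator == "NotIpAddress" and in_range):
            return False
    return True


def evaluate(policy, action, resource, source_ip):
    """Simplified decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _ip_condition_holds(stmt.get("Condition", {}), source_ip):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # stop immediately: Deny always wins
        decision = "Allow"
    return decision
```

Calling `evaluate(BUCKET_POLICY, "s3:GetObject", "arn:aws:s3:::example-bucket/report.csv", ip)` returns "Allow" for an in-range IP and "ExplicitDeny" for any other, while a resource the policy does not mention falls through to "ImplicitDeny".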
Access to an AWS account
Ref: https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/20208128 and https://www.udemy.com/course/aws-certified-cloud-practitioner-new/learn/lecture/24682432