Principals and IAM identities
Ref: https://learn.cantrill.io/courses/1820301/lectures/41301363
- 🔧 Principal = a person or application that wants to access AWS and has NOT yet been authenticated (so AWS does not know who it is yet)
- A Principal can be a person, an app, a computer, a service, or a group of any of those
- Process to access AWS resources and actions:
- AUTHENTICATION: Principal authenticates against an IAM identity → Principal proves to AWS that it is indeed the identity it claims to be
- IAM users authenticate with long-term credentials (username + password for the console, or access key ID + secret access key for the CLI/API)
- IAM roles are assumed and hand out short-term (temporary) credentials generated by AWS STS (Security Token Service)
- After authentication is complete, the Principal is now an authenticated identity → AWS knows which policies apply to that identity
- AUTHORIZATION: an authenticated identity can only perform authorized actions
- Authorized actions are determined by the statements of the policies that apply to or are attached to the authenticated identity
- AWS merges all policies that apply to the identity into one set of permissions; anything not explicitly allowed is denied (implicit deny), and an explicit Deny in any policy overrides every Allow
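The merge-and-evaluate step above, worked through in code. This is an added example (not course material or anything from AWS): a deliberately simplified evaluator that collects every identity-based policy applying to an IAM user (its own plus those of its groups) and decides one request with the real ordering of implicit deny, explicit deny, allow. The account ID, user and group names, and policy documents are constructed; Condition blocks, NotAction/NotResource, SCPs, permission boundaries, session policies and resource policies are not modelled.

```python
"""Simplified IAM identity-policy evaluation (added example, not course material).

Merges every identity-based policy that applies to an authenticated IAM user
(policies on the user itself plus policies on each group it belongs to) and
evaluates one request with the real IAM ordering:
  1. nothing matches              -> implicit deny (the default)
  2. any matching Deny            -> explicit deny, overrides every Allow
  3. otherwise any matching Allow -> allow
Not modelled (simplification): Condition, NotAction/NotResource, SCPs,
permission boundaries, session policies, resource policies.
All account IDs, names and policy documents below are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """Action/Resource may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource_arn):
    # Resource ARNs are matched as written (case-sensitive), same wildcards.
    return any(fnmatchcase(resource_arn, p) for p in _as_list(patterns))


def policies_for_user(user, users, groups):
    """Collect the policies that apply to `user`: its own plus each group's."""
    docs = list(users[user]["policies"])
    for group_name in users[user]["groups"]:
        docs.extend(groups[group_name]["policies"])
    return docs


def evaluate(policy_docs, action, resource_arn):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for doc in policy_docs:
        for stmt in _as_list(doc["Statement"]):
            if "NotAction" in stmt or "NotResource" in stmt:
                raise NotImplementedError("NotAction/NotResource not modelled here")
            if not _action_matches(stmt["Action"], action):
                continue
            if not _resource_matches(stmt["Resource"], resource_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # a matching Deny wins regardless of Allows
            decision = "Allow"
    return decision


# --- constructed sample account: one group policy, one per-user restriction ---
DEVELOPERS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::team-artifacts", "arn:aws:s3:::team-artifacts/*"],
    }],
}
CONTRACTOR_RESTRICTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::team-artifacts/secrets/*",
    }],
}
GROUPS = {"Developers": {"policies": [DEVELOPERS_POLICY]}}
USERS = {
    "alice": {"groups": ["Developers"], "policies": []},
    "bob":   {"groups": ["Developers"], "policies": [CONTRACTOR_RESTRICTION]},
    "carol": {"groups": [], "policies": []},   # no policies at all
}


def authorize(user, action, resource_arn):
    """Authorization decision for one IAM user in the constructed account."""
    return evaluate(policies_for_user(user, USERS, GROUPS), action, resource_arn)


if __name__ == "__main__":
    for user, action, res in [
        ("alice", "s3:GetObject", "arn:aws:s3:::team-artifacts/build/app.zip"),
        ("bob",   "s3:GetObject", "arn:aws:s3:::team-artifacts/secrets/key.pem"),
        ("bob",   "s3:GetObject", "arn:aws:s3:::team-artifacts/build/app.zip"),
        ("carol", "s3:GetObject", "arn:aws:s3:::team-artifacts/build/app.zip"),
        ("alice", "s3:PutObject", "arn:aws:s3:::team-artifacts/build/app.zip"),
    ]:
        print(f"{user:6} {action:13} {res:48} -> {authorize(user, action, res)}")
```

bob gets the group's Allow and his own Deny for the same object; the Deny wins even though it sits in a different policy document. carol has nothing attached, so she is denied without any Deny statement existing, which is the implicit deny.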
IAM User
Ref: https://learn.cantrill.io/courses/1820301/lectures/41301363
DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301364
- 🔧 IAM identity with long-term credentials
- Use for e.g. humans, apps or service accounts
- 💡 If you can picture ONE THING (one single, named thing) to act as principal → 99% of the time it will be an IAM user

- ‼️ Hard limit of 5000 IAM users per account (cannot be raised) → impacts the design of a solution
- 💡 If you have a mobile app with a million users, you can't map each mobile user to an IAM user! Must design it differently, e.g. with IAM roles and identity federation!
IAM Group
Ref: https://learn.cantrill.io/courses/1820301/lectures/41301365
DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301366
- 🔧 A container of IAM users
- Facilitates management/administration of those users
- An IAM policy attached to an IAM group applies to ALL users in that group
- Updating a policy attached to a group automatically changes the permissions of every member
- ‼️ NOT a Principal!!! → don't expect more of it than user management (a group can't contain other groups either)
- ❗ An IAM group has no credentials! → you can't log in to AWS as an IAM group
- ❗ Can NOT be referenced as a Principal in resource policies (e.g. S3 bucket policies)! → to give a group's members access to a bucket, attach an identity policy to the group instead
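A small lint for the last point, as an added example (not course material and not an AWS tool): it walks the Principal element of a resource-based policy in S3 bucket-policy shape and flags an IAM group ARN, which AWS itself rejects as a malformed policy. Only the "AWS" principal key is checked; "Service", "Federated" and "CanonicalUser" principals are ignored (a simplification). The account ID, names and the bucket policy are constructed.

```python
"""Lint the Principal element of a resource-based policy (added example).

Enforces the point above: an IAM group is not a principal, so a group ARN in a
bucket policy is invalid and AWS rejects the policy as malformed. Only the "AWS"
principal key is checked; Service/Federated/CanonicalUser are passed through
unchecked (simplification). Account ID, names and the policy are constructed.
"""
import re

# Values a resource policy accepts under the "AWS" principal key (aws partition):
# a 12-digit account ID, or an IAM/STS ARN for root, a user, a role, an
# assumed-role session or a federated user. There is no "group/" form.
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_PRINCIPAL_ARN = re.compile(
    r"^arn:aws:(?:iam::\d{12}:(?:root|user/.+|role/.+)"
    r"|sts::\d{12}:(?:assumed-role/.+|federated-user/.+))$"
)


def _as_list(value):
    """Principal values may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def check_principal(statement):
    """Return a list of (level, message) findings for one statement's Principal."""
    findings = []
    principal = statement.get("Principal")
    if principal is None:
        return [("ERROR", "resource policy statement has no Principal")]
    if principal == "*":
        return [("WARN", "Principal '*' grants anonymous (public) access")]
    if not isinstance(principal, dict):
        return [("ERROR", f"unexpected Principal form: {principal!r}")]
    for value in _as_list(principal.get("AWS", [])):
        if value == "*":
            findings.append(("WARN", '"AWS": "*" grants anonymous (public) access'))
        elif _ACCOUNT_ID.match(value) or _PRINCIPAL_ARN.match(value):
            continue   # valid: whole account, or a root/user/role/session ARN
        elif ":group/" in value:
            findings.append(("ERROR", f"IAM group is not a principal: {value}"))
        else:
            findings.append(("ERROR", f"unrecognised principal: {value}"))
    return findings


def lint_policy(policy):
    """Map statement Sid (or index) -> findings, for statements that have any."""
    report = {}
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        findings = check_principal(stmt)
        if findings:
            report[stmt.get("Sid", f"Statement[{i}]")] = findings
    return report


# --- constructed bucket policy: one good user grant, one invalid group grant ---
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowAlice", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::team-artifacts/*"},
        {"Sid": "AllowDevGroup", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:group/Developers"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::team-artifacts/*"},
        {"Sid": "AllowRoleAndAccount", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:role/ci-build",
                               "123456789012"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::team-artifacts/*"},
    ],
}


if __name__ == "__main__":
    for sid, findings in lint_policy(BUCKET_POLICY).items():
        for level, message in findings:
            print(f"{level:5} {sid}: {message}")
```

Only AllowDevGroup is reported. The fix is not to list every member's user ARN in the bucket policy; it is to attach the S3 permissions to the Developers group as an identity policy, which AWS then applies to every member (and to new members as they are added).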