IAM Users and Groups

Principals and IAM identities

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301363

🔧 Principal = an unidentified entity trying to access AWS
- A Principal can be a person, an app, a computer, a service, or a group of any of those
Process to access AWS resources and actions:
1. AUTHENTICATION: Principal authenticates against an IAM identity → Principal proves to AWS that it is indeed the identity it claims to be
  - IAM users authenticate with long-term credentials (username + password, or access keys)
  - IAM roles authenticate with short-term credentials (generated by Amazon STS or Secure Token Service)
  - After authentication process is complete, the Principal is now an authenticated identity → AWS knows which policies apply to that identity
2. AUTHORIZATION: an authenticated identity can only perform authorized actions
  - Authorized actions are determined in the statements of policies that apply or are attached to the authenticated identity
  - AWS merges all policies that apply to a Principal into a set of permissions

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301363

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301364

🔧 IAM identity with long-term credentials
- Use for e.g. humans, apps or service accounts
- 💡 If you can picture ONE THING (one single, named thing) to act as principal → 99% of the time it will be an IAM user
‼️ Hard limit of 5000 IAM users per account → impacts design of solution
- 💡 If you have a mobile app with a million users, can't map each mobile user with an IAM user! Must design in a different way, e.g. with IAM roles or identity federation!

Ref: https://learn.cantrill.io/courses/1820301/lectures/41301365

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301366

🔧 A container of IAM users
- Facilitates management/administration of those users
  - An IAM policy attached to an IAM group will apply to ALL users in that group
  - Updating a policy in a group will automatically update it to all its users