AWS IAM

What is IAM?

IAM is authentication + authorisation for AWS resources: it establishes who is calling (authentication) and what that caller may do to which resource (authorisation).

Features: add users to an AWS account, organise these users into groups and assign permissions, and enable users to call AWS service APIs.

IAM Principal: an identity in the IAM system (a user, a role, or an AWS service) that can make requests.

IAM Roles: IAM principals that authenticate with temporary credentials (no long-term access keys of their own).

Use Cases For IAM Roles

IAM Users (less used): IAM principals with long-term credentials (password and/or access keys).

STS (AWS Security Token Service): produces short-term credentials for use by an IAM role; a principal assumes the role and receives a temporary access key, secret key and session token.

AWS Accounts:

IAM Policy

There are two types of policies: identity-based policies attached to a principal, and resource-based policies attached to a resource (for example an S3 bucket policy).

Example: reading an object from an S3 bucket in another account. For a cross-account request, both the caller's identity-based policy and the bucket's resource-based policy must allow the action.

Principal (identity-based) IAM policy for AWS account 123456

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}

Resource-based IAM policy (bucket policy on example-bucket, granting account 123456)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {
      "AWS": "123456"
    },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }]
}
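The following is an added example, not part of the original notes: a simplified model of how IAM decides the cross-account S3 request above. It embeds the two policies from the notes as constructed sample data (account "123456" is the value the notes use; "999999" is an assumed ID for the bucket-owning account), matches actions case-insensitively and resources case-sensitively with IAM-style "*" and "?" wildcards, and applies the evaluation order: an explicit Deny wins, a same-account request needs an Allow from either policy, and a cross-account request needs an Allow from both. Condition elements, NotAction/NotResource, permissions boundaries and SCPs are deliberately left out.

```python
import re

# Constructed sample policies mirroring the two statements in the notes above.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "123456"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' matches any run, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _principal_matches(principal, account_id):
    """Resource-policy Principal element: '*' (anyone), or {"AWS": ...} entries
    given as a bare account ID or an arn:aws:iam::ACCOUNT:... ARN."""
    if principal == "*":
        return True
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*":
            return True
        account = entry.split(":")[4] if entry.startswith("arn:aws:iam::") else entry
        if account == account_id:
            return True
    return False


def _statement_verdicts(policy, action, resource, principal_account=None):
    """Yield the Effect of every statement that matches the request.
    Principal is only present (and only checked) in resource-based policies."""
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if "Principal" in stmt and not _principal_matches(stmt["Principal"], principal_account):
            continue
        # Actions are case-insensitive; a stray space (as in "S3: GetObject") will not match.
        if not any(_glob(a, action, False) for a in _as_list(stmt.get("Action", []))):
            continue
        # Resource ARNs are case-sensitive.
        if not any(_glob(r, resource, True) for r in _as_list(stmt.get("Resource", []))):
            continue
        yield stmt["Effect"]


def evaluate(identity_policy, resource_policy, principal_account, resource_account, action, resource):
    """Return 'Allow' or 'Deny' for a request by principal_account against a
    resource owned by resource_account."""
    identity = list(_statement_verdicts(identity_policy, action, resource))
    on_resource = list(_statement_verdicts(resource_policy, action, resource, principal_account))
    # An explicit Deny in either policy overrides every Allow.
    if "Deny" in identity or "Deny" in on_resource:
        return "Deny"
    if principal_account == resource_account:
        # Same account: an Allow from either policy is sufficient.
        return "Allow" if ("Allow" in identity or "Allow" in on_resource) else "Deny"
    # Cross account: the caller's account AND the resource owner must both allow.
    return "Allow" if ("Allow" in identity and "Allow" in on_resource) else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print("cross-account, both policies:", evaluate(IDENTITY_POLICY, BUCKET_POLICY, "123456", "999999", "s3:GetObject", obj))
    print("cross-account, no bucket policy:", evaluate(IDENTITY_POLICY, None, "123456", "999999", "s3:GetObject", obj))
    print("cross-account, wrong action:", evaluate(IDENTITY_POLICY, BUCKET_POLICY, "123456", "999999", "s3:PutObject", obj))
```

Removing the bucket policy, or granting it to the wrong account, flips the cross-account verdict to an implicit Deny even though the caller's own policy still allows the action; that is the check to run when a cross-account read unexpectedly fails.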

Integration between Lambda and AWS IAM enables developers and administrators to explicitly control the data and services accessible to an application by assigning it an IAM role (the function's execution role). This approach ensures that credentials can be constrained to the minimum necessary and that they possess limited lifespans, because the role's credentials are short-term tokens issued by STS rather than long-term keys stored with the code.