AWS Series — How to set permissions with IAM

In the cloud computing world, security is key. It is how we control which users get access to what, and the right authorization must always be maintained to protect integrity.

How do we control Permissions using IAM?

We assign permissions using policy documents, which are written in JSON (JavaScript Object Notation).

Policy Document

The figure above shows an example of a simple policy document. Let us understand what each part represents. The Statement is a set of key-value pairs with three important keys. Effect allows or denies the permissions for the user. Action lists the actions to be allowed or restricted; here it is a wildcard (*), which means we are allowing every action. Resource names the AWS resources the statement applies to, such as S3 or EC2; the wildcard here means the user is allowed to perform any operation on any resource, which amounts to an administrator role.

IAM policies can be assigned to Groups, Users and Roles

If every user had an associated policy document, it would be difficult to manage them all. So we assign the policy to a group and add the user to the group; the user inherits the permissions from the group.

What if an AWS resource needs permissions to access other resources? This is done by creating a role with certain policies and assigning it to the resource. For example, an EC2 instance trying to access an RDS database would need permissions to read from and write to the RDS resources. These permissions are defined through the role.
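As an added example (not code from the original post), here is the wildcard administrator policy described above beside a narrower policy for the EC2-to-RDS scenario, together with a small evaluator that applies IAM's basic rules (default deny, explicit Deny overrides Allow) to show which requests each policy permits. The region, account id and database name in the ARN are placeholders.

```python
import fnmatch

# Constructed examples, not from the original post.
# The wildcard administrator policy described above: every action on every resource.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A narrower policy for the EC2-to-RDS scenario. The region, the account id
# (123456789012 is the AWS documentation placeholder) and the db name are made up.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["rds:Describe*", "rds:ModifyDBInstance"],
            "Resource": "arn:aws:rds:us-east-1:123456789012:db:example-db",
        },
        # An explicit Deny wins over any Allow, even a wildcard one.
        {"Effect": "Deny", "Action": "rds:DeleteDBInstance", "Resource": "*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    """IAM-style matching: '*' matches any run of characters, '?' one character."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for identity-based policies.

    Rules modelled here: the default is Deny; a matching Allow statement grants
    access; a matching Deny statement overrides every Allow. Conditions,
    NotAction/NotResource and resource-based policies are not modelled.
    """
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(action, _as_list(stmt["Action"])) and _matches(
            resource, _as_list(stmt["Resource"])
        ):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running `is_allowed(SCOPED_POLICY, "rds:DeleteDBInstance", ...)` returns False for every resource because of the Deny statement, while the same request against ADMIN_POLICY is allowed.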

IAM works at the global level and is not specific to regions; we cannot have a user that is specific to any region.

AWS provides a number of managed policies; the orange symbol next to a policy indicates that it is an AWS-provided policy. We can also create our own policies.

If we look inside the AdministratorAccess policy, its permissions cover all the services. To see the policy document, open the policy and click on JSON.

This is all about policy documents.

AWS Identity and Access Management (IAM) is a service that allows AWS customers to manage user access and permissions for the accounts and available APIs/services within AWS. IAM can manage users, security credentials (such as API access keys), and allow users to access AWS resources.

In this lab, we discover how security policies affect IAM users and groups, and we go further by implementing our own policies while also learning what a role is, how to create a role, and how to assume a role as a different user.

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session. By the end of this lab, you will understand IAM policies and roles, and how assuming roles can assist in restricting users to specific AWS resources. AWS Documentation: [IAM roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html).

References — AcloudGuru