AWS IAM Roles

Study Notes

An IAM role is an IAM identity that can be assumed by anyone who needs to access AWS resources
Roles are used to delegate access to users or services that need to access AWS resources
Roles can be assumed by:
- IAM users
- AWS services (e.g. EC2, Lambda)
- External identities (e.g. Facebook, Google)
Benefits:
- Temporary security credentials are issued when a role is assumed
- No need to share long-term credentials
- Easy to manage access to AWS resources

An IAM policy is a document that defines a set of permissions
Policies are used to grant or deny access to AWS resources
Types of policies:
- Identity-based policies (attached to users, groups, or roles)
- Resource-based policies (attached to resources, e.g. S3 buckets)
- Organization-based policies (attached to an organization or organizational unit)
Policy structure:
- Version
- Statement (one or more)
- Effect (Allow or Deny)
- Action (e.g. s3:GetObject)
- Resource (e.g. arn:aws:s3:::my-bucket)

An IAM user is an entity that represents a person or service that interacts with AWS resources
Users can be created and managed in IAM
Users can be assigned:
- Access keys (long-term credentials)
- Passwords (for console access)
- MFA devices (for added security)
Users can be members of groups

An IAM group is a collection of IAM users
Groups can be used to simplify user management
Groups can be assigned policies
Benefits:
- Easier to manage large numbers of users
- Simplifies permission management

Access keys are long-term credentials used to access AWS resources
Access keys consist of:
- Access key ID (public)
- Secret access key (private)
Types of access keys:
- Root access keys (created for the root user)
- IAM user access keys (created for IAM users)
Best practices:
- Rotate access keys regularly
- Use IAM roles instead of access keys when possible
- Never share access keys

IAM roles are identities that can be assumed by users or services to access AWS resources
Roles delegate access to users or services that need to access AWS resources
Roles can be assumed by IAM users, AWS services, and external identities
Roles provide temporary security credentials, eliminating the need to share long-term credentials

IAM policies define a set of permissions for accessing AWS resources
Policies grant or deny access to AWS resources
There are three types of policies: identity-based, resource-based, and organization-based policies
Policy structure consists of version, statement, effect, action, and resource
Policies can be attached to users, groups, roles, resources, or organizations

IAM users are entities that represent people or services interacting with AWS resources
Users can be created and managed in IAM
Users can be assigned access keys, passwords, and MFA devices
Users can be members of groups

IAM groups are collections of IAM users
Groups simplify user management and permission management
Groups can be assigned policies
Benefits of using groups include easier management of large numbers of users and simplified permission management

Access keys are long-term credentials used to access AWS resources
Access keys consist of an access key ID and a secret access key
There are two types of access keys: root access keys and IAM user access keys
Best practices for access keys include rotating them regularly, using IAM roles instead of access keys when possible, and never sharing access keys