{"id":1770,"date":"2019-08-07T06:56:24","date_gmt":"2019-08-07T06:56:24","guid":{"rendered":"https:\/\/www.testpreptraining.com\/tutorial\/?page_id=1770"},"modified":"2020-05-02T06:45:43","modified_gmt":"2020-05-02T06:45:43","slug":"iam-roles-and-policies","status":"publish","type":"page","link":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/","title":{"rendered":"Learning about IAM Roles and Policies"},"content":{"rendered":"\n<p><strong>Users<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Are the individual identities (people or applications) that you create in an AWS account.<\/li><li>By default, a new user has no permissions at all; every permission must be granted through a policy.<\/li><li>Always set up MFA (Multi-Factor Authentication) on the root account, and do not use the root account for day-to-day work.<\/li><li>IAM lets you define an account password policy (minimum length, complexity, expiry and reuse rules).<\/li><li>There are two ways to access AWS:\n<ul>\n<li>Username + Password<\/li>\n<\/ul>\n<ul>\n<li>Access Key ID + Secret Access Key<\/li>\n<\/ul>\n<\/li><li>Username and Password\n<ul>\n<li>Cannot be used to interact with the API<\/li>\n<\/ul>\n<ul>\n<li>Used to sign in to the console via the account sign-in link, which you can customise with an account alias in the IAM console<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong>Access Key ID and Secret Access Key<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Created for a user on request (optionally at user creation); a user can have at most two active access keys, which is what allows rotation without downtime<\/li><li>Can be used to interact via the AWS command line, SDKs, or APIs.<\/li><li>Not the same as Username and Password.<\/li><li>The secret access key can only be viewed or downloaded at creation time. If you lose it, create a new key pair and deactivate, then delete, the old one. 
Save them in a secure location (a credential store, never in source code or shared documents).<\/li><\/ul>\n\n\n\n<p><strong>Groups<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A collection of IAM users<\/li><li>Simplify assigning permissions: attach a policy to the group once instead of to every user<\/li><li>Usually one group per job function or department, such as Sales, HR, etc.; different teams require different levels of AWS access<\/li><li>A user can belong to multiple groups (10 max)<\/li><li>Cannot be nested and can only contain users, not roles or other groups<\/li><li>No default group holds all users<\/li><li>Renaming a group or changing its path keeps its unique ID, its members and the policies attached to it<\/li><li>IAM does not update policies in which the group is named as a resource; those references must be fixed manually<\/li><li>Deleting a group requires removing its users, detaching managed policies and deleting any inline policies first.<\/li><\/ul>\n\n\n\n<p><strong>Roles<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>Roles can be used by,\n<ul>\n<li>an IAM user in the same AWS account as the role<\/li>\n<\/ul>\n<ul>\n<li>an IAM user in a different AWS account than the role<\/li>\n<\/ul>\n<ul>\n<li>a web service offered by AWS such as Amazon Elastic Compute Cloud (Amazon EC2)<\/li>\n<\/ul>\n<ul>\n<li>an external user authenticated by an external identity provider (IdP) service that is compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker.<\/li>\n<\/ul>\n<\/li><li>A role has no long-term credentials of its own; whoever assumes it receives temporary security credentials (access key, secret key and session token) from AWS STS that expire automatically.<\/li><li>You can create roles, then assign them to AWS resources.<\/li><li>Example \u2013 For an EC2 instance, attach a role that allows access to S3. The instance then reaches S3 without any stored usernames, passwords or access keys.<\/li><li>The number of roles per account is capped by a service quota (the default is 1,000 and can be raised on request).<\/li><li>API Actions for assuming roles:\n<ul>\n<li>AssumeRole\n<ul>\n<li>You cannot call AssumeRole with AWS root account credentials; access is denied. 
You must use credentials for an IAM user or an IAM role to call AssumeRole.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>AssumeRoleWithSAML &#8211; for users who have been authenticated by a SAML 2.0 identity provider, for example an on-premises directory federated through AD FS; the SAML assertion is exchanged for temporary credentials<\/li>\n<\/ul>\n<ul>\n<li>AssumeRoleWithWebIdentity &#8211; for users who have been authenticated in a mobile app or web app by a web identity provider such as Facebook, Google, Amazon Cognito, or any OpenID Connect-compatible provider<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Role types:<\/span><\/strong><\/p>\n\n\n\n<p><strong>AWS Service<\/strong> (lets a service such as EC2 or Lambda act on your behalf with the role's permissions)<\/p>\n\n\n\n<p>Another AWS Account (allows entities in other accounts to perform actions in the current account)<\/p>\n\n\n\n<p>Web Identity (Amazon, Cognito, Facebook, Google)<\/p>\n\n\n\n<p>SAML \/ OpenID Connect<\/p>\n\n\n\n<p><strong>IAM Policies<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>A policy is a JSON document. Identity-based policies must name the Resource each statement applies to; resource-based policies additionally name a Principal, and a role trust policy omits Resource altogether because the role itself is the resource<\/li><li>Statements consist of 3 main components, Effect, Action, and Resource, plus an optional Condition<\/li><li>Effect &#8211; Whether the statement allows or denies access. Everything is denied by default; an explicit Allow grants access, and an explicit Deny overrides any Allow<\/li><li>Action \u2013 The list of API actions that are allowed or denied by the statement<\/li><li>Resource \u2013 The list of resource ARNs on which the actions can occur<\/li><li>Condition (Optional) \u2013 The circumstances under which the statement applies, for example only when MFA was used or only from a given source IP range<\/li><li>Roles are more secure than long-term access keys, because their credentials are temporary and rotated automatically, and should be the first choice wherever possible<\/li><li>All IAM users should have MFA (Multi-Factor Authentication) enabled<\/li><li>Policy Types\n<ul>\n<li>Identity-based policies &#8211; Attach to an IAM identity &#8211; IAM user, group, or role. Control what actions the identity can perform\n<ul>\n<li>Managed policies \u2013 Standalone identity-based policies that you can attach to multiple users, groups, and roles in your AWS account. You can use two types of managed policies:\n<ul>\n<li>AWS managed policies \u2013 created and managed by AWS.<\/li>\n<\/ul>\n<ul>\n<li>Customer managed policies \u2013 Policies you create and manage in your own account, using the visual editor or by writing the JSON policy document directly.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li>Inline policies \u2013 Policies that you create and manage and that are embedded directly into a single user, group, or role. 
Not recommended: an inline policy cannot be reused, versioned or shared, and it is deleted together with the identity, so prefer managed policies.<\/li>\n<\/ul>\n<ul>\n<li>Resource-based policies &#8211; Attach to a resource such as an Amazon S3 bucket or an IAM role (the role trust policy). They carry a Principal element naming who may use the resource.<\/li>\n<\/ul>\n<\/li><\/ul>\n\n\n\n<p><strong>Policy Example<\/strong><\/p>\n\n\n\n<pre><code>{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": {\n    \"Effect\": \"Allow\",\n    \"Action\": \"s3:ListBucket\",\n    \"Resource\": \"arn:aws:s3:::example_bucket\"\n  }\n}<\/code><\/pre>\n\n\n\n<p>The above allows an s3:ListBucket request on the example_bucket S3 bucket and nothing else. Reading objects inside the bucket (s3:GetObject) is still implicitly denied, because objects have their own ARNs (arn:aws:s3:::example_bucket\/*) and no statement allows actions on them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Users Are the individual accounts. By default, new users don\u2019t have access to any AWS services. Always set up MFA (Multifactor Authentication) on your root account. IAM can be used to create and customise password rotation policies. 
There are two ways to access AWS: Username + Password Access Key ID + Secret Access Key Username&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":383,"menu_order":40,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,304,305],"class_list":["post-1770","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-iam-roles","tag-policies"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Learning about IAM Roles and Policies - Testprep Training Tutorials<\/title>\n<meta name=\"description\" content=\"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. Learn more about IAM Roles and Policies and Try Free Practice Test Now!\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Learning about IAM Roles and Policies - Testprep Training Tutorials\" \/>\n<meta property=\"og:description\" content=\"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. Learn more about IAM Roles and Policies and Try Free Practice Test Now!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/\" \/>\n<meta property=\"og:site_name\" content=\"Testprep Training Tutorials\" \/>\n<meta property=\"article:modified_time\" content=\"2020-05-02T06:45:43+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/\",\"name\":\"Learning about IAM Roles and Policies - Testprep Training Tutorials\",\"isPartOf\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\"},\"datePublished\":\"2019-08-07T06:56:24+00:00\",\"dateModified\":\"2020-05-02T06:45:43+00:00\",\"description\":\"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. Learn more about IAM Roles and Policies and Try Free Practice Test Now!\",\"breadcrumb\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS Certified SysOps Administrator &#8211; Associate (SOA-C01)\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Learning about IAM Roles and Policies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"name\":\"Testprep 
Training Tutorials\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\",\"name\":\"Testprep Training\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"contentUrl\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"width\":583,\"height\":153,\"caption\":\"Testprep Training\"},\"image\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Learning about IAM Roles and Policies - Testprep Training Tutorials","description":"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. Learn more about IAM Roles and Policies and Try Free Practice Test Now!","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/","og_locale":"en_US","og_type":"article","og_title":"Learning about IAM Roles and Policies - Testprep Training Tutorials","og_description":"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. 
Learn more about IAM Roles and Policies and Try Free Practice Test Now!","og_url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/","og_site_name":"Testprep Training Tutorials","article_modified_time":"2020-05-02T06:45:43+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/","url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/","name":"Learning about IAM Roles and Policies - Testprep Training Tutorials","isPartOf":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website"},"datePublished":"2019-08-07T06:56:24+00:00","dateModified":"2020-05-02T06:45:43+00:00","description":"Enrich your profile and get ready to qualify as AWS Solutions Architect Associate. 
Learn more about IAM Roles and Policies and Try Free Practice Test Now!","breadcrumb":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/iam-roles-and-policies\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.testpreptraining.ai\/tutorial\/"},{"@type":"ListItem","position":2,"name":"AWS Certified SysOps Administrator &#8211; Associate (SOA-C01)","item":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-sysops-administrator-associate\/"},{"@type":"ListItem","position":3,"name":"Learning about IAM Roles and Policies"}]},{"@type":"WebSite","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","name":"Testprep Training Tutorials","description":"","publisher":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization","name":"Testprep 
Training","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","contentUrl":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","width":583,"height":153,"caption":"Testprep Training"},"image":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/1770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/comments?post=1770"}],"version-history":[{"count":3,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/1770\/revisions"}],"predecessor-version":[{"id":5241,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/1770\/revisions\/5241"}],"up":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/383"}],"wp:attachment":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/media?parent=1770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/categories?post=1770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/tags?post=1770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
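The policy evaluation rules from the IAM Policies section (Effect, Action, Resource, optional Condition, deny by default, explicit Deny wins) and the AssumeRole rules from the Roles section (root credentials refused, trust policy must name the caller, another-account callers also need sts:AssumeRole in their own policy) as an added worked example. This is not code from the page or from AWS; it is a small Python evaluator that parses the page's own policy JSON and a few constructed policies. The account IDs 111111111111 and 222222222222, the users alice/bob/carol, the role ReadOnlyAudit and the MFA-gated trust and deny policies are assumed placeholders, and only the StringEquals and Bool condition operators are modelled.

```python
"""Minimal IAM policy evaluator: an added example, not the page's or AWS's code.
Models the rules stated above: Effect/Action/Resource plus optional Condition, deny by
default, explicit Deny wins, root credentials refused by AssumeRole, trust policy must
name the caller. Account IDs, user names and the role name are constructed placeholders."""
import fnmatch
import json

# The identity policy shown on the page, parsed from its JSON text.
PAGE_POLICY = json.loads('{"Version": "2012-10-17", "Statement": {"Effect": "Allow", '
                        '"Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket"}}')

# Constructed: deny every S3 call from a session that did not authenticate with MFA.
DENY_S3_WITHOUT_MFA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]}

# Constructed trust policy for a role of the "Another AWS Account" type (placeholder IDs).
ROLE_ARN = "arn:aws:iam::222222222222:role/ReadOnlyAudit"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/alice"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Constructed identity policy in account 111111111111 permitting the AssumeRole call.
ALICE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def statements(policy):
    """Statement may be one object or a list; always return a list."""
    return _as_list(policy["Statement"])


def validate(policy):
    """Structural checks for an identity-based policy; returns a list of problems."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, s in enumerate(statements(policy)):
        problems += [f"statement {i}: missing {k}" for k in ("Effect", "Action", "Resource") if k not in s]
        if s.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
    return problems


def _condition_ok(condition, context):
    """Every operator and every key must hold; a key absent from the request context fails."""
    for operator, keys in condition.items():
        if operator not in ("StringEquals", "Bool"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, wanted in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "Bool" and actual.lower() != _as_list(wanted)[0].lower():
                return False
    return True


def _applies(s, action, resource, context):
    """Does the statement cover this request? Action names are case-insensitive, ARNs are not."""
    act_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(s["Action"]))
    res_ok = any(fnmatch.fnmatchcase(resource, p) for p in _as_list(s.get("Resource", "*")))
    return act_ok and res_ok and ("Condition" not in s or _condition_ok(s["Condition"], context))


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request across all the given policies."""
    allowed = False
    for policy in policies:
        for s in statements(policy):
            if not _applies(s, action, resource, context or {}):
                continue
            if s["Effect"] == "Deny":
                return "Deny"                 # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "Deny"     # nothing allowed it: implicit deny


def _principal_matches(principal, caller_arn):
    """'*' trusts everyone; arn:aws:iam::ACCOUNT:root trusts the whole account."""
    allowed = principal.get("AWS", []) if isinstance(principal, dict) else principal
    return any(p in ("*", caller_arn) or (p.endswith(":root") and caller_arn.startswith(p[:-4]))
               for p in _as_list(allowed))


def can_assume(trust_policy, role_arn, caller_arn, caller_policies=(), context=None):
    """AssumeRole as the page describes it: root credentials are refused, the trust policy
    must name the caller, and a caller from another account additionally needs
    sts:AssumeRole on the role in its own identity-based policy."""
    if caller_arn.endswith(":root"):
        return False
    trusted = False
    for s in statements(trust_policy):
        if not (_principal_matches(s.get("Principal", {}), caller_arn)
                and _applies(s, "sts:AssumeRole", role_arn, context or {})):
            continue
        if s["Effect"] == "Deny":
            return False
        trusted = True
    if trusted and caller_arn.split(":")[4] != role_arn.split(":")[4]:
        return evaluate(caller_policies, "sts:AssumeRole", role_arn, context) == "Allow"
    return trusted
```

Two behaviours are worth trying against it: the page's policy allows `s3:ListBucket` on the bucket ARN but denies `s3:GetObject` on an object ARN inside it, and with the constructed MFA deny policy attached the same ListBucket call flips to Deny when the request context reports `aws:MultiFactorAuthPresent` as false. For the trust policy, a caller using root credentials or a caller whose account is trusted but who lacks `sts:AssumeRole` in its own identity policy is refused, while a same-account user named explicitly in the trust policy needs no identity policy at all.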