- Users refer to individual accounts.<\/li>
- New users are not given to any AWS services, by default.<\/li>
- MFA (Multifactor Authentication) can configure for root account.<\/li>
- IAM provide facility to create and customise password rotation policies in AWS.<\/li>
- There are two ways to access AWS:
- Username + Password <\/li><\/ul>
- Access Key ID + Secret Access Key <\/li><\/ul><\/li>
- Username and Password
- Cannot interact with API <\/li><\/ul>
- custom sign-in link created by IAM console for sign in <\/li><\/ul><\/li><\/ul>\n\n\n\n
Access Key ID and Secret Access Key<\/p>\n\n\n\n
- Assigned on user creation only<\/li>
- Keys also enable interaction by
- the AWS command line <\/li><\/ul>
- SDKs <\/li><\/ul>
- APIs. <\/li><\/ul><\/li>
- Keys are not Username or Password.<\/li>
- User can only view them once.<\/li>
- They need to regenerate if lost<\/li>
- Should be stored in a secured location<\/li><\/ul>\n\n\n\n
Groups<\/strong><\/h4>\n\n\n\n
- Refer to a \u00a0collection of IAM users<\/li>
- It helps to simplify assignment of permissions<\/li>
- It extensively denote individual departments in a company like Sales, HR, etc,<\/li>
- Maximum of 10 groups can assign to a user<\/li>
- Groups cannot have sub-groups as no nesting is permitted<\/li>
- A group can only have users an no sub-groups<\/li>
- There is no default group in AWS, for holding all users<\/li>
- Any renaming of a group name or its path,\u00a0 reflects on policies attach to group, unique ids, users within the group.<\/li>
- AWS IAM is not responsible to update policies if group list as a resource but it handled manually<\/li>
- Group deletion involves detaching users and policies from the group and, deletion of inline policies.<\/li>
- Varied access level for AWS service is needed as
- A user can belong to multiple groups <\/li><\/ul>
- Groups cannot belong to other groups <\/li><\/ul><\/li><\/ul>\n\n\n\n
Roles<\/strong><\/h4>\n\n\n\n
- Roles are used by any of the following
- AWS IAM user present in same AWS account as role <\/li><\/ul>
- Then, AWS IAM user present in different AWS account than role <\/li><\/ul>
- AWS offered web service like EC2 <\/li><\/ul>
- external user that validates using IdP (external identity provider) compliant to SAML 2.0\/OpenID Connect <\/li><\/ul><\/li>
- AWS resources can also assign to roles you create
- Like\u2013EC2 instance having role to access S3, which is without any usernames, passwords, etc. <\/li><\/ul><\/li>
- Limited to 500 IAM roles under AWS account.<\/li>
- API Actions for assuming roles:
- AssumeRole
- Can\u2019t call AssumeRole from AWS root account credentials. use credentials for AWS IAM user or IAM role to call AssumeRole. <\/li><\/ul><\/li><\/ul>
- AssumeRoleWithSAML \u2013users are validated by SAML authentication response, like an on-premises VPC <\/li><\/ul>
- AssumeRoleWithWebIdentity \u00a0– users are validated by in mobile\/web app using a web based identity provider like Facebook\/Google <\/li><\/ul><\/li><\/ul>\n\n\n\n
Role types:<\/p>\n\n\n\n
- AWS Service<\/li>
- Another AWS Account (allowing entity in other AWS accounts to act in current account)<\/li>
- Web Identity (Amazon, Cognito, Facebook, Google)<\/li>
- SAML \/ OpenID Connect<\/li><\/ul>\n\n\n\n
IAM Policies<\/h6>\n\n\n\n
- Resource property is a must in every IAM Policy<\/li>
- Policies have 3 main parts – Action, Resource, and Effect<\/li>
- Effect \u2013 refers to result i.e., access is allowed or denied by policy<\/li>
- Action \u2013 Allowed action list, as per policy<\/li>
- Resource \u2013resource list on which actions can take place as per policy<\/li>
- Condition (Optional) \u2013 Situation under which policy gives permission<\/li>
- Roles as per their intrinsic capabilities, provide more security against programmatic access<\/li>
- Multi-Factor Authentication or MFA should enable for all users for more secured access<\/li>
- Policy Types
- Identity-based policies \u2013 It can attach to an IAM identity only like IAM user\/ group\/ role. To control what actions the assigned identity can perform, further classified as
- Managed policies \u2013 It is an standalone identity-based policy which can be attached to multiple users\/groups\/roles in the AWS account. Further two types, as
- AWS managed policies \u2013 creation and management by AWS <\/li><\/ul>
- Customer managed policies \u2013creation and management by user \u00a0by applying a visual editor or editing JSON policy document. <\/li><\/ul><\/li><\/ul><\/li><\/ul>
- Inline policies \u2013 User created and embedded into a single user\/group\/role. Not recommended as management is precarious <\/li><\/ul>
- Resource-based policies \u2013 Can only be attached to a resource like S3 bucket <\/li><\/ul><\/li><\/ul>\n\n\n\n
Policy Example<\/strong><\/h4>\n\n\n\n
{<\/p>\n\n\n\n
“Version”: “2012-10-17”,<\/p>\n\n\n\n
“Statement”: {<\/p>\n\n\n\n
“Effect”: “Allow”,<\/p>\n\n\n\n
“Action”: “s3:ListBucket”,<\/p>\n\n\n\n
“Resource”: “arn:aws:s3:::example_bucket”<\/p>\n\n\n\n
}<\/p>\n\n\n\n
}<\/p>\n\n\n\n
In the above listing, ListBucket Request can perform on example_bucket S3 bucket<\/p>\n\n\n\n
![\"IAM](\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-165-612x400.png\")
<\/figure>\n\n\n\nWeb Identity Federation<\/strong><\/h6>\n\n\n\n
- allows trusted third party to authenticate users<\/li>
- reduces efforts to create and manage users<\/li>
- removes providing multiple ID to users<\/li>
- Implements access control by roles<\/li>
- Providing temporary credential is recommended<\/li>
- Use External ID provider like Facebook\/Google<\/li><\/ul>\n\n\n\n
Standard Web Identity Federation<\/strong><\/h6>\n\n\n\n
- Mobile user authenticates with Web Identity provider<\/li>
- Web Identity provider or WIP, authenticates identity<\/li>
- Mobile user uses AssumeRole with STS or Security token service<\/li>
- STS validates from WIP and also gives receives success\/failure notification<\/li>
- Success response checks the Role Trust policy<\/li>
- Mobile User is provided a temporary access credentials in STS<\/li><\/ul>\n\n\n\n
Cognito<\/strong><\/h6>\n\n\n\n
- identity management and sync service<\/li>
- Supports
- Oauth 2.0 <\/li><\/ul>
- SAML 2.0 <\/li><\/ul>
- OpenID Connect <\/li><\/ul><\/li>
- 2 product streams<\/li>
- cognito identity pool \u2013 is a set of identities<\/li>
- Types of pools in Cognito
- User pools – user directory in Cognito. to sign in to web or mobile app and directory profile can be accessed by SDK. <\/li><\/ul>
- Identity pools – for temporary credentials to access AWS services, good for anonymous guest users <\/li><\/ul><\/li>
- allows 2 roles to associate one for authenticated user other for unauthenticated users<\/li>
- It can
- orchestrate generation of unauthenticated identity <\/li><\/ul>
- merge unauthaorised identity into authorised identity <\/li><\/ul>
- merge multiple entities into one object <\/li><\/ul><\/li>
- Cognito Authenticated flow types \u00a0
- Classic or Basic \u00a0– Login to Web Identity provider rest flow is unauthenticated flow <\/li><\/ul>
- Enhanced \u2013 every time communicate with Cognito <\/li><\/ul><\/li><\/ul>\n\n\n\n
Cognito Unauthenticated flow:<\/h6>\n\n\n\n
- A customer starts mobile app which asks for sign in.<\/li>
- App uses Amazon as web based identity provider<\/li>
- Cognito API exchange Login with Amazon ID token for a Cognito token.<\/li>
- Request for temporary credentials requests with Cognito token to STS<\/li>
- temporary credentials can access AWS resource<\/li><\/ol>\n","protected":false},"excerpt":{"rendered":"
Here, we will learn about IAM Roles and Policies. Users Users refer to individual accounts. New users are not given to any AWS services, by default. MFA (Multifactor Authentication) can configure for root account. IAM provide facility to create and customise password rotation policies in AWS. There are two ways to access AWS: Username +…<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":2474,"menu_order":38,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"footnotes":""},"categories":[2],"tags":[7,510],"class_list":["post-3084","page","type-page","status-publish","hentry","category-amazon-aws","tag-aws","tag-iam-roles-and-policies"],"acf":[],"yoast_head":"\n
IAM Roles and Policies - Testprep Training Tutorials<\/title>\n<meta name=\"description\" content=\"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"IAM Roles and Policies - Testprep Training Tutorials\" \/>\n<meta property=\"og:description\" content=\"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/\" \/>\n<meta property=\"og:site_name\" content=\"Testprep Training Tutorials\" \/>\n<meta property=\"article:modified_time\" content=\"2022-03-03T10:24:51+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-165-612x400.png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/\",\"name\":\"IAM Roles and Policies - Testprep Training Tutorials\",\"isPartOf\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\"},\"datePublished\":\"2019-08-31T11:46:52+00:00\",\"dateModified\":\"2022-03-03T10:24:51+00:00\",\"description\":\"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0\",\"breadcrumb\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"AWS Certified Security Specialty\",\"item\":\"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"IAM Roles and Policies\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#website\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"name\":\"Testprep Training Tutorials\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#organization\",\"name\":\"Testprep Training\",\"url\":\"https:\/\/www.testpreptraining.ai\/tutorial\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"contentUrl\":\"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png\",\"width\":583,\"height\":153,\"caption\":\"Testprep Training\"},\"image\":{\"@id\":\"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"IAM Roles and Policies - Testprep Training Tutorials","description":"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/","og_locale":"en_US","og_type":"article","og_title":"IAM Roles and Policies - Testprep Training Tutorials","og_description":"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0","og_url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/","og_site_name":"Testprep Training Tutorials","article_modified_time":"2022-03-03T10:24:51+00:00","og_image":[{"url":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-content\/uploads\/2019\/09\/image-165-612x400.png"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/","url":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/","name":"IAM Roles and Policies - Testprep Training Tutorials","isPartOf":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website"},"datePublished":"2019-08-31T11:46:52+00:00","dateModified":"2022-03-03T10:24:51+00:00","description":"Upgrade your profile to become AWS Certified Security Specialty by understanding the concepts of IAM Roles and Policies Now!\u00a0","breadcrumb":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/iam-roles-and-policies-3\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.testpreptraining.ai\/tutorial\/"},{"@type":"ListItem","position":2,"name":"AWS Certified Security Specialty","item":"https:\/\/www.testpreptraining.ai\/tutorial\/aws-certified-security-specialty\/"},{"@type":"ListItem","position":3,"name":"IAM Roles and Policies"}]},{"@type":"WebSite","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#website","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","name":"Testprep Training Tutorials","description":"","publisher":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.testpreptraining.ai\/tutorial\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#organization","name":"Testprep Training","url":"https:\/\/www.testpreptraining.ai\/tutorial\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/","url":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","contentUrl":"https:\/\/www.testpreptraining.com\/tutorial\/wp-content\/uploads\/2020\/07\/tpt-logo-6.png","width":583,"height":153,"caption":"Testprep Training"},"image":{"@id":"https:\/\/www.testpreptraining.ai\/tutorial\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/comments?post=3084"}],"version-history":[{"count":8,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3084\/revisions"}],"predecessor-version":[{"id":51854,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/3084\/revisions\/51854"}],"up":[{"embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/pages\/2474"}],"wp:attachment":[{"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/media?parent=3084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/categories?post=3084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.testpreptraining.ai\/tutorial\/wp-json\/wp\/v2\/tags?post=3084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Enhanced \u2013 every time communicate with Cognito <\/li><\/ul><\/li><\/ul>\n\n\n\n
- Classic or Basic \u00a0– Login to Web Identity provider rest flow is unauthenticated flow <\/li><\/ul>
- merge unauthaorised identity into authorised identity <\/li><\/ul>
- orchestrate generation of unauthenticated identity <\/li><\/ul>
- User pools – user directory in Cognito. to sign in to web or mobile app and directory profile can be accessed by SDK. <\/li><\/ul>
- SAML 2.0 <\/li><\/ul>
- Oauth 2.0 <\/li><\/ul>
- Resource-based policies \u2013 Can only be attached to a resource like S3 bucket <\/li><\/ul><\/li><\/ul>\n\n\n\n
- Inline policies \u2013 User created and embedded into a single user\/group\/role. Not recommended as management is precarious <\/li><\/ul>
- Customer managed policies \u2013creation and management by user \u00a0by applying a visual editor or editing JSON policy document. <\/li><\/ul><\/li><\/ul><\/li><\/ul>
- AWS managed policies \u2013 creation and management by AWS <\/li><\/ul>
- Managed policies \u2013 It is an standalone identity-based policy which can be attached to multiple users\/groups\/roles in the AWS account. Further two types, as
- Identity-based policies \u2013 It can attach to an IAM identity only like IAM user\/ group\/ role. To control what actions the assigned identity can perform, further classified as
- AssumeRoleWithWebIdentity \u00a0– users are validated by in mobile\/web app using a web based identity provider like Facebook\/Google <\/li><\/ul><\/li><\/ul>\n\n\n\n
- AssumeRoleWithSAML \u2013users are validated by SAML authentication response, like an on-premises VPC <\/li><\/ul>
- Can\u2019t call AssumeRole from AWS root account credentials. use credentials for AWS IAM user or IAM role to call AssumeRole. <\/li><\/ul><\/li><\/ul>
- AssumeRole
- AWS offered web service like EC2 <\/li><\/ul>
- Then, AWS IAM user present in different AWS account than role <\/li><\/ul>
- AWS IAM user present in same AWS account as role <\/li><\/ul>
- Roles are used by any of the following
- Groups cannot belong to other groups <\/li><\/ul><\/li><\/ul>\n\n\n\n
- A user can belong to multiple groups <\/li><\/ul>
- SDKs <\/li><\/ul>
- the AWS command line <\/li><\/ul>
- custom sign-in link created by IAM console for sign in <\/li><\/ul><\/li><\/ul>\n\n\n\n
- Cannot interact with API <\/li><\/ul>
- Username + Password <\/li><\/ul>