

Showing posts from January, 2019

AWS IAM in a nutshell

IAM users: Used for human users; they carry long-term security credentials.

IAM roles: Used for applications and automated services; they carry short-term security credentials. For example, a Lambda function that needs to access an EC2 instance assumes a role.

IAM principal: An identity defined within an AWS account.

Policies: Policies are permissions; they can be attached to users, groups or roles. AWS authorizes every API call against the IAM policies that apply.

Breaking down an IAM policy (JSON file):

'Effect' clause: States whether an action is allowed or denied, by setting 'Allow' or 'Deny'.

'Action' clause: Which actions can be performed on a particular resource. A wildcard (*) indicates all actions, which is a very insecure permission.

'Resource' clause: The exact resource ARN.
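To make the three clauses concrete, here is an added example (not code from the original post) that parses policy documents and flags Allow statements whose Action or Resource is a wildcard, which is the "very insecure permission" the breakdown warns about. The two policy documents are constructed samples; the bucket ARN is a placeholder, not a real account's resource.

```python
import json

# Constructed sample: one Allow statement granting every action on every resource.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
})

# Constructed sample: the same idea scoped to named actions on one placeholder bucket,
# plus a Deny that narrows permissions further (Deny with "*" is fine: it only removes).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*"
            ]
        },
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
    ]
})


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy_json):
    """Return (statement index, clause, value) for every wildcard in an Allow statement.

    Flags: Action "*" or a service-wide "service:*", Resource "*", and the
    NotAction / NotResource forms, which grant everything except the listed items.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access, so wildcards there are not a risk
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((idx, "Resource", resource))
        # NotAction/NotResource are inverted matches: everything not listed is granted.
        for clause in ("NotAction", "NotResource"):
            if clause in stmt:
                findings.append((idx, clause, "inverted match grants everything else"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_wildcard_grants(doc))
```

The check is deliberately conservative: it treats `service:*` the same as a bare `*`, because a service-wide wildcard still grants actions that do not exist yet at the time the policy is written.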

Policies attached to Resources (more granular level IAM policies):

Generally IAM policies apply to a principal, but in some scenarios the policies can be attached to individual resources too, such as who can access th…