

Showing posts from January, 2019

AWS IAM in a nutshell

IAM users: Used for human users; they carry long-term security credentials (a console password and/or access keys).

IAM roles: Used for applications and automated services; a role is assumed rather than logged into, and assuming it yields short-term security credentials. For example, a Lambda function that needs to call EC2 assumes a role instead of holding a user's access keys.

IAM principal: An identity defined within an AWS account (such as a user or a role) that can make a request.

Policies: Policies are permissions. They can be attached to users, groups or roles, and AWS authorizes every API call against the IAM policies that apply; a call that no policy allows is denied by default.

Breaking down an IAM policy (a JSON document):

'Effect' clause: States whether the statement allows or denies the listed actions, by setting 'Allow' or 'Deny'.

'Action' clause: Which API actions may be performed on the resource. A wildcard (*) means every action, which is a very insecure permission because it grants far more than the caller needs.

'Resource' clause: The exact ARN of the resource the statement applies to.

Policies attached to resources (more granular IAM policies): Generally IAM policies apply to a principal, but in some scenarios a policy can be attached to an individual resource too, such as who can
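To make the Effect/Action/Resource breakdown concrete, here is an added example (not code from the original post) that evaluates an API call against an IAM policy document and flags wildcard grants. The two policy documents are constructed for the example, and the evaluator is deliberately simplified: it implements the identity-policy rules of default deny, explicit Deny overriding Allow, and IAM-style `*`/`?` wildcard matching, but ignores Condition blocks, NotAction/NotResource and resource-based policies.

```python
import fnmatch
import json

# Constructed sample policies for this example (not taken from the original post).
# A least-privilege policy: read one bucket, but never its secrets/ prefix.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/secrets/*",
        },
    ],
})

# The insecure shape the post warns about: every action on every resource.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM-style wildcard matching ('*' and '?'); kept case-sensitive for simplicity."""
    return fnmatch.fnmatchcase(value, pattern)


def is_allowed(policy_json, action, resource):
    """Simplified identity-policy evaluation: default deny; an explicit Deny that
    matches overrides any Allow; otherwise a matching Allow grants the call.
    Conditions, NotAction/NotResource and resource-based policies are ignored."""
    policy = json.loads(policy_json)
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action) for a in _as_list(stmt.get("Action")))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False          # explicit deny wins immediately
        if stmt.get("Effect") == "Allow":
            allowed = True        # keep scanning in case a later Deny applies
    return allowed


def find_wildcard_grants(policy_json):
    """Flag Allow statements that grant every action ('*' or 'service:*') or every resource."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for a in _as_list(stmt.get("Action")):
            if a == "*" or a.endswith(":*"):
                findings.append((index, "Action", a))
        for r in _as_list(stmt.get("Resource")):
            if r == "*":
                findings.append((index, "Resource", r))
    return findings


if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    print(is_allowed(LEAST_PRIVILEGE_POLICY, "s3:GetObject", bucket + "/public/readme.txt"))
    print(is_allowed(LEAST_PRIVILEGE_POLICY, "s3:GetObject", bucket + "/secrets/key.pem"))
    print(is_allowed(LEAST_PRIVILEGE_POLICY, "s3:PutObject", bucket + "/public/readme.txt"))
    print(find_wildcard_grants(WILDCARD_POLICY))
```

Run it as a script to see the three decisions (allowed, denied by the explicit Deny, denied by default) followed by the two wildcard findings for the `"*"` policy. The `find_wildcard_grants` check is the kind of test worth running over every policy before it is attached to a user, group or role.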