Skip to main content


Showing posts from September, 2019

Breaking down AWS IAM terminologies

AWS IAM (Identity and Access Management) in one of the most complex and misunderstood concepts. It's easy to make mistakes while defining proper permissions for resources in the account or cross account. Here are a few basic terminologies from IAM: IAM users: Used for Human users, such as long term security credentials IAM roles: Used for applications, automated services, they are short term security credentials. For example, a Lambda function wants to access EC2 instance. IAM principal: An identity defines within an AWS account Policies: Policies are permissions- they can be attached to Users, Groups or Roles. AWS authorizes every API call against the IAM policies that apply. Breaking down IAM Policy (JSON files): 'Effect' clause: Describes if an action is allowed or not by setting 'Allow' or 'Deny' 'Action' clause: What all actions on a particular resource can be performed. A wild card (*) indicates all actions, which is very insecur