IAM Elements

Principals
Definition: Entities that can take actions on AWS resources.
Types of Principals:
Administrative IAM User: Typically the first principal created in a new account.
Roles: Can be assumed by users and services.
Federated Users: Identities managed outside AWS (by an external identity provider) that IAM can grant access to.
Programmatic Access: Allows applications to access AWS accounts.
Common Principals: IAM users, roles, federated users, and applications.

Requests
Definition: Actions that principals want to perform on resources.
Request Channels: Console, CLI, SDKs, or APIs.
Components of Requests:
Actions: Operations to be performed.
Resources: Targets of the actions.
Principal Information: Including environment details.
Request Context: Collected by AWS and includes:
Principal (Requester) Information: Identity of the requester.
Aggregate Permissions: Permissions associated with the principal.
Environment Data: IP address, user agent, SSL status, etc.
Resource Data: Data related to the requested resource.

Authentication
Requirement: Principals must be authenticated to make requests.
Console Authentication: Requires user name and password.
API/CLI Authentication: Requires an access key ID and secret access key.

Authorization
Process: Uses request context values to match policies and determine permission.
Policy Types:
Identity-Based Policies: Attached to users, groups, and roles.
Resource-Based Policies: Attached directly to resources.
Policy Format: JSON documents specifying allowed or denied permissions.
Evaluation Logic:
Implicit Deny: Default state; every request is denied unless a policy explicitly allows it.
Explicit Allow: Overrides implicit deny.
Explicit Deny: Overrides any explicit allows.
Root User: Has access to all resources by default.
Decision Making:
All matching policies are checked.
A single explicit deny results in the request being denied immediately.

Actions
Definition: Operations defined by services that can be performed on resources.
Examples: Viewing, creating, editing, deleting.
Permission Requirements:
Policy Inclusion: Necessary actions must be included in a policy applied to the principal or resource.
Default Deny: Any actions not explicitly allowed are denied.
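The evaluation logic in the Authorization notes (implicit deny by default, explicit allow lifts it, a single explicit deny wins immediately) and the Default Deny rule under Actions are easiest to see with a small evaluator run over sample policies. The code below is an added illustration, not AWS's own evaluator: the identity-based and bucket policies, the 203.0.113.0/24 "office" range, the bucket name and the account ID are all constructed sample values, and the wildcard and aws:SourceIp condition handling are approximations of what IAM does.

```python
"""Toy IAM-style policy evaluator (added illustration, not AWS code).

Every statement from every policy is checked.  The starting decision is
an implicit deny; a matching Allow statement lifts it; a matching Deny
statement ends evaluation immediately, regardless of any Allows.
Only Action/Resource wildcards and the aws:SourceIp condition are
modelled, and the Principal element of resource-based policies is not
checked.  All of that is an assumption of this illustration.
"""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM patterns support * and ?; fnmatchcase is a close approximation.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(condition, context):
    """True when the statement's Condition is satisfied by the request context."""
    if not condition:
        return True
    for operator, keys in condition.items():
        if operator not in ("IpAddress", "NotIpAddress"):
            return False  # toy: unsupported operator means the statement does not apply
        for key, cidrs in keys.items():
            if key != "aws:SourceIp":
                return False  # toy: only the source-IP context key is modelled
            src = ip_address(context["aws:SourceIp"])
            in_range = any(src in ip_network(c, strict=False) for c in _as_list(cidrs))
            if in_range != (operator == "IpAddress"):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Return (decision, reason) for one request against all policies."""
    decision, reason = "Deny", "implicit deny: no statement matched"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            sid = stmt.get("Sid", "<no Sid>")
            if stmt["Effect"] == "Deny":
                # One explicit deny is final, no matter how many Allows matched.
                return "Deny", f"explicit deny by statement {sid}"
            if decision != "Allow":
                decision, reason = "Allow", f"explicit allow by statement {sid}"
    return decision, reason


# Constructed sample policies: an identity-based policy on the principal
# and a resource-based policy on the bucket.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ObjectAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OfficeOnly", "Effect": "Deny", "Action": "s3:*", "Resource": "*",
         "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
}
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NoDeletes", "Effect": "Deny", "Principal": "*",
         "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}
POLICIES = [IDENTITY_POLICY, BUCKET_POLICY]

# Constructed request contexts (environment data from the request context).
OFFICE = {"aws:SourceIp": "203.0.113.10"}
CAFE = {"aws:SourceIp": "198.51.100.7"}
OBJECT = "arn:aws:s3:::example-bucket/report.csv"
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"


if __name__ == "__main__":
    for action, resource, ctx in [
        ("s3:GetObject", OBJECT, OFFICE),      # explicit allow
        ("s3:GetObject", OBJECT, CAFE),        # explicit deny (wrong source IP)
        ("s3:DeleteObject", OBJECT, OFFICE),   # allow overridden by bucket deny
        ("ec2:StartInstances", INSTANCE, OFFICE),  # implicit deny
    ]:
        print(action, ctx["aws:SourceIp"], "->", evaluate(POLICIES, action, resource, ctx))
```

The four requests in the main block walk through each outcome the notes list: an allow, a deny driven by environment data in the request context, a resource-based deny overriding an identity-based allow, and an action no policy mentions, which falls through to the implicit deny.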

Resources
Definition: Entities within a service, such as EC2 instances, S3 buckets, IAM users, DynamoDB tables.
Service Actions: Each service defines actions that can be performed on its resources.
Approval and Execution:
AWS approves the actions in a request.
Approved actions can be performed on the related resources within the account.