group
- assign policies to groups not users
IAM Access types: Programmatic Access
IAM Access types: AWS Mgmt Console
console
user
- by default a user has no permissions
Identity Providers
Access Key ID and Secret Access Key
- you can only view the Access Key ID and Secret Access Key once; if you lose them, you must regenerate a new one
Password rotations
Inline policy
a policy that is attached to a single user or group
- typically used for one-off situations
Managed policy
- when updated, all users or groups get updated automatically
Explicit Deny ***
when you explicitly change a permission in the policy from Allow to Deny
- will override any allow that is granted to a user in any other policy***
Implicit Deny
by default all permissions are implicitly denied until they are allowed in a policy (i.e. they don’t show up in the policy JSON)
Policy JSON: EAR
E - Effect
A - Action
R - Resource