IAM
IAM can federate with SAML 2.0 identity providers such as Active Directory (through AD FS) to give temporary credentials and single sign-on access to the AWS console and APIs.
MFA devices can be managed from IAM. IAM also provides pre-built (AWS managed) policies that can be attached to users and groups.
Users & Groups
Groups - Attach permission policies to many users at once instead of to each user separately.
Users - Best practice is to create individual IAM users with their own credentials rather than sharing the root account. By default everything is denied: a new user has no permissions until an Allow policy is attached. An explicit Deny always overrides an Allow, so a user who is allowed an action by one policy and explicitly denied it by another ends up denied.
Roles
A role can be created for EC2 instances or for other AWS accounts to assume. A role carries a permission policy plus a trust policy that says who may assume it, and the credentials it hands out are temporary (issued by STS), so access can be granted for a limited time.
Best Practices for New Accounts
Every AWS resource has a unique identifier called an Amazon Resource Name (ARN), in the form arn:partition:service:region:account-id:resource.
A user can belong to multiple groups, and multiple policies can be attached to a user directly and through groups; the effective permissions are the union of all of them. Now remember about the Explicit Deny :)
API Keys and Roles
An EC2 instance can have only one IAM role (through its instance profile) at a time. The role can be attached at launch, and since 2017 it can also be attached to or replaced on a running instance (associate-iam-instance-profile / replace-iam-instance-profile-association), so a relaunch is no longer needed.
IAM Policies
Besides the AWS managed policies we can create our own (customer managed) policies. Managed policies are versioned, so a change can be rolled back to an earlier version. The IAM Policy Simulator lets us test what a user, group or role is allowed to do before granting access.
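To make the evaluation order from the Users and IAM Policies notes concrete, here is a small policy simulator added as an example (not AWS code and not the real IAM engine): everything is implicitly denied, a matching Allow permits, and a matching explicit Deny wins over any Allow. Users, groups, policy names and ARNs below are constructed sample data; only identity-based policies with Effect/Action/Resource are modelled, and NotAction, Condition, resource-based policies, SCPs and permission boundaries are ignored.

```python
"""Added example: minimal simulator of IAM's policy evaluation order.

Rules modelled: default (implicit) deny, Allow permits, explicit Deny
overrides Allow.  Sample users/groups/policies are constructed data.
"""
import re


def glob_match(pattern, value, ignore_case=False):
    """Match IAM-style wildcards: '*' is any run of chars, '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource):
    """Action names are case-insensitive; resource ARNs are case-sensitive."""
    actions = as_list(stmt.get("Action", []))
    resources = as_list(stmt.get("Resource", []))
    return (any(glob_match(a, action, ignore_case=True) for a in actions)
            and any(glob_match(r, resource) for r in resources))


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request."""
    matched = [s for p in policies for s in as_list(p["Statement"])
               if statement_matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return "explicit deny"          # a Deny wins over any Allow
    if any(s["Effect"] == "Allow" for s in matched):
        return "allow"
    return "implicit deny"              # nothing matched: default deny


# --- constructed sample account (hypothetical names) ---------------------
POLICIES = {
    "S3ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "EC2Describe": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
    "DenyProdBucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::prod-data", "arn:aws:s3:::prod-data/*"]}]},
}
GROUPS = {
    "developers": ["S3ReadOnly", "EC2Describe"],
    "contractors": ["DenyProdBucket"],
}
USERS = {
    "alice": {"groups": ["developers"], "policies": []},
    "bob": {"groups": ["developers", "contractors"], "policies": []},
    "carol": {"groups": [], "policies": []},   # new user, nothing attached
}


def effective_policies(user, users=USERS, groups=GROUPS, policies=POLICIES):
    """Union of policies attached directly and through every group."""
    names = list(users[user]["policies"])
    for group in users[user]["groups"]:
        names.extend(groups[group])
    return [policies[n] for n in names]


def simulate(user, action, resource,
             users=USERS, groups=GROUPS, policies=POLICIES):
    return evaluate(effective_policies(user, users, groups, policies),
                    action, resource)


if __name__ == "__main__":
    for who, act, res in [
        ("alice", "s3:GetObject", "arn:aws:s3:::prod-data/report.csv"),
        ("bob", "s3:GetObject", "arn:aws:s3:::prod-data/report.csv"),
        ("bob", "s3:GetObject", "arn:aws:s3:::dev-data/report.csv"),
        ("alice", "s3:PutObject", "arn:aws:s3:::dev-data/report.csv"),
        ("carol", "ec2:DescribeInstances", "*"),
    ]:
        print(f"{who:6} {act:22} {res:38} -> {simulate(who, act, res)}")
```

bob is in both groups, so the contractors' Deny on prod-data beats the developers' Allow, while the same request from alice is allowed and carol, with nothing attached, gets the implicit deny. Against a real account the equivalent check is the IAM Policy Simulator or `aws iam simulate-principal-policy --policy-source-arn <user-or-role-arn> --action-names s3:GetObject --resource-arns <arn>`, which also evaluates the conditions and policy types this toy omits.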
IAM event logging with CloudTrail
CloudTrail delivers its log files to an S3 bucket. We can also configure an SNS topic so that a notification is sent on each log file delivery.
Creating the SNS topic alone is not enough: a subscription must be added to the topic before anyone receives the notifications, e.g. an Email subscription (which has to be confirmed from the mailbox before it becomes active).
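Delivering the logs to S3 is only useful if something reads them. As an added example (not part of the original notes and not AWS code), the script below parses the JSON format CloudTrail writes and runs three simple detections over it: use of the root account, a console login without MFA, and IAM API calls that change permissions. The records, the example account ID 123456789012 and the TEST-NET addresses are constructed sample data.

```python
"""Added example: simple detections over CloudTrail records.

CloudTrail delivers gzip-compressed JSON files to S3; each file is an
object with a "Records" list.  SAMPLE_LOG is constructed sample data.
"""
import gzip
import json

# IAM API calls that change who can do what; worth an alert every time.
IAM_CHANGE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile",
    "AttachUserPolicy", "PutUserPolicy", "AttachGroupPolicy",
    "AttachRolePolicy", "UpdateAssumeRolePolicy", "DeactivateMFADevice",
}

SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2024-01-15T09:12:03Z",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::123456789012:user/bob"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.5",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T09:15:40Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "dev-data", "key": "report.csv"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T09:20:11Z",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::123456789012:user/alice"},
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"userName": "bob",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventVersion": "1.08", "eventTime": "2024-01-15T22:41:57Z",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "198.51.100.23",
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
]})


def load_records(text):
    """Parse the decoded JSON of one delivered log file."""
    return json.loads(text)["Records"]


def load_records_from_file(path):
    """Read one log file as delivered to S3 (gzip-compressed)."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        return load_records(fh.read())


def run_detections(records):
    """Return one finding dict per rule hit, in record order."""
    findings = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "?")
        base = {"time": rec.get("eventTime"), "user": who,
                "event": rec.get("eventName"), "ip": rec.get("sourceIPAddress")}
        if ident.get("type") == "Root":
            findings.append(dict(base, rule="root-account-used"))
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("additionalEventData", {}).get("MFAUsed") == "No"):
            findings.append(dict(base, rule="console-login-without-mfa"))
        if (rec.get("eventSource") == "iam.amazonaws.com"
                and rec.get("eventName") in IAM_CHANGE_EVENTS):
            findings.append(dict(base, rule="iam-permission-change",
                                 detail=rec.get("requestParameters")))
    return findings


if __name__ == "__main__":
    for f in run_detections(load_records(SAMPLE_LOG)):
        print(f["time"], f["rule"], f["user"], f["event"], f.get("detail", ""))
```

The SNS notification per delivered file is the natural trigger for this kind of script: the subscriber fetches the new object from S3, feeds it to load_records_from_file and raises on any finding. Note that the root login with MFAUsed "Yes" is still flagged, since root should not be used for day-to-day work at all.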