IAM User Groups – Security and Compliance – SOA-C02 Study Guide

IAM User Groups

You will often find that multiple IAM users have the same permissions. Instead of individually assigning each user specific permissions, you can create a user group, assign the appropriate permissions, and then assign users to the group.

When you’re creating group accounts, the Add Group Wizard prompts you to provide information about the new group account, including the following key group attributes:

Group name: The name should indicate the primary function of the group members, such as “S3 administrators.”

Add users to the group: You can add existing users to the group or add them later.

Permissions: Permissions allow you to determine what actions the group members can take.

IAM Roles

AWS services sometimes need to access AWS resources, much like a user does. But you can’t assign user account credentials to an AWS service. Instead, you use a role, which provides temporary permissions to an entity for as long as that entity has assumed the role.

For example, an EC2 instance may need to access an S3 bucket to store information. You can create a role and then assign the role to the EC2 instance.

When you create a role, the wizard first asks what type of trusted entity the role will be applied to, as shown in Figure 9.2.

FIGURE 9.2 Selecting the type of trusted entity

Note that the trusted entity is not limited to AWS services. User accounts, including AWS accounts and accounts from other sources (Web identities or SAML accounts), can also assume an AWS role.

IAM Policies

IAM permissions are associated with policies, and policies are applied to user accounts, group accounts, or roles. AWS provides hundreds of premade (managed) policies, but you can also create your own custom policies.

ExamAlert

You should know how to view a policy and answer questions regarding what the policy permits.

When you click the Policies link on the IAM home page, you can see a list of the premade policies. Each policy is defined as a JSON object. For example, Figure 9.3 shows the JSON object for the AmazonS3ReadOnlyAccess policy.

FIGURE 9.3 AmazonS3ReadOnlyAccess policy

There are several components in a policy that you should be aware of, including

Version: This component is the version of the policy definition, not of your specific policy. The value associated with the version (in this case, 2012-10-17) is the date of the most recent policy definition, and you should not change this value.

Statement: This component is used to define a rule. A rule is used to allow or deny access to a resource or service. There can be multiple rules in a policy, so you may see multiple statements in a policy.

Action: This component describes the AWS service and the level of access. For example, “S3:Get” means “get information from S3 buckets,” and “S3:List” means “list the available S3 buckets.” There are five access levels for permissions: List, Read, Permissions Management, Write, and Tagging. A value of * covers every action at all five levels; for example, “S3:*” grants every S3 action.

Resource: This component is used to apply the rule to a specific resource—for example, arn:aws:s3:::examplebucket/test/results.doc. Wildcards can also be used here, such as arn:aws:s3:::examplebucket/*.
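To practice reading a policy the way the ExamAlert asks, the following added example (not from the study guide or from AWS) evaluates a constructed policy modelled on the shape of AmazonS3ReadOnlyAccess against individual requests. It applies the three rules a reader should keep in mind: a request is implicitly denied unless some statement allows it, an explicit Deny always wins, and the * and ? wildcards in Action and Resource are pattern matches (here approximated with fnmatch; the policy, bucket name and paths are assumptions).

```python
import fnmatch
import json

# Constructed sample policy: one Allow statement for read/list actions on every
# S3 resource, plus an explicit Deny on one key prefix added for illustration.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::examplebucket/secret/*"}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    # Action names are matched case-insensitively; resource ARNs are not.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one request against one identity policy.

    Default is implicit Deny; an Allow statement flips it; an explicit Deny
    statement that matches the request overrides everything else."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action, True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource, False)
                           for r in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits the evaluation
        decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::examplebucket/test/results.doc"
    print("GetObject on test/:", evaluate(POLICY, "s3:GetObject", obj))
    print("PutObject on test/:", evaluate(POLICY, "s3:PutObject", obj))
```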

If you want to apply a policy to an entity, you can click the Policy Usage tab. This tab displays which entities have the policy attached and allows you to detach or attach this policy to an entity.