AWS IAM: Identity & Access Management
IAM is the part of AWS that controls who can do what. Every API call, every console click, and every request a service makes is checked against IAM before it is allowed to proceed.

The 4 building blocks

IAM is built from four pieces. Understanding what each one is for makes the rest of the service easy to reason about.

Block    What it is                      Used for
User     Long-lived credentials          Humans
Group    A bundle of users               Sharing permissions
Role     A temporary, assumed identity   Services, federated users, cross-account access
Policy   JSON rules                      Attached to a user, group, role, or resource

Mental model

Principal (user/role) ──has──> Policy ──grants──> Permissions on resources

It helps to keep these one-line definitions in mind:...
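As an added example (not code from the original page), the mental model above expressed as a small evaluator: a constructed set of users, groups, roles and IAM-style JSON policy documents, a function that resolves which policies a principal has, and a function that decides whether those policies grant an action on a resource. The policy names, principals and ARNs are made up; only identity-based policies with Action and Resource are modelled, so Condition, NotAction and resource policies are left out.

```python
import fnmatch

# Constructed sample data (not a real account) modelling the four building
# blocks: users, groups, roles and IAM-style JSON policy documents.
POLICIES = {
    "S3ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket*"}]},
    "S3Admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "DenyProdDelete": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:Delete*",
         "Resource": "arn:aws:s3:::prod-*"}]},
}
GROUPS = {"developers": ["S3ReadOnly"]}            # group -> policy names
USERS = {                                          # user -> groups + policies
    "alice": {"groups": ["developers"], "policies": []},
    "bob": {"groups": [], "policies": ["S3Admin", "DenyProdDelete"]},
}
ROLES = {"ci-role": {"policies": ["S3ReadOnly"]}}  # assumed by a service

def policies_for(principal):
    """Every policy a user (directly or via its groups) or a role has attached."""
    entity = USERS.get(principal) or ROLES[principal]  # KeyError if unknown
    names = list(entity["policies"])
    for group in entity.get("groups", []):
        names += GROUPS[group]
    return [POLICIES[n] for n in names]

def _matches(pattern, value, case_sensitive):
    """IAM-style '*' / '?' wildcard match; action names compare case-insensitively."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(principal, action, resource):
    """Identity-policy evaluation only (no Condition, NotAction or resource
    policies): default deny, and any explicit Deny overrides every Allow."""
    allowed = False
    for doc in policies_for(principal):
        for stmt in doc["Statement"]:
            if (_matches(stmt["Action"], action, False)
                    and _matches(stmt["Resource"], resource, True)):
                if stmt["Effect"] == "Deny":
                    return False      # explicit deny wins regardless of order
                allowed = True        # remember the allow, keep scanning for denies
    return allowed
```

Calling is_allowed("bob", "s3:DeleteObject", "arn:aws:s3:::prod-bucket/data") returns False even though S3Admin allows s3:*, because the attached Deny statement also matches.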