Difference between revisions of "AWS Solutions Architect/training/Section 3: Identity Management and Permissions"
Revision as of 19:22, 7 February 2024
17. Introduction
18. How IAM Works
19. Overview of Users, Groups, Roles and Policies
20. IAM Authentication Methods
21. AWS Security Token Service (STS)
22. Multi-Factor Authentication (MFA)
23. [HOL] Setup Multi-Factor Authentication (MFA)
24. Identity-Based Policies and Resource-Based Policies
25. Access Control Methods - RBAC & ABAC
Users are assigned permissions through policies attached to groups. AWS provides managed policies for job functions, designed to align closely with common job functions in the IT industry.
Groups are organized by job function.
Best practice is to grant the minimum permissions required to perform the job (principle of least privilege).
Attribute-Based Access Control (ABAC) can be based on a tag, for example tag key "Department" with tag value "DBAdmins". Tags can be applied to both principals (people) and resources, so a policy condition can compare the two.
26. Permissions Boundaries
A permissions boundary is a policy that caps the maximum permissions an identity can have, limiting whatever is otherwise granted via groups, roles or directly attached policies.
27. IAM Policy Evaluation
Evaluation logic starts from an implicit 'Deny'; an explicit Deny in any applicable policy wins, and an Allow is only effective if it is not cut off by a permissions boundary. There is a flow diagram (https://docs.aws.amazon.com/images/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png) in the AWS IAM User Guide policy evaluation logic docs (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html).
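The three notes above (ABAC tag matching, a permissions boundary, and deny-first evaluation) as one worked example. This is added illustration code, not from the course or from AWS: the policy documents, the ARN and the request context are constructed, and the evaluator is a deliberately simplified model of the IAM order (explicit Deny, then boundary, then identity Allow) that ignores SCPs, resource-based and session policies.

```python
import fnmatch

# Constructed sample policies (not from the course). Tag key "Department" and
# value "DBAdmins" follow the ABAC example in the notes above.
ABAC_POLICY = {"Statement": [{"Effect": "Allow", "Action": "rds:*", "Resource": "*",
    "Condition": {"StringEquals": {
        "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}}]}
GROUP_EC2 = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
DENY_DELETE = {"Statement": [{"Effect": "Deny", "Action": "rds:DeleteDBInstance",
                              "Resource": "*"}]}
# Permissions boundary: caps what the identity policies above can grant.
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": ["rds:*", "s3:Get*"],
                           "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, ctx):
    """True when the statement's Action, Resource and StringEquals conditions all hit."""
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if want.startswith("${") and want.endswith("}"):   # policy variable
            want = ctx.get(want[2:-1])                       # e.g. aws:PrincipalTag/Department
        if want is None or ctx.get(key) != want:
            return False
    return True

def _effect(policy, action, resource, ctx):
    effects = {s["Effect"] for s in policy["Statement"]
               if _matches(s, action, resource, ctx)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def evaluate(identity_policies, boundary, action, resource, ctx):
    """Simplified IAM order: explicit Deny, then the boundary, then an identity Allow;
    anything else is the implicit deny that evaluation starts from."""
    effects = [_effect(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in effects:
        return "Deny (explicit)"
    if boundary is not None and _effect(boundary, action, resource, ctx) != "Allow":
        return "Deny (outside permissions boundary)"
    if "Allow" in effects:
        return "Allow"
    return "Deny (implicit)"
```

Calling `evaluate([ABAC_POLICY, GROUP_EC2, DENY_DELETE], BOUNDARY, ...)` with a DBAdmins principal against a DBAdmins-tagged RDS resource allows `rds:DescribeDBInstances`, refuses `rds:DeleteDBInstance` on the explicit deny, refuses `ec2:RunInstances` because the boundary never grants EC2 even though the group policy does, and falls to the implicit deny when the principal's Department tag does not match the resource's.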
28. IAM Policy Structure
29. [HOL] Using Role-Based Access Control (RBAC)
30. [HOL] Using Attribute-Based Access Control (ABAC)
31. [HOL] Apply Permissions Boundary
32. Use Cases for IAM Roles
33. [HOL] Cross-Account Access to S3
34. Access Keys and IAM Roles with EC2
35. [HOL] Amazon EC2 Instance Profile
36. AWS IAM Best Practices