25. Access Control Methods - RBAC & ABAC
Role-Based Access Control (RBAC) in IAM: users are placed in groups organized by job function, and permissions are granted through the policies attached to those groups. AWS provides managed policies for job functions (for example DatabaseAdministrator and SecurityAudit) that are designed to align with common job functions in the IT industry.
Best practice is to grant only the minimum permissions required to perform the job (principle of least privilege).
Attribute-Based Access Control (ABAC) grants access based on tags rather than on group membership, for example "Tag Key" Department with "Tag Value" DBAdmins. Tags can be applied both to principals (users and roles) and to resources, so a single policy condition can compare the two (aws:PrincipalTag/Department against aws:ResourceTag/Department) and allow access only when they match. A new team or resource then needs a new tag, not a new policy.
26. Permissions Boundaries

A permissions boundary is a managed policy attached to a user or role that sets the maximum permissions that identity can have. The boundary never grants anything by itself: the effective permissions are the intersection of the boundary and the permissions otherwise granted via groups, roles or policies attached directly to the identity. It is typically used so that delegated administrators can create users and roles without being able to grant more than the boundary allows.
27. IAM Policy Evaluation

Evaluation starts from an implicit deny: a request is refused unless some applicable policy allows it. An explicit Deny in any applicable policy overrides every Allow. An Allow from an identity-based policy only takes effect if the permissions boundary (when one is attached), any SCP and any session policy also allow the action. There is a [https://docs.aws.amazon.com/images/IAM/latest/UserGuide/images/PolicyEvaluationHorizontal111621.png flow diagram] in the [https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html AWS IAM User Guide policy evaluation logic docs].
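The three notes above (ABAC tag matching, the permissions boundary as an intersection, and explicit-deny-wins evaluation) can be checked with a small simulator. The following Python is an added example written for these notes, not AWS code; it approximates the documented logic under the assumptions stated in its docstring (policies are plain dicts in the documented JSON shape, only the StringEquals operator is modelled, and resource-based policies, SCPs and session policies are left out). The policies, the tags and the account id 123456789012 are constructed sample input.

```python
"""Simplified model of AWS IAM policy evaluation (added illustration, not AWS code).

Modelled:
  * ABAC: a Condition comparing aws:ResourceTag/<key> with the policy
    variable ${aws:PrincipalTag/<key>};
  * permissions boundary: effective permissions = identity policies AND boundary;
  * order: implicit deny by default, explicit Deny anywhere wins, an Allow only
    counts when the boundary (if any) also allows.
Assumptions: dict policies in the documented JSON shape, StringEquals only,
no NotAction/NotResource, no resource-based policies, SCPs or session policies.
"""
import fnmatch
import re


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, ctx):
    # Resolve policy variables such as ${aws:PrincipalTag/Department} from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), ""), value)


def _condition_holds(cond, ctx):
    for operator, pairs in cond.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)  # assumption: only StringEquals is modelled
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:  # missing key: condition is false (no ...IfExists modelled)
                return False
            if not any(_substitute(e, ctx) == actual for e in _as_list(expected)):
                return False
    return True


def _statement_applies(stmt, action, resource, ctx):
    # Actions are case-insensitive; resource ARNs are case-sensitive. '*' and '?' are wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    if not any(fnmatch.fnmatchcase(action.lower(), a) for a in actions):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), ctx)


def _decision(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    verdict = None
    for stmt in _as_list(policy["Statement"]):
        if _statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, ctx, identity_policies, boundary=None):
    decisions = [_decision(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in decisions:
        return False  # explicit deny always wins
    if boundary is not None and _decision(boundary, action, resource, ctx) != "Allow":
        return False  # boundary silent or denying: the Allow is cut off
    return "Allow" in decisions  # nothing allowed it: implicit deny


# Constructed sample policies (the account id is the AWS documentation placeholder).
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["rds:DescribeDBInstances", "rds:RebootDBInstance"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"}},
}]}
BOUNDARY_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "rds:Describe*", "Resource": "*"}]}
DENY_REBOOT_PROD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "rds:RebootDBInstance",
     "Resource": "arn:aws:rds:us-east-1:123456789012:db:prod-*"}]}

PROD_DB = "arn:aws:rds:us-east-1:123456789012:db:prod-orders"
DEV_DB = "arn:aws:rds:us-east-1:123456789012:db:dev-orders"
DBA_ON_DBA_RESOURCE = {"aws:PrincipalTag/Department": "DBAdmins", "aws:ResourceTag/Department": "DBAdmins"}
DBA_ON_FINANCE_RESOURCE = {"aws:PrincipalTag/Department": "DBAdmins", "aws:ResourceTag/Department": "Finance"}


if __name__ == "__main__":
    print("same-dept describe:", is_allowed("rds:DescribeDBInstances", PROD_DB, DBA_ON_DBA_RESOURCE, [ABAC_POLICY]))
    print("cross-dept describe:", is_allowed("rds:DescribeDBInstances", PROD_DB, DBA_ON_FINANCE_RESOURCE, [ABAC_POLICY]))
    print("reboot under read-only boundary:",
          is_allowed("rds:RebootDBInstance", DEV_DB, DBA_ON_DBA_RESOURCE, [ABAC_POLICY], BOUNDARY_READ_ONLY))
    print("reboot prod with explicit deny:",
          is_allowed("rds:RebootDBInstance", PROD_DB, DBA_ON_DBA_RESOURCE, [ABAC_POLICY, DENY_REBOOT_PROD]))
```

Running the script shows the four cases in order: the ABAC allow when principal and resource tags agree, the implicit deny when they differ, the boundary cutting off an action the identity policy allows, and the explicit deny winning over the ABAC allow. The real engine also considers resource-based policies, SCPs and session policies, which this model omits.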
28. IAM Policy Structure
36. AWS IAM Best Practices
 
[[Category:AWS]]