IAM

  • IAM Roles

    • Using IAM Role for EC2, ASG is more secure than providing access via IAM user

    • ECS tasks can also be assigned IAM roles, just like EC2 instances

    • If you want an EC2 instance to access other AWS services (e.g. S3), use an IAM role

    • Cross Account access:

      • your developers/Ops want to access particular resources in 2 or more different AWS accounts (PROD, TEST)

      • temporary access to resources in a second account (use with STS)

    • custom identity broker

      • if your on-prem LDAP is not compatible with SAML and you want users to authenticate to AWS with LDAP, use a custom identity broker

    • You cannot attach an IAM role to on-prem instances; use IAM credentials

  • IAM Best Practices

    • Lock away your AWS account root user access keys

    • Create individual IAM users

    • Enable MFA

    • Use user groups

    • Grant least privilege

    • Use roles for applications that run on Amazon EC2 instances

    • Use roles to delegate permissions

https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
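
The cross-account pattern above (a role in the PROD account that users from a second account assume via STS) together with the MFA and least-privilege best practices, as an added Python example that is not part of these notes: it builds the role's trust policy and a read-only permissions policy, and includes a small check that flags trust policies a reviewer should reject. The account ID, ExternalId and bucket name are constructed placeholders.

```python
# Constructed placeholder values, not real accounts or buckets.
TRUSTED_ACCOUNT = "111111111111"        # TEST/dev account whose IAM users assume the role
TARGET_BUCKET = "example-prod-bucket"   # hypothetical bucket in the PROD account


def trust_policy(trusted_account: str, external_id: str, require_mfa: bool = True) -> dict:
    """Trust policy on the PROD role: only the trusted account, with ExternalId and MFA."""
    condition = {"StringEquals": {"sts:ExternalId": external_id}}
    if require_mfa:
        # The STS caller must have authenticated with MFA (best practice "Enable MFA").
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": condition,
        }],
    }


def permissions_policy(bucket: str) -> dict:
    """Least privilege: read-only access to one bucket, nothing else in PROD."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy_findings(policy: dict) -> list:
    """Return the trust-policy weaknesses a reviewer would reject (empty list = OK)."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trusts any AWS principal")
        cond = stmt.get("Condition", {})
        if "sts:ExternalId" not in cond.get("StringEquals", {}):
            findings.append("no ExternalId condition")
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("MFA not required")
    return findings
```

Attach the trust policy to the role in the PROD account and the permissions policy as its inline or managed policy; the IAM users in the trusted account then call sts:AssumeRole with the matching ExternalId after authenticating with MFA.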