IAM

  • Explicit deny policy always overrides explicit allow

  • IAM Roles

    • Using an IAM role for EC2 instances or Auto Scaling groups is more secure than granting access through an IAM user's credentials

    • ECS tasks can also be assigned IAM roles, just like EC2 instances

    • If an EC2 instance needs to access other AWS services (for example S3), use an IAM role

    • To share CloudTrail logs between AWS accounts, use IAM roles

    • Cross Account access:

      • your developers/Ops need to access particular resources in two or more different AWS accounts (e.g. PROD and TEST)

      • temporary access to resources in a second account (used together with STS)

    • custom identity broker

      • if your on-prem LDAP directory is not SAML-compatible and you want users to authenticate to AWS with LDAP, use a custom identity broker

    • You cannot attach an IAM role to on-prem instances; use IAM credentials instead

  • External ID

    • Used to give a third party access to your AWS resources (delegated access), for example to:

      • Monitor your AWS account and help optimize costs

      • Perform analytics, etc.

  • IAM Best Practices

    • IAM permissions boundaries help you restrict AWS IAM admin access and prevent privilege escalation or the bypassing of other security rules
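The two evaluation rules in these notes (an explicit deny always beats an explicit allow, and a permissions boundary caps what identity policies can grant) as a small Python simulator. This is added example code, not from AWS or the original notes; the policies and ARNs are constructed samples, and the evaluator covers only a simplified subset of IAM policy syntax (Effect/Action/Resource with wildcards, no conditions, resource policies or SCPs).

```python
from fnmatch import fnmatchcase

# Constructed sample policies (not real account data).
# The identity policy grants broad S3 access plus iam:CreateUser,
# but explicitly denies deleting buckets.
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": ["s3:*", "iam:CreateUser"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:DeleteBucket"], "Resource": "*"},
]
# The permissions boundary caps the user at S3 plus read-only EC2;
# iam:CreateUser is outside the boundary, so it can never take effect.
PERMISSIONS_BOUNDARY = [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
]

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r)
                    for r in _as_list(statement.get("Resource", "*"))))

def _decision(policy, action, resource):
    """Evaluate one policy: explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for st in policy:
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(action, resource, identity_policy, boundary=None):
    """Effective permission = identity Allow AND boundary Allow AND no explicit Deny."""
    identity = _decision(identity_policy, action, resource)
    if identity == "Deny":
        return False
    if boundary is not None and _decision(boundary, action, resource) != "Allow":
        return False
    return identity == "Allow"

if __name__ == "__main__":
    for act in ["s3:GetObject", "s3:DeleteBucket", "iam:CreateUser", "ec2:DescribeInstances"]:
        print(act, "->", is_allowed(act, "*", IDENTITY_POLICY, PERMISSIONS_BOUNDARY))
```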