AWS IAM
Users and Groups
- IAM: Identity and Access Management, a global service (not tied to a region)
- Root account: created by default; shouldn't be used for day-to-day work or shared
- Users: people within your organization; users can be grouped
  - users don't have to belong to a group
  - users can belong to multiple groups
- Groups: only contain users, not other groups
IAM permissions
- Users and groups can be assigned JSON documents called policies
- The policies define the permissions of the users
- Least privilege principle: don't give more permissions than a user needs
IAM policy (example; the comma that was missing after the "Principal" block has been added so the document is valid JSON)
{
  "Version": "2012-10-17",
  "Id": "ecs-tag-permissions",
  "Statement": [
    {
      "Sid": "AllowECSTagResource",
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::123456789:root"]
      },
      "Action": [
        "ecs:TagResource"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ecs:CreateAction": [
            "CreateCluster",
            "RegisterTaskDefinition"
          ]
        }
      }
    }
  ]
}
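To make the evaluation logic behind the policy above concrete, here is an added example (not from the notes and not AWS code) of a deliberately simplified policy evaluator: it applies IAM's default-deny model (explicit Deny wins, then a matching Allow, otherwise implicit deny), supports `*` wildcards in Action and Resource, and models only the `StringEquals` condition operator. It ignores the `Principal` element, which belongs to resource-based policies; identity-based policies attached to users and groups omit it. The request resource ARN and the condition values passed in are constructed for illustration.

```python
import fnmatch

# The policy from the notes above (with the comma after "Principal" in place).
POLICY = {
    "Version": "2012-10-17",
    "Id": "ecs-tag-permissions",
    "Statement": [{
        "Sid": "AllowECSTagResource",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::123456789:root"]},
        "Action": ["ecs:TagResource"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "ecs:CreateAction": ["CreateCluster", "RegisterTaskDefinition"]}},
    }],
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _condition_ok(condition, context):
    # Simplified: only StringEquals is modelled; every listed key must be
    # present in the request context and equal one of the allowed values.
    for operator, keys in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in keys.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True

def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" following IAM's default-deny model:
    an explicit Deny wins, then a matching Allow, otherwise implicit deny."""
    context = context or {}
    decision = "Deny"
    for stmt in policy["Statement"]:
        # Action and Resource support '*' wildcards; fnmatchcase handles those.
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

Run `evaluate(POLICY, "ecs:TagResource", "<cluster ARN>", {"ecs:CreateAction": "CreateCluster"})` to see the Allow, and drop or change the condition value to see the implicit deny that the Condition block enforces.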