Overview of access management: Permissions and policies
Policies & Accounts
When a single AWS account is managed, permissions are straightforward to define through policies. Managing permissions across multiple accounts is considerably harder: cross-account access may require IAM roles, resource-based policies, or Access Control Lists (ACLs). For multiple accounts it is recommended to use the AWS Organizations service to manage permissions across them.
Policies & Users
IAM users are the identities in the service. Once created, a user cannot access anything until permissions are granted through an identity-based policy attached to the user, or to a group the user belongs to. Any action or resource that is not explicitly permitted is denied by default.
Policies & Groups
Another approach is to organize IAM users into IAM groups and attach policies to the group. Each user keeps their own credentials and also receives all the permissions attached to the group. A group can have several policies with different permissions attached; the effective permissions are computed from the combination of those policies. The basic rule for granting permissions for an action stays the same: an action is denied unless a policy permits it.
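The combination rule described above (deny by default, an explicit Deny overrides any Allow, otherwise an Allow is required) can be modelled in a few lines. The following is an added example, not code from the original post or from AWS: it gathers the identity-based policies of a user and of the groups the user belongs to and evaluates a request against them. Policy documents, bucket and group names are constructed for the example; conditions, NotAction/NotResource and the case-insensitivity rules of real IAM matching are not modelled.

```python
"""Evaluate a user's effective identity-based permissions (constructed example)."""
import fnmatch


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Order of precedence: any matching Deny wins; otherwise a matching Allow
    grants access; otherwise the request is denied by default.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"
            allowed = True
    return "allow" if allowed else "implicit_deny"


# Constructed policy documents (hypothetical bucket and group names).
DEVELOPERS_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-logs",
                  "arn:aws:s3:::example-app-logs/*"]}]}
DEVELOPERS_WRITE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-app-logs/*"}]}
# A guardrail policy: an explicit Deny that overrides any Allow elsewhere.
NO_DELETE_GUARDRAIL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}

GROUP_POLICIES = {
    "developers": [DEVELOPERS_READ, DEVELOPERS_WRITE],
    "all-staff": [NO_DELETE_GUARDRAIL],
}
USER_POLICIES = {
    "alice": [],          # alice has no inline/user policy of her own
    "newhire": [],        # newhire is in no group: denied everything
}
GROUP_MEMBERSHIP = {
    "alice": ["developers", "all-staff"],
    "newhire": [],
}


def effective_policies(user):
    """Union of the user's own policies and those of every group they are in."""
    policies = list(USER_POLICIES.get(user, []))
    for group in GROUP_MEMBERSHIP.get(user, []):
        policies.extend(GROUP_POLICIES[group])
    return policies


def decide(user, action, resource):
    """Decision for a request made by `user`."""
    return evaluate(effective_policies(user), action, resource)


if __name__ == "__main__":
    log = "arn:aws:s3:::example-app-logs/2024/app.log"
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject",
                   "ec2:StartInstances"):
        print(f"alice   {action:<18} -> {decide('alice', action, log)}")
    print(f"newhire s3:GetObject       -> {decide('newhire', 's3:GetObject', log)}")
```

Running it shows the three outcomes side by side: reads and writes are allowed through the developers group, the delete is an explicit deny from the guardrail group even though nothing allows it anyway, an unrelated EC2 action is an implicit deny, and a user in no group is denied everything.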
Federated Users & Roles
Federated users do not have the permanent identity that an IAM user has, so an entity must be created to hold the permissions assigned to them. That entity is a role, and the permissions are defined on the role. A federated user is linked to the role and receives the permissions defined for it.
Identity-based & Resource-based Policies
As the name suggests, identity-based policies are permission policies attached to an IAM identity (an IAM user, group, or role); they control which actions the identity can perform, on which resources, and under which conditions. Resource-based policies are permission policies attached to a resource, such as an Amazon S3 bucket or an IAM role trust policy; they control which actions a specified principal can perform on that resource under certain conditions.
However, the IAM service itself supports only one kind of resource-based policy: the role trust policy, which is attached to an IAM role. An IAM role therefore carries both an identity-based policy and a trust policy; it is the one IAM entity that is both an identity and a resource that supports resource-based policies.
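The practical difference between the two policy types attached to a role is visible in the documents themselves: the trust policy (resource-based) names a Principal and allows sts:AssumeRole, while the permissions policy (identity-based) has no Principal because the identity it is attached to is implied. The following is an added example, not code from the original post or from AWS: it builds both documents for a hypothetical role, classifies each by structure, and checks that they have not been swapped. Account id, role, user and bucket names are placeholders; Principal "*" wildcards and Condition blocks are not modelled.

```python
"""The two policies an IAM role carries: trust (resource-based) and permissions (identity-based)."""
import json

ACCOUNT_ID = "111122223333"          # placeholder account id
ROLE_NAME = "ExampleLogReader"       # hypothetical role name
ALLOWED_USER = f"arn:aws:iam::{ACCOUNT_ID}:user/alice"   # hypothetical IAM user

# Resource-based: attached to the role, says WHO may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ALLOWED_USER},
        "Action": "sts:AssumeRole",
    }],
}

# Identity-based: attached to the same role, says WHAT the role may do.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-logs",
                     "arn:aws:s3:::example-app-logs/*"],
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_kind(doc):
    """Classify a document: statements naming a Principal are resource-based."""
    if any("Principal" in s for s in _as_list(doc["Statement"])):
        return "resource-based"
    return "identity-based"


def can_assume(trust_policy, principal_arn):
    """True if an Allow statement for sts:AssumeRole names this principal (exact match)."""
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if principal_arn in principals:
            return True
    return False


def validate_role(trust_policy, permissions_policy):
    """Return a list of problems; an empty list means the pair is well-formed."""
    problems = []
    if policy_kind(trust_policy) != "resource-based":
        problems.append("trust policy has no Principal: nobody could assume the role")
    if policy_kind(permissions_policy) != "identity-based":
        problems.append("permissions policy names a Principal: it is not an identity-based policy")
    actions = [a for s in _as_list(trust_policy["Statement"])
               for a in _as_list(s.get("Action", []))]
    if "sts:AssumeRole" not in actions:
        problems.append("trust policy does not allow sts:AssumeRole")
    return problems


if __name__ == "__main__":
    print("trust policy      :", policy_kind(TRUST_POLICY))
    print("permissions policy:", policy_kind(PERMISSIONS_POLICY))
    print("alice may assume  :", can_assume(TRUST_POLICY, ALLOWED_USER))
    print("problems          :", validate_role(TRUST_POLICY, PERMISSIONS_POLICY))
    # Swapping the two documents is a common mistake; the checker reports it.
    print("swapped           :", validate_role(PERMISSIONS_POLICY, TRUST_POLICY))
    print(json.dumps(TRUST_POLICY, indent=2))
```

The two documents would be passed to IAM separately (the trust policy when the role is created, the permissions policy when it is attached), which is why a structural check like `validate_role` is useful before deployment: a trust policy without a Principal leaves the role unusable, and a permissions policy with one is rejected as an identity-based policy.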