aws

Services that work with IAM

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html#all_svcs

An IAM user is an identity within your AWS account that has specific permissions for a single person or application. Where possible, we recommend relying on temporary credentials instead of creating IAM users who have long-term credentials such as passwords and access keys. However, if you have specific use cases that require long-term credentials with IAM users, we recommend that you rotate access keys. For more information, see Rotate access keys regularly for use cases that require long-term credentials in the IAM User Guide.

An IAM group is an identity that specifies a collection of IAM users. You can’t sign in as a group. You can use groups to specify permissions for multiple users at a time. Groups make permissions easier to manage for large sets of users. For example, you could have a group named IAMAdmins and give that group permissions to administer IAM resources.

Users are different from roles. A user is uniquely associated with one person or application, but a role is intended to be assumable by anyone who needs it. Users have permanent long-term credentials, but roles provide temporary credentials. To learn more, see Use cases for IAM users in the IAM User Guide.

Amazon Resource Names (ARNs)

  • Amazon Resource Names (ARNs) uniquely identify AWS resources.

IAM ARNs

Most resources have a friendly name, for example a user named Bob or a user group named Developers. However, the permissions policy language requires you to specify the resource or resources using the following Amazon Resource Name (ARN) format:

arn:`partition`:`service`:`region`:`account`:`resource`

Where:

  • partition identifies the partition for the resource. For standard AWS Regions, the partition is aws. If you have resources in other partitions, the partition is aws-`partitionname`. For example, the partition for resources in the China (Beijing) Region is aws-cn. You cannot delegate access between accounts in different partitions.
  • service identifies the AWS product. IAM resources always use iam.
  • region identifies the Region of the resource. For IAM resources, this is always kept blank.
  • account specifies the AWS account ID with no hyphens.
  • resource identifies the specific resource by name.

Example: running aws iam list-roles (which lists the roles in the account you are signed in to) returns ARNs such as "Arn": "arn:aws:iam::761018890440:role/service-role/AWSGlueServiceRole"; here role/service-role/AWSGlueServiceRole is the resource the ARN points to. Likewise, aws iam list-users returns ARNs such as "Arn": "arn:aws:iam::761018890440:user/datvt", where user/datvt is the resource the ARN points to.
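The following parser, written for these notes (it is not AWS code), splits an ARN into the five fields described above and applies the IAM-specific rules: service must be iam, region must be blank, and the account ID must be 12 digits with no hyphens. It uses the two ARNs from the list-roles and list-users output above as its inputs; the function and class names are my own.

```python
# Parse an ARN into its five fields and apply the IAM-specific rules from the notes:
# service "iam", region blank, 12-digit account ID with no hyphens.
import re
from dataclasses import dataclass

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")


@dataclass(frozen=True)
class Arn:
    partition: str
    service: str
    region: str
    account: str
    resource: str

    @property
    def resource_type(self) -> str:
        # IAM resources are "<type>/<path and name>", e.g. "user/datvt" -> "user".
        return self.resource.split("/", 1)[0]

    @property
    def resource_name(self) -> str:
        # Last path element: "role/service-role/AWSGlueServiceRole" -> "AWSGlueServiceRole".
        return self.resource.rsplit("/", 1)[-1]


def parse_arn(arn: str) -> Arn:
    # Limit to 5 splits: the resource field of some services contains colons.
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    _, partition, service, region, account, resource = parts
    if not (partition == "aws" or partition.startswith("aws-")):
        raise ValueError(f"unexpected partition {partition!r}")
    if not resource:
        raise ValueError("empty resource field")
    return Arn(partition, service, region, account, resource)


def parse_iam_arn(arn: str) -> Arn:
    # Reject ARNs that break the IAM rules before trusting them in a policy.
    parsed = parse_arn(arn)
    if parsed.service != "iam":
        raise ValueError(f"not an IAM ARN (service={parsed.service!r})")
    if parsed.region != "":
        raise ValueError("IAM ARNs keep the region blank")
    if not ACCOUNT_ID_RE.match(parsed.account):
        raise ValueError(f"account must be 12 digits, no hyphens: {parsed.account!r}")
    return parsed
```

parse_iam_arn("arn:aws:iam::761018890440:user/datvt") returns an Arn whose resource_type is "user" and resource_name is "datvt"; an ARN with a region filled in or a hyphenated account ID raises ValueError.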