AWS Certified Cloud Practitioner CLF-C01 IAM

IAM

Identity and Access Management. Global Service.
Root account created by default, shouldn't be used or shared.
Users are people within your organization, and can be grouped.
Groups only contain users, not other groups.
Users don't have to belong to a group, and user can belong to multiple groups.

IAM: Permissions

Users or Groups can be assigned JSON documents called policies. These policies define the permissions of the users. In AWS you apply the least privilege principle.
그룹에 속하지 않는 user는 inline policy의 정책을 따른다.

IAM Policies Structure

version : 언제 만들어졌는지
id : policy identifier. (optional)
statement :

• sid(optional)
• effect: 해당 statement를 allow 할지 deny 할지
• principal: 해당 statement가 적용되는 주체
• action : allow 또는 deny 될 list of API calls
• resource : list of resources to which the actions applied to
• condition : 언제 적용될지 (optional)

IAM Password Policy

minimum length를 설정하고, 대문자 사용 필수 등의 specific한 character types를 정하고, 비밀번호 수정 권한을주고, 일정 시간이 지나면 비밀번호를 바꿔야 하는 등의 다양한 정책을 가질 수 있다.
그외에 MFA (Multi Factor Authentication)을 두어 더 강력한 보안을 이룰 수 있다.
MFA = Password you know + security device you own (which has MFA token).

• Virtual MFA device : Google Authenticator(phone only), Authy(multi-device)...
• Universal 2nd Factor(U2F) Security Key : YubiKey by Yubico...
• Hardware Key Fob MFA Device by Gemalto
• Hardware Key Fob MFA Device for AWS GovCloud (US Only)