IDENTITY AND ACCESS MANAGEMENT - Coggle Diagram
COMPONENTS
Users
Groups
IAM Policy
Roles
MFA
Identity Federation
API Keys
USER ACCOUNT
IAM user represents one person or one application/service
Assigned credentials
Access key ID + secret access key (programmatic access)
Console password
New IAM user has no permissions by default (implicit deny)
Root user is the most privileged identity in the account
Best practice
Do not use the root user for day-to-day work
Create an IAM user and assign permissions through policies
Add multi-factor authentication (MFA)
Default quota: 5,000 IAM users per account
Each user has an ARN that uniquely identifies it across AWS
Enforce an account password policy
IAM GROUP
Collection of IAM users
A group is not an identity (cannot be named as a principal in a policy)
Attach permissions to the group; member users inherit them
Apply least privilege
Groups cannot be nested
ROLE
Assumed by trusted entities (defined in the role's trust policy); used for delegation
Delegates permissions to users and services without sharing long-term credentials
IAM users, AWS services or federated identities assume the role
and receive temporary security credentials (issued by STS) for API calls
IAM POLICY
Grant permissions to users, groups and roles
JSON documents
All requests are implicitly denied by default
An explicit Deny overrides any Allow
Test and validate with the IAM policy simulator
Condition element adds logic (e.g. source IP, MFA present, tags)
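The three evaluation rules above (implicit deny, explicit Deny wins, Condition gating an Allow) are easiest to see in code. The evaluator below is an example added to this page, not AWS's own engine: it handles Action/Resource wildcards and the StringEquals, Bool and IpAddress condition operators, ignores NotAction/NotResource/Principal, and the sample policy and request contexts are constructed for illustration.

```python
"""Simplified IAM policy evaluator (example added to this page; not AWS's engine).

Implements the evaluation rules the mind map lists:
  * every request is implicitly denied,
  * an explicit Deny always wins over any Allow,
  * Action (case-insensitive) and Resource (case-sensitive) accept '*' and '?',
  * Condition supports StringEquals, Bool and IpAddress.
Assumptions: policies are plain dicts in IAM's JSON shape; NotAction, NotResource
and Principal are not handled; the sample policy and request contexts below are
constructed for illustration.
"""
import fnmatch
import ipaddress

# Constructed sample: read-only access to one bucket from the office CIDR,
# plus an explicit Deny on every delete action regardless of source.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
        {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM lets most elements be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are matched case-insensitively, with wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    """ARNs are case-sensitive; '*' still matches any run of characters."""
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """All operators and all keys must match (AND); values listed for one key are OR'd.
    A key missing from the request context makes the condition false."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            values = _as_list(expected)
            if operator == "StringEquals":
                ok = actual in values
            elif operator == "Bool":
                ok = str(actual).lower() in [str(v).lower() for v in values]
            elif operator == "IpAddress":
                ip = ipaddress.ip_address(actual)
                ok = any(ip in ipaddress.ip_network(c, strict=False) for c in values)
            else:
                raise NotImplementedError(f"condition operator {operator} not modelled")
            if not ok:
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything else
        allowed = True             # keep scanning: a later Deny could still win
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    office = {"aws:SourceIp": "203.0.113.7"}
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj, office))
    print(evaluate(SAMPLE_POLICY, "s3:GetObject", obj, {"aws:SourceIp": "198.51.100.9"}))
    print(evaluate(SAMPLE_POLICY, "s3:DeleteObject", obj, office))
```

The evaluator never returns Allow from inside the loop: it records that an Allow matched and keeps scanning, because a later statement may carry an explicit Deny. A request that matches no statement, or only an Allow whose Condition fails, falls through to ImplicitDeny.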
AUTHENTICATION
METHODS
Access key
Access key ID + secret access key
Users can view, modify and rotate their own keys if an IAM policy allows it
Access keys can be made inactive (disabled) without deleting them
Console password
Used to log on to the AWS Management Console
Account password policy can allow users to change their own password
Or allow only selected IAM users to change it
Disable for all, then enable for some via IAM policy
X.509 signing certificate
Legacy credential used to sign SOAP API requests
Server certificate (SSL/TLS)
Normally managed by AWS Certificate Manager (ACM)
Upload to IAM only when you must support HTTPS in a region ACM does not support
BEST PRACTICES
Lock away root user credentials
Create individual IAM user accounts
Use AWS managed policies where they fit
Use groups to assign permissions to IAM users
Grant least privilege
Use access levels (List, Read, Write, Permissions management) to review IAM permissions
Configure a strong password policy
Require MFA for all privileged users
Use roles for applications running on EC2 instances
Delegate with roles instead of sharing credentials
Rotate credentials regularly
Remove unnecessary credentials
Use policy conditions for extra security
Monitor account activity (e.g. CloudTrail)
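"Rotate credentials regularly" and "Remove unnecessary credentials" are checked in practice against the IAM credential report. The script below is an example added to this page, not an AWS tool: it parses a credential report in the CSV layout that `aws iam get-credential-report` returns after base64-decoding (a subset of the real columns), with a fixed "now" so the result is deterministic, and flags root access keys, missing MFA, unrotated keys, and keys or passwords not used for 90 days. The rows are constructed, not real account data.

```python
"""Audit an IAM credential report for stale or risky credentials.
Example added to this page, not an AWS tool. Assumes the CSV layout of
`aws iam get-credential-report` (subset of columns); sample rows are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample; column names follow the real credential report.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T12:00:00+00:00,not_supported,not_supported,false,true,2020-01-10T09:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-03-01T10:00:00+00:00,true,2024-05-20T08:00:00+00:00,2024-04-01T10:00:00+00:00,2024-06-30T10:00:00+00:00,true,true,2024-04-01T10:00:00+00:00,2024-05-20T08:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2021-06-15T10:00:00+00:00,true,2023-01-05T08:00:00+00:00,2022-12-01T10:00:00+00:00,2023-03-01T10:00:00+00:00,false,true,2021-06-15T10:00:00+00:00,2023-02-01T08:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2023-09-01T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-09-01T10:00:00+00:00,N/A,false,N/A,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
MAX_KEY_AGE = timedelta(days=90)                 # rotation policy (assumption)
MAX_UNUSED = timedelta(days=90)                  # "unnecessary credential" threshold (assumption)


def _parse(ts):
    """Report timestamps are ISO-8601; 'N/A', 'no_information' and 'not_supported' mean no date."""
    try:
        return datetime.fromisoformat(ts)
    except ValueError:
        return None


def audit(report_csv, now=NOW):
    """Return {user: [finding, ...]} for every row that violates the hygiene rules."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []
        if user == "<root_account>":
            # Root should have no access keys at all and must have MFA.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                issues.append("root has an active access key")
            if row["mfa_active"] != "true":
                issues.append("root has no MFA")
        elif row["password_enabled"] == "true":
            # Console users: MFA required, and a dormant password should be removed.
            if row["mfa_active"] != "true":
                issues.append("console user without MFA")
            last_login = _parse(row["password_last_used"])
            if last_login is None or now - last_login > MAX_UNUSED:
                issues.append(f"console password unused for {MAX_UNUSED.days}+ days")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                issues.append(f"access key {n} older than {MAX_KEY_AGE.days} days")
            used = _parse(row[f"access_key_{n}_last_used_date"])
            if used is None or now - used > MAX_UNUSED:
                issues.append(f"access key {n} unused for {MAX_UNUSED.days}+ days")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit(SAMPLE_REPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

On the sample data alice is clean, bob is flagged for missing MFA and for a password and key that have not been used or rotated within 90 days, deploy-bot (programmatic only, so no MFA finding) for an old and never-used key, and the root account for having an access key at all and no MFA. Against a live account, replace SAMPLE_REPORT with the decoded report and pass `now=datetime.now(timezone.utc)`.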
TOKEN SERVICE
Security Token Service (STS) issues temporary security credentials
Global service with a single global endpoint
Regional STS endpoints are also available and are active by default in all regions