IAM Cheat Sheet

Overview

  • The access control / permission management service for all AWS services

Concepts

  • Root user
    • The account owner, a user with god-like (unlimited) access to all resources in this account
  • IAM user
    • A user created by the root user (or by another user with permission to do so); its access can be limited by policies
  • Role
    • An IAM identity, like a user, but without permanent credentials
    • To act as this identity one must obtain a temporary token (temporary credentials via sts:AssumeRole), a process called “assuming a role”
    • Used mostly to grant permissions to AWS services so they can talk to each other
    • Can also be used to grant temporary access to third party entities (non-AWS users)
  • Policy
    • A set of rules that allows / denies access to certain AWS services
    • Can be attached to multiple users / roles

Assuming a Role

  • User creates a role (RoleA) and selects the service that is allowed to assume this role
  • User creates a resource in that service, e.g. launches an EC2 instance, an RDS cluster, etc., with RoleA as the linked role
    • The service implicitly checks whether the user has the iam:PassRole permission for RoleA
    • If the user has that permission, the resource is launched with RoleA information embedded
  • When the service needs the access provided by RoleA, it calls sts:AssumeRole to obtain a temporary token and uses that token to act on behalf of RoleA, thereby gaining all of RoleA's permissions

Important takeaways:

  • There is no iam:PassRole API call; it is a permission-only action, a contract that all AWS services obey
  • Any AWS service that attaches a role to a resource at creation time checks the user's iam:PassRole permission to see whether this user is allowed to attach the given role
  • This prevents a user from attaching a role with broader access than their own and thereby bypassing their own access limitations
  • sts:AssumeRole permission is usually open, so the service can assume any role it is attached to
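The two checks described in the "Assuming a Role" steps and in the takeaways above, modelled offline as an added example (this is not code from the cheat sheet or from AWS): a small evaluator over constructed policy documents shows (1) the iam:PassRole check the service makes on the caller, with an over-broad policy (PassRole on any role) beside a scoped one (PassRole only on RoleA, only when passed to EC2 via the iam:PassedToService condition key), and (2) the role's trust policy, which is what lets the service later call sts:AssumeRole on it. The account id, role names and policy documents are sample values; the evaluator handles only Allow/Deny with wildcard Action/Resource and StringEquals conditions, far less than real IAM evaluation.

```python
"""Added example: simplified offline model of PassRole + trust-policy checks.
All account ids, ARNs and policies below are constructed sample values."""
import fnmatch

ACCOUNT = "123456789012"                                  # constructed
ROLE_A = f"arn:aws:iam::{ACCOUNT}:role/RoleA"             # the role being passed
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AdminRole"     # a broader role (constructed)
EC2 = "ec2.amazonaws.com"

# Trust policy of RoleA: only the EC2 service principal may assume it.
ROLE_A_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": EC2},
        "Action": "sts:AssumeRole",
    }],
}

# Over-broad identity policy: the user may pass ANY role to a service.
WEAK_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    ],
}

# Least-privilege identity policy: PassRole only for RoleA, and only to EC2.
SCOPED_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": ROLE_A,
            "Condition": {"StringEquals": {"iam:PassedToService": EC2}},
        },
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy, action, resource, context=None):
    """Simplified identity-policy evaluation: an explicit Deny wins,
    otherwise any matching Allow grants. Wildcards use shell-style matching
    (IAM's real matching is case-insensitive; this model is not)."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r)
                   for r in _as_list(stmt.get("Resource", "*"))):
            continue
        # Only StringEquals conditions are modelled; every key must match.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if any(context.get(k) != v for k, v in cond.items()):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def service_may_assume(trust_policy, service_principal):
    """Trust-policy side of sts:AssumeRole: the role must name the service."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if service_principal in _as_list(stmt["Principal"].get("Service", [])):
            return True
    return False


def can_launch_with_role(user_policy, role_arn, trust_policy, service=EC2):
    """Model of the launch path: the caller needs ec2:RunInstances AND
    iam:PassRole on the specific role (checked with the service it is passed
    to), and the role's trust policy must allow that service to assume it."""
    caller_ok = (is_allowed(user_policy, "ec2:RunInstances", "*")
                 and is_allowed(user_policy, "iam:PassRole", role_arn,
                                {"iam:PassedToService": service}))
    return caller_ok and service_may_assume(trust_policy, service)


if __name__ == "__main__":
    print("scoped user, RoleA  :", can_launch_with_role(SCOPED_USER_POLICY, ROLE_A, ROLE_A_TRUST))
    print("scoped user, Admin  :", can_launch_with_role(SCOPED_USER_POLICY, ADMIN_ROLE, ROLE_A_TRUST))
    print("weak user, Admin    :", can_launch_with_role(WEAK_USER_POLICY, ADMIN_ROLE, ROLE_A_TRUST))
```

The third line of output is the takeaway in code: with `iam:PassRole` on `Resource: "*"`, a user whose own permissions are limited can hand a broader role to a service they control, which is exactly the bypass the PassRole check exists to prevent. Scoping the Resource to the intended role ARN and adding the `iam:PassedToService` condition closes that path while still letting the legitimate launch succeed.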