IAM

Policies inheritance

The policies can be inherited from group of policy and inline policy of individual

For applying policy into code, it is needed to include aws sdk and access token for the user
For logging in by aws cli, it is needed to use access token

Allow to manage multiple accounts
Enable to use cloud trail on all accounts
Secure Control Policies (SCP) can be applied to Organization unit or account to restrict user
The Policies will be inherited from upper level

Identity-based policies are associated with IAM identities, such as IAM users, IAM groups, or IAM roles.
They are the primary method for granting permissions to IAM users, groups, or roles within your AWS account.
Identity-based policies define what actions an identity can perform on AWS resources and under what conditions.

Resource-based policies are associated with AWS resources themselves, such as Amazon S3 buckets, AWS KMS keys, AWS Lambda functions, etc.
They allow you to define who (which IAM identities or AWS accounts) has access to the resource and what actions they can perform on it.
Resource-based policies grant permissions to other identities or accounts to access and interact with the specific resource.
These policies are created and managed within the service that owns the resource (e.g., S3, KMS, Lambda) and are attached directly to the resource itself.
Resource-based policies are a way to share access to resources with other AWS accounts or IAM entities without modifying their identity-based policies.

Microsoft Active Directory is a service that can centralize security management, create account, assign permission

Last updated 2 months ago

Was this helpful?