# IAM

## Policies inheritance

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FQKnhjx3Xq0em7ETL04uj%2Fimage.png?alt=media\&token=61c5c3b4-fe44-4033-b10f-1ebc44fecab8)

* A user's effective permissions combine the policies attached to the groups the user belongs to (inherited from the group) and the inline policies attached to the user individually

## Policy Structure

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FkrahGrIvPMhxnfPj2IAn%2Fimage.png?alt=media\&token=0c73f25b-6af5-4416-a552-05e87f23c312)

* Effect: Allow or Deny
* Principal: the user, account or role the statement applies to
* Resource: the resource(s) to which the statement's permission applies

## Access Token

* To apply a policy from code, the application needs the AWS SDK and the user's access token (access keys)
* To log in with the AWS CLI, the same access token is needed

## Organization

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FiNeUcjpkDwaa7YkX3JCX%2Fscreenshot-www.udemy.com-2023.09.01-19_36_10.png?alt=media\&token=7cec7701-b619-4033-b269-c96da40f4c25)

* Allows managing multiple accounts from one place
* Enables CloudTrail on all member accounts
* Service Control Policies (SCPs) can be applied to an Organizational Unit (OU) or an account to restrict what its users can do
* Policies are inherited from the upper level (root, then OU, then account)

## Identity-Based Vs Resource-Based Policies

### Identity-based

* Identity-based policies are associated with IAM identities, such as IAM users, IAM groups, or IAM roles.
* They are the primary method for granting permissions to IAM users, groups, or roles within your AWS account.
* Identity-based policies define what actions an identity can perform on AWS resources and under what conditions.

### Resource-based

* Resource-based policies are associated with AWS resources themselves, such as Amazon S3 buckets, AWS KMS keys, AWS Lambda functions, etc.
* They allow you to define who (which IAM identities or AWS accounts) has access to the resource and what actions they can perform on it.
* Resource-based policies grant permissions to other identities or accounts to access and interact with the specific resource.
* These policies are created and managed within the service that owns the resource (e.g., S3, KMS, Lambda) and are attached directly to the resource itself.
* Resource-based policies are a way to share access to resources with other AWS accounts or IAM entities without modifying their identity-based policies.
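The sections above (policy inheritance from group and inline policies, the Effect / Principal / Action / Resource structure, SCP restrictions from the Organization, and identity-based versus resource-based policies) all come together in how AWS evaluates a request. The following is an added example, not code from the original page or from AWS: a deliberately simplified evaluator over policy documents written as Python dicts that mirror the IAM JSON. Account IDs, user names, the `app-logs` bucket and all policy documents are constructed placeholders, and the evaluation order (SCP guardrail first, then any explicit deny, then same-account union or cross-account intersection of identity-based and resource-based allows) is a reduced model of the real engine, with no conditions, permission boundaries or session policies.

```python
import re

# --- constructed policy documents (placeholders, mirroring IAM JSON) ---
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"   # placeholder account ids

# Policy attached to the "developers" group: inherited by every member
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "s3:Delete*"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]}]}

# Inline policy on user alice: one extra Allow plus one explicit Deny
ALICE_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

# Resource-based policy attached to the bucket itself (bucket lives in account A);
# it names a Principal, which identity-based policies and SCPs never do
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT_A}:user/carol",
                           f"arn:aws:iam::{ACCOUNT_B}:root"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}

# SCPs inherited from the OU: the default allow-everything plus one guardrail
SCPS = [
    {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17", "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    """IAM-style matching: '*' matches any run of characters, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def _principal_matches(stmt, caller_arn):
    """Only resource-based statements carry a Principal; an account root ARN covers every identity in it."""
    if "Principal" not in stmt:
        return True
    allowed = ["*"] if stmt["Principal"] == "*" else _as_list(stmt["Principal"].get("AWS", []))
    caller_account = caller_arn.split(":")[4]
    return any(e in ("*", caller_arn, caller_account, f"arn:aws:iam::{caller_account}:root")
               for e in allowed)


def decide(policies, action, resource, caller_arn):
    """'Deny' if any matching statement denies, 'Allow' if one allows, None for an implicit deny."""
    outcome = None
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
                continue
            if not _principal_matches(stmt, caller_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"                   # an explicit deny always wins
            outcome = "Allow"
    return outcome


def is_authorized(caller_arn, action, resource, identity_policies,
                  resource_policy=None, scps=None, resource_account=ACCOUNT_A):
    """Reduced IAM model: SCP guardrail, then explicit deny, then allow rules by account."""
    if scps is not None and decide(scps, action, resource, caller_arn) != "Allow":
        return False                            # SCPs cap what a member account may ever do
    ident = decide(identity_policies, action, resource, caller_arn)
    res = decide([resource_policy] if resource_policy else [], action, resource, caller_arn)
    if "Deny" in (ident, res):
        return False
    caller_account = caller_arn.split(":")[4]
    if caller_account == resource_account:
        return "Allow" in (ident, res)          # same account: either policy type is enough
    return ident == "Allow" and res == "Allow"  # cross account: both sides must allow


if __name__ == "__main__":
    alice = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
    obj = "arn:aws:s3:::app-logs/report.txt"
    for action in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(action, is_authorized(alice, action, obj, [GROUP_POLICY, ALICE_INLINE], BUCKET_POLICY, SCPS))
```

Running it shows the inherited group allow granting `s3:GetObject`, the inline allow granting `s3:PutObject`, and the inline explicit deny overriding the group's `s3:Delete*` allow for `s3:DeleteObject`; `s3:DeleteBucket` is allowed by the group policy yet blocked by the SCP guardrail, while `carol` with no identity-based policy at all still reads objects because the bucket policy names her, and a user in account B needs both the bucket policy and an identity-based allow in their own account.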

## Identity Center

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FOxP4m2axJ9nhuBNoYvlC%2Fscreenshot-www.udemy.com-2023.09.01-19_48_27.png?alt=media\&token=374b3e99-6f78-40a2-b777-8b9833d68e59)

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2Fc7Wr8bhr87i0qXOL4BOP%2Fscreenshot-www.udemy.com-2023.09.01-19_50_34.png?alt=media\&token=2361716d-4c96-4de2-b5f1-45c75a2d397e)

* One login for all accounts
* Assign permission sets to users so they get a role / permissions in the accounts

## Directory Service

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FIDQh2yQh18NTAzlAKjHU%2Fscreenshot-www.udemy.com-2023.09.01-20_01_49.png?alt=media\&token=03b7d4a1-122a-40a5-ba67-0da5609dc571)

* AWS Directory Service provides a managed Microsoft Active Directory, which centralizes security management: creating accounts and assigning permissions

## Control Tower

![](https://1374779285-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFW3x2aqEO8GF2kr3VU%2Fuploads%2FVSNdxmfSjnRrAgvac1qZ%2Fscreenshot-www.udemy.com-2023.09.01-20_04_48.png?alt=media\&token=76140357-066d-469d-a95b-3c9fd54d0c97)

* An easy way to set up a secure and compliant multi-account AWS environment
* Uses AWS Organizations to create the accounts

