AWS IAM & Billing

This is part of a blog series giving a high level overview of the different services examined on the AWS Solution Architect Associate exam, to view the whole series click here.

IAM Summary

AWS Identity and Access Management (IAM) allows users/organisations to manage resources securely and set users access level.

IAM Logo

Key Features of IAM

• IAM is global (so region isn’t a factor)
• Gives you centralised control over your AWS account
• Granular Permissions (can set different permissions for different people/ different resources)
• Can enable identity federation
• Allows you to set up custom password policies (including rotation policies)
• New users have no permissions when first created
• Roles are more secure than sharing access and secret keys

IAM Terminology

Users → Individual users, e.g. employees

Groups → A collection of users. Groups allow you to define permissions for all the users within it.

Policies → Determine what a user, group or role can or cannot do. Policy Documents are in JSON format.

Roles → Allows one service to access another service.

ARN → Amazon Resource Name, uniquely identifies any resource in AWS

Root Account → Is the main account you first signed up to AWS with (You should put MFA onto your root account)

Power user access → Access to all AWS services except the management of groups and users within IAM

Billing Alerts → Amount that you set (e.g. $10) will be your budget and then it will send you an alert as soon as your AWS bill goes over that.

AWS Budgets → Lets you quickly create custom budgets that will automatically alert you when your cost exceeds entered amount.

AWS Resource Access Manager (RAM) → Allows resource sharing between accounts

AWS SSO (Single Sign On) → Centrally manage access to AWS accounts & sign into 3rd party tools in the AWS portal.

IAM Policy

• Permissions defined in a JSON document associated with an identity or resource
• Each statement matches an AWS API request
• Anything that is not explicitly allowed is implicitly denied
• If resource has multiple policies — AWS joins them
• Can have allow and deny statements

Permission Boundaries

• Used to delegate administration to other users
• Used to prevent privilege escalation or broad permissions
• Controls maximum permissions that an identity-based policy can grant to an IAM entity.

AWS Organisations

Management service that allows you to mange your AWS resources centrally. Enables you to consolidate multiple AWS accounts and allows you to simplify billing, by having one source for payment methods — this may also allow you to get discount pricing for volume.