"Which AWS services does your application use?"
Nobody ever includes IAM in their answer, even though it's one critical service for all apps.
A collection of best practices 🧵
Lock away your root user
Your root user has full access to your account (and organization) & controls billing.
Don't use it for daily tasks.
This means your first tasks are:
• create a dedicated IAM user
• delete any credential pairs of the root user
Enable & Enforce Multi-Factor Authentication
AWS offers MFA for IAM users and your root user as well.
It supports virtual & hardware tokens.
Bonus: create a policy that restricts access to all resources if MFA authentication is missing.
Make use of IAM groups
Don't assign permissions directly to IAM users; instead, create groups with dedicated permissions.
Management becomes easier because everything is streamlined: you can move users between groups or remove them from groups.
Roles are your best friend
Roles are very similar to users but can be assumed by multiple entities at the same time.
They let you grant permissions without handing out further credentials.
E.g. a user can assume a role to get temporary access to a resource.
Resource-based Policies
Certain AWS services like S3 or SQS offer resource-based policies, which give you an additional tool next to identity-based policies to restrict access even further.
No inline policies
Inline policies allow you to embed permissions directly into an IAM identity, i.e. a user, group, or role.
This can be useful for some use cases but increases your management effort.
Stick to simple managed policies when possible.
Use Conditions
You can extend your policies with one or more conditions that determine under which circumstances the policy applies.
E.g. you can create a condition that lets an IAM user manage their home directory in an Amazon S3 bucket.
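The two policy ideas above, the MFA "bonus" deny policy and the S3 home-directory condition, are easiest to understand by watching how IAM evaluates them. The following is an added example written for this page, not code from the original thread or from AWS: two constructed policy documents plus a toy evaluator that implements only the core IAM rule (explicit Deny wins, otherwise some Allow must match, otherwise implicit deny) and the Bool, StringEquals and StringLike operators with their ...IfExists variants. The bucket name, account id and the reduced set of MFA-management actions are assumptions; the AWS-documented version of the MFA policy grants a few more setup actions.

```python
import fnmatch
import json

# Constructed example policies for this demonstration (not from the original thread).
# Policy 1: the "bonus" MFA-enforcement idea. It lets a user manage their own MFA
# device and explicitly denies every other action unless MFA was used to sign in.
MFA_ENFORCE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowManageOwnMFA", "Effect": "Allow",
     "Action": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
     "Resource": "arn:aws:iam::*:user/${aws:username}"},
    {"Sid": "DenyEverythingElseWithoutMFA", "Effect": "Deny",
     "NotAction": ["iam:ListMFADevices", "iam:CreateVirtualMFADevice", "iam:EnableMFADevice"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

# Policy 2: the "home directory" condition example. Bucket name and prefix
# layout are assumptions made for this example.
HOME_DIR_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ManageOwnHomeObjects", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::example-bucket/home/${aws:username}/*"},
    {"Sid": "ListOwnHomePrefixOnly", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringLike": {"s3:prefix": "home/${aws:username}/*"}}}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(pattern, ctx):
    # Expand policy variables such as ${aws:username} from the request context.
    for key, val in ctx.items():
        pattern = pattern.replace("${" + key + "}", str(val))
    return pattern


def _match_any(patterns, value, ctx, fold_case=False):
    # IAM action names match case-insensitively; resource ARNs and S3 keys do not.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), _substitute(p, ctx).lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, _substitute(p, ctx)) for p in patterns)


def _condition_holds(condition, ctx):
    """Every key in a Condition block must hold. Supports Bool, StringEquals,
    StringLike and their ...IfExists variants only (toy evaluator)."""
    for operator, pairs in (condition or {}).items():
        base = operator.replace("IfExists", "")
        for key, expected in pairs.items():
            if key not in ctx:
                # A missing context key makes the condition false, except for
                # ...IfExists operators, which treat a missing key as a match.
                # That is why the MFA deny uses BoolIfExists: long-term access
                # keys carry no aws:MultiFactorAuthPresent key at all.
                if operator.endswith("IfExists"):
                    continue
                return False
            actual = str(ctx[key])
            wanted = [_substitute(e, ctx) for e in _as_list(expected)]
            if base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base == "StringEquals":
                ok = actual in wanted
            elif base == "StringLike":
                ok = any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator {operator} not supported by this toy evaluator")
            if not ok:
                return False
    return True


def evaluate(policies, action, resource, ctx):
    """Decide one request over all attached policies: an explicit Deny wins,
    otherwise some Allow must match, otherwise the request is implicitly denied."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" in stmt:
                action_hit = _match_any(_as_list(stmt["Action"]), action, ctx, fold_case=True)
            else:
                action_hit = not _match_any(_as_list(stmt["NotAction"]), action, ctx, fold_case=True)
            resource_hit = _match_any(_as_list(stmt["Resource"]), resource, ctx)
            if not (action_hit and resource_hit and _condition_holds(stmt.get("Condition"), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "deny"
            allowed = True
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    attached = [MFA_ENFORCE_POLICY, HOME_DIR_POLICY]
    own_file = "arn:aws:s3:::example-bucket/home/alice/notes.txt"
    with_mfa = {"aws:username": "alice", "aws:MultiFactorAuthPresent": "true"}
    access_keys = {"aws:username": "alice"}  # no MFA key in the context at all
    print(evaluate(attached, "s3:GetObject", own_file, with_mfa))     # allow
    print(evaluate(attached, "s3:GetObject", own_file, access_keys))  # deny
```

The caveat worth remembering from this toy run: with a plain `Bool` operator, a request made with long-term access keys (no `aws:MultiFactorAuthPresent` key in the context) would not match the Deny and would sail through, which is why the enforcement statement uses `BoolIfExists`. The `s3:ListBucket` condition on `s3:prefix` is what keeps a user from listing other people's home directories while still letting them browse their own.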
Aim for Least Privilege
It's easy to spike things by using a wildcard for actions & resources.
But spikes often end up in production quickly, and the IAM refactoring gets missed.
Always aim for policies that are on point, granting only the permissions that are actually needed.
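One way to catch the "spike that went to production" before it does is a small audit step over the policy documents your IaC tool renders. The following is an added example for this page, not code from the original thread: a constructed wildcard-heavy "spike" policy beside a scoped-down version of the same workload, and an `audit_policy` function that flags the Allow statements which grant more than least privilege would (wildcard actions, wildcard resources, and the NotAction/NotResource forms). Queue and bucket names, the region and the account id are placeholders.

```python
import json

# Constructed "spike" policy of the kind the thread warns about: wildcards
# everywhere because it was quick to get working. Not from the original post.
SPIKE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "QuickAndDirty", "Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Sid": "TouchOrders", "Effect": "Allow", "Action": "sqs:*",
     "Resource": "arn:aws:sqs:eu-central-1:123456789012:orders"}
  ]
}""")

# The same workload scoped to the calls it actually makes (assumed here: consume
# one queue, write to one S3 prefix). Names, region and account id are placeholders.
TIGHT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ConsumeOrders", "Effect": "Allow",
     "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
     "Resource": "arn:aws:sqs:eu-central-1:123456789012:orders"},
    {"Sid": "WriteInvoices", "Effect": "Allow",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-invoices/2024/*"}
  ]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that grant more than a
    least-privilege policy would: wildcard actions, wildcard resources, or the
    NotAction/NotResource forms, which grant everything except what is listed."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # broad Deny statements narrow access, so they are not flagged
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt:
            findings.append((sid, "Allow with NotAction grants every action not listed"))
        if "NotResource" in stmt:
            findings.append((sid, "Allow with NotResource applies to every resource not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((sid, "Action '*' grants every API call of every service"))
            elif action.endswith(":*"):
                findings.append((sid, f"Action '{action}' grants every API call of that service"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "Resource '*' applies to every resource in the account"))
    return findings


def is_least_privilege_candidate(policy):
    """True when the audit raises nothing; usable as a gate in a CI step over IaC output."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, policy in (("spike", SPIKE_POLICY), ("tight", TIGHT_POLICY)):
        print(name, "->", "clean" if is_least_privilege_candidate(policy) else "needs work")
        for sid, msg in audit_policy(policy):
            print(f"  [{sid}] {msg}")
```

The check deliberately flags only whole-service and global wildcards; partial ones such as `s3:Get*` are often a reasonable trade-off and are left to human review. A policy that passes this gate is not automatically least privilege, it has merely cleared the most common spike-era shortcuts.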
Bookmark the AWS Service Authorization Reference
You'll unavoidably fight with Access Denied messages from time to time.
The docs for actions, resources, and condition keys for all AWS services are there to help:
docs.aws.amazon.com
The obvious: use Infrastructure as Code
The AWS console is fine for trying things out.
For everything else, use an IaC tool of your choice to avoid typos & make your configuration reliable and reproducible.
My favorites: CDK, Serverless & Terraform