AWS Identity and Access Management(IAM) Simplified
Managing sub-user in AWS simplified
IAM Identity Center VS IAM
IAM Identity Center
AWS IAM Identity Center is that the latter manages access for all AWS accounts within an AWS Organization, as well as access to other cloud applications (jumpcloud)
- an organisational tool for managing Identity
- provide a universal login
Identity and Access Management
manage access to AWS services and resources within an AWS account
- the AWS way of handling account access
- provide an AWS login
- API access
Security best practices in IAM - AWS Identity and Access Management
Follow these best practices for using AWS Identity and Access Management (IAM) to help secure your AWS account and resources.
Enable IAM Identity Center
- Dashboard->Settings summary (on the right)
- set an Instance name
- custom AWS access portal URL
- IAM Center is region-related
Add a Group
- Groups
- for grouping sub-users
- connect with a permission set
Add a User
- Users
- can stand alone and connect with a permission set
- but better managed in groups
Customise a Permission Sets
- Permission sets
- a permission set is for restricting what a sub-user can perform
Assign the Group to the AWS Account
- AWS accounts
- assign the group to the AWS Account and with permission set to restrict its behaviour
Issues
- unable to grand Cost and Usage access
- Login Root Account
- Profile -> Account
- scroll down to the Section after AWS Regions - IAM user and role access to Billing information
- toggle Activate IAM Access
IAM
If you need API access to use the SDK of cli, use IAM instead of the IAM Identity Center.
CloudTrail
- Event history
- Visualised user activity