IAM

IAM : User & Groups

• Identity and Access Management, Global service
• Root account created by default, shouldn't be used or shared
• Users ara peole within your organization,an ca be grouped
• Groups only contain users, not other groups
• Users don't have to belong to a group, and user can belong to multiple groups

IAM : Permissions

• User or Groups can be assigned JSON documents called policies
• Thes policies define the permissions of the users
• IN AWS you apply the least privilege principle
• dont' give more permmisions than a user needs

그룹 실습 블로그 참조

https://nulls.co.kr/AWS/318

[10장] 5. 실습: IAM User 및 Group 생성

IAM Pllicies inheritance

https://dotnettutorials.net/lesson/iam-policies-in-aws/

https://dotnettutorials.net/lesson/iam-policies-in-aws/

• Consists of
  • Version : policy language version
  • Id : an identifier for the policy (optional)
  • statement : one or more individual statements (required)
• Statemnts consists of
  • Sid : an identifier for the statement (optional)
  • Effect : allow, deny
  • Principal account/user/role to which this policy applied 
  • Action : list of actions this policy allows or denies
  • Condition : conditions for when this policy is in effect (optional)

IAM - Password Policy

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html

Setting an account password policy for IAM users - AWS Identity and Access Management

users access AWS

• AWS Management Console (MFA + password)
• AWS Command Line Interface (CLI)
• AWS Software Developer kit (SDK)
• A user owns one access keys

Access Key ID ~= username
Secret Access Key ~= password

access key  생성 권한

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:GetUser",
                "iam:ListAccessKeys",
                "iam:TagUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        }
    ]
}

 

https://docs.aws.amazon.com/ko_kr/IAM/latest/UserGuide/id_credentials_access-keys.html

IAM 사용자의 액세스 키 관리 - AWS Identity and Access Management

 

AWS CLI 설정

윈도우

 

https://docs.aws.amazon.com/ko_kr/cli/latest/userguide/getting-started-install.html

최신 버전의 AWS CLI 설치 또는 업데이트 - AWS Command Line Interface

AWS Management Console(CloudShell)

• 미국 동부(오하이오)
• 미국 동부(버지니아 북부)
• 미국 서부(캘리포니아 북부)
• 미국 서부(오레곤)
• 아시아 태평양(뭄바이)
• 아시아 태평양(오사카)
• 아시아 태평양(서울)
• 아시아 태평양(시드니)
• 아시아 태평양(싱가포르)
• 아시아 태평양(도쿄)
• 캐나다(중부)
• 유럽(프랑크푸르트)
• 유럽(아일랜드)
• Europe (London)
• Europe (Paris)
• 유럽(스톡홀름)
• 남아메리카(상파울루)

따로 가격이 안나가지만 사용하는 리소스와 네트워크 비용은 청구된다.

 

https://docs.aws.amazon.com/ko_kr/cloudshell/latest/userguide/supported-aws-regions.html

지원되는 AWS 지역 AWS CloudShell - AWS CloudShell

https://docs.aws.amazon.com/ko_kr/cloudshell/latest/userguide/shell-pricing.html

AWS CloudShell 요금 - AWS CloudShell

IAM Roles for Services

• Some AWS service will need to perform actions on your behalf
• To do so, we will assign permisiions to AWS services with IAM ROLES

https://aws.amazon.com/ko/iam/features/manage-roles/

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

IAM roles - AWS Identity and Access Management

https://whchoi98.gitbook.io/aws-iam/iam-role

IAM 역할(Role)과 Switch - AWS IAM

IAM Security Tools

• IAM Credentials Report - 유저 자격 상태와 계정 리스트(account-level)
• IAM Access Advisor - 어떤 서비스를 사용했는지 볼 수 있음(user-level)

정책 역할 차이

https://www.inflearn.com/questions/868627/iam-%EC%A0%95%EC%B1%85%EA%B3%BC-iam%EC%97%AD%ED%95%A0

키워드 : 일시적, 임시, 신뢰할 수 있는 , 하나의 역할을 다수의 사용자 및 서비스에 부여(역할)

키워드 : 영구적, 하나의 그룹, 사용자에게 부여(사용자, 그룹)