IAM Exam Notes

IAM Policies

  • Definition: JSON documents that define permissions for making requests to AWS services.
  • Components:
    • Version: Policy language version (the current version string is "2012-10-17", as in the examples below).
    • Id: Identifier for the policy (optional).
    • Statement: One or more individual statements (required).
      • Sid: Identifier for the statement (optional).
      • Effect: Specifies whether the statement allows ("Allow") or denies ("Deny") access.
      • Principal: Account, user, role, or service to which the statement applies (used in resource-based policies; omitted in identity-based policies such as the examples below).
      • Action: List of actions that are allowed or denied.
      • Resource: List of resources (ARNs) to which the actions apply.
      • Condition: Conditions under which the statement is in effect (optional).

IAM Policy Examples

1. Allow Users to View Their Own Permissions

This policy permits IAM users to view the inline and managed policies attached to their own user identity:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetUserPolicy",
        "iam:ListGroupsForUser",
        "iam:ListAttachedUserPolicies",
        "iam:ListUserPolicies"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}

2. Deny Access to a Specific S3 Bucket

This policy grants full access to all S3 buckets except the "customer" bucket, to which it explicitly denies access. The order of the statements does not matter: an explicit Deny always overrides an Allow, so the second statement wins for that bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FullAccess",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Sid": "DenyCustomerBucket",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::customer",
        "arn:aws:s3:::customer/*"
      ]
    }
  ]
}
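To make the component list and the two policies above concrete, here is an added example (not part of the original notes, and not AWS's own evaluation engine) that implements the core IAM decision rule in Python: an explicit Deny in any matching statement wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied. It also handles the "*" wildcard in Action and Resource and expands the ${aws:username} policy variable. Condition, NotAction, NotResource and Principal are deliberately left out; the request values (account id, user names, object keys) are constructed for the demonstration.

```python
import fnmatch
import re

# The two policies from the notes, embedded as Python dicts so the example runs offline.
VIEW_OWN_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:GetUserPolicy", "iam:ListGroupsForUser",
                   "iam:ListAttachedUserPolicies", "iam:ListUserPolicies"],
        "Resource": "arn:aws:iam::*:user/${aws:username}",
    }],
}

DENY_CUSTOMER_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FullAccess", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyCustomerBucket", "Effect": "Deny", "Action": "s3:*",
         "Resource": ["arn:aws:s3:::customer", "arn:aws:s3:::customer/*"]},
    ],
}


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _substitute(pattern, context):
    """Expand policy variables such as ${aws:username} from the request context.
    A variable with no value in the context makes the pattern unusable (returns None)."""
    missing = False

    def repl(match):
        nonlocal missing
        if match.group(1) not in context:
            missing = True
            return ""
        return context[match.group(1)]

    expanded = re.sub(r"\$\{([^}]+)\}", repl, pattern)
    return None if missing else expanded


def _statement_applies(stmt, action, resource, context):
    """True when the statement's Action and Resource both match the request.
    Actions are matched case-insensitively; ARNs are case-sensitive. fnmatch's
    '*' matches any characters including ':' and '/', as IAM's does."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt.get("Action")))
    resource_hit = False
    for p in _as_list(stmt.get("Resource")):
        expanded = _substitute(p, context)
        if expanded is not None and fnmatch.fnmatchcase(resource, expanded):
            resource_hit = True
            break
    return action_hit and resource_hit


def evaluate(policies, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    Evaluation order: any matching Deny statement ends evaluation with "Deny";
    a matching Allow records "Allow"; no matching statement at all is "ImplicitDeny".
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _statement_applies(stmt, action, resource, context):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"          # explicit deny always wins
            if stmt.get("Effect") == "Allow":
                decision = "Allow"     # keep looking in case a later Deny matches
    return decision


if __name__ == "__main__":
    # Constructed request values for the demonstration.
    alice = "arn:aws:iam::123456789012:user/alice"
    ctx = {"aws:username": "alice"}
    print(evaluate([VIEW_OWN_PERMISSIONS], "iam:ListUserPolicies", alice, ctx))
    print(evaluate([VIEW_OWN_PERMISSIONS], "iam:ListUserPolicies",
                   "arn:aws:iam::123456789012:user/bob", ctx))
    print(evaluate([DENY_CUSTOMER_BUCKET], "s3:GetObject", "arn:aws:s3:::customer/report.csv"))
    print(evaluate([DENY_CUSTOMER_BUCKET], "s3:GetObject", "arn:aws:s3:::customer-archive/x"))
```

Running it prints Allow, ImplicitDeny, Deny, Allow: alice can list her own policies but not bob's, the customer bucket is denied regardless of the preceding s3:* Allow, and a differently named bucket such as customer-archive is not covered by the Deny because the ARN patterns name the bucket exactly.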

IAM Roles

  • Definition: An AWS identity with specific permissions that determine what the identity can and cannot do in AWS.
  • Use Case: Enables applications running on AWS services (like EC2) to interact with other AWS services without using permanent credentials.

IAM Guidelines & Best Practices

  • Root Account Usage: Avoid using the root account for daily tasks; reserve it for account setup and emergencies.
  • One Physical User, One AWS User: Assign an individual IAM user to each physical user; never share users.
  • Groups for Permissions: Assign users to groups and manage permissions at the group level.
  • Strong Password Policy: Enforce a robust password policy for all IAM users.
  • Multi-Factor Authentication (MFA): Use and enforce MFA for enhanced security.
  • Roles for AWS Services: Create and use roles to grant permissions to AWS services, avoiding the use of permanent credentials.
  • Access Keys for Programmatic Access: Use access keys for CLI or SDK access, and rotate them regularly.
  • Regular Audits: Audit permissions using the IAM Credential Report and IAM Access Advisor to ensure adherence to the principle of least privilege.
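The audit guideline above is easier to apply with a concrete check. The following added example (not from the original notes, and not an AWS-provided tool) parses a credential report in the CSV layout that IAM produces and flags the practices the list calls out: recent root account sign-in, console users without MFA, active access keys older than 90 days, and active keys that are never used. The report content and the fixed "now" date are constructed for the demonstration; a real report is downloaded from IAM and has additional columns (access key 2, certificates) that the same loop handles if present.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample with the column names of the IAM credential report (truncated to the
# columns used here). Timestamps are ISO 8601; "N/A", "no_information" and "not_supported"
# are the literal placeholders the report uses for absent values.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,true,2024-05-20T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-10T00:00:00+00:00,true,2024-05-30T08:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-04-15T00:00:00+00:00,2024-05-29T00:00:00+00:00
bob,arn:aws:iam::123456789012:user/bob,2021-06-01T00:00:00+00:00,true,2024-05-28T08:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,true,2023-01-10T00:00:00+00:00,2024-05-28T00:00:00+00:00
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-02-02T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-05-01T00:00:00+00:00,N/A
"""

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_AGE = timedelta(days=90)                     # rotation / inactivity threshold (assumption)


def _parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_credential_report(report_csv, now=NOW, max_age=MAX_AGE):
    """Return a list of (user, finding_code) tuples for the guidelines in the notes."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # Root account should not be used for daily work: flag a recent console sign-in.
        last_used = _parse_ts(row.get("password_last_used"))
        if user == "<root_account>" and last_used and now - last_used <= max_age:
            findings.append((user, "ROOT_RECENT_USE"))

        # Every identity with a console password should have MFA enabled.
        if _is_true(row.get("password_enabled")) and not _is_true(row.get("mfa_active")):
            findings.append((user, "NO_MFA"))

        # Access keys: rotate regularly, and remove keys that are never used.
        for n in ("1", "2"):
            if not _is_true(row.get(f"access_key_{n}_active")):
                continue
            rotated = _parse_ts(row.get(f"access_key_{n}_last_rotated"))
            if rotated is None or now - rotated > max_age:
                findings.append((user, f"STALE_ACCESS_KEY_{n}"))
            used = _parse_ts(row.get(f"access_key_{n}_last_used_date"))
            if used is None or now - used > max_age:
                findings.append((user, f"UNUSED_ACCESS_KEY_{n}"))
    return findings


if __name__ == "__main__":
    for user, code in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:15} {code}")
```

On the sample, alice is clean, the root account is flagged for recent use and missing MFA, bob for missing MFA and a key not rotated since 2023, and deploy-bot for an active key that has never been used. Each finding maps back to one bullet in the list above, which is the point of running the report on a schedule rather than reading it by hand.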

These notes encapsulate the key aspects of IAM essential for exam preparation.