What does AWS use to assign permissions to groups and or users in IAM
You can use IAM roles to delegate access to your AWS resources. With IAM roles, you can establish trust relationships between your trusting account and other AWS trusted accounts. The trusting account owns the resource to be accessed and the trusted account contains the users who need access to the resource. However, it is possible for another account to own a resource in your account. For example, the trusting account might allow the trusted account to create new resources, such as creating new objects in an Amazon S3 bucket. In that case, the account that creates the resource owns the resource and controls who can access that resource. Show
After you create the trust relationship, an IAM user or an application from the trusted account can use the AWS Security Token Service (AWS STS)
The accounts can both be controlled by you, or the account with the users can be controlled by a third party. If the other account with the users is an AWS account that you do not control, then you can use the For information about how to use roles to delegate permissions, see Roles terms and concepts. For information about using a service role to allow services to access resources in your account, see Creating a role to delegate permissions to an AWS service. Creating an IAM role (console)You can use the AWS Management Console to create a role that an IAM user can assume. For example, assume that your organization has multiple AWS accounts to isolate a development environment from a production environment. For high-level information about creating a role that allows users in the development account to access resources in the production account, see Example scenario using separate development and production accounts. To create a role (console)
Creating an IAM role (AWS CLI)Creating a role from the AWS CLI involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the AWS CLI you must explicitly perform each step yourself. You must create the role and then assign a permissions policy to the role. Optionally, you can also set the permissions boundary for your role. To create a role for cross-account access (AWS CLI)
The following example shows the first two, and most common steps for creating a cross-account role in a simple environment. This example allows any user in the In this example, include the following trust policy in the first command when you create
the role. This trust policy allows users in the
If your When you use the second command, you must attach an existing managed policy to the role. The following permissions policy allows anyone who assumes the role to perform only the
To create this
Remember that this is only the first half of the configuration required. You must also give individual users in the trusted account permissions to switch to the role. For more information about this step, see Granting a user permissions to switch roles. After you create the role and grant it permissions to perform AWS tasks or access AWS resources, any users in the Creating an IAM role (AWS API)Creating a role from the AWS API involves multiple steps. When you use the console to create a role, many of the steps are done for you, but with the API you must explicitly perform each step yourself. You must create the role and then assign a permissions policy to the role. Optionally, you can also set the permissions boundary for your role. To create a role in code (AWS API)
After you create the role and grant it permissions to perform AWS tasks or access AWS resources, you must grant permissions to users in the account to allow them to assume the role. For more information about assuming a role, see Switching to an IAM role (AWS API). Creating an IAM role (AWS CloudFormation)For information about creating an IAM role in AWS CloudFormation, see the resource and property reference and examples in the AWS CloudFormation User Guide. For more information about IAM templates in AWS CloudFormation, see AWS Identity and Access Management template snippets in the AWS CloudFormation User Guide. What does AWS use to assign permissions?You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions.
How are permissions assigned to an IAM group?IAM user groups
Any user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that user group.
What can you use to assign permissions directly to an IAM user?You can change the permissions for an IAM user in your AWS account by changing its group memberships, by copying permissions from an existing user, by attaching policies directly to a user, or by setting a permissions boundary. A permissions boundary controls the maximum permissions that a user can have.
How do you assign IAM roles to users or groups?In the AWS Management Console section, under Delegate console access, choose the IAM role name for the existing IAM role that you want to assign users to. If the role has not yet been created, see Creating a new role. On the Selected role page, under Manage users and groups for this role, choose Add.
|