IAM Cheat Sheet

Here’s a cheat sheet for AWS Identity and Access Management (IAM):

IAM Basics

  • IAM is used to securely control access to AWS services and resources.
  • Users, Groups, and Roles are the key IAM entities.

IAM Users

  • Represent a person or service.
  • Have security credentials and can be added to Groups.

IAM Groups

  • Contain IAM users.
  • Can’t be used to sign in or to make requests; they exist only to attach a common set of policies to many users at once.

IAM Roles

  • Provide temporary security credentials for services or applications.
  • Used by EC2 instances, Lambda functions, etc., to access other AWS services.

IAM Policies

  • Define permissions using JSON.
  • Attached to Users, Groups, or Roles.
  • Policies grant permissions based on actions, resources, and conditions.

IAM Permissions

  • Consist of an AWS service, action, and resource.
  • Permission example: s3:GetObject on a specific S3 bucket.

IAM Policy Elements

  • Effect: Allow or Deny.
  • Action: Specific AWS operation.
  • Resource: Specific AWS resource or wildcard.
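The three sections above (Policies, Permissions, Policy Elements) describe how a JSON policy turns Effect, Action and Resource into a decision. The following is an added example, not part of the original cheat sheet and not AWS's own evaluation engine: a deliberately simplified evaluator for one identity-based policy that implements the core IAM rule (an explicit Deny wins, then any matching Allow, otherwise implicit deny) with IAM-style wildcards. The policy document, bucket name and account values are constructed for the illustration; NotAction/NotResource, Condition operators, resource-based policies, permission boundaries and SCPs are not modelled.

```python
"""Simplified evaluator for a single identity-based IAM policy.

Decision order, as in IAM:
  1. any matching statement with Effect "Deny"  -> explicitDeny
  2. otherwise any matching statement "Allow"   -> allow
  3. otherwise                                  -> implicitDeny
"""
import fnmatch
import json

# Constructed example policy: read and list one bucket, and explicitly
# refuse every s3:Delete* action regardless of the bucket.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOneBucket", "Effect": "Allow",
     "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-reports-bucket/*"},
    {"Sid": "ListOneBucket", "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-reports-bucket"},
    {"Sid": "NoDeletes", "Effect": "Deny",
     "Action": "s3:Delete*",
     "Resource": "*"}
  ]
}
""")

# Constructed over-broad policy for comparison with the scoped one.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def statement_matches(statement, action, resource):
    """True when both the Action and the Resource element cover the request.

    Action names are matched case-insensitively; ARNs are case-sensitive.
    fnmatchcase gives the same '*' and '?' wildcard semantics IAM uses here.
    """
    actions = [a.lower() for a in _as_list(statement["Action"])]
    resources = _as_list(statement["Resource"])
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate(policy, action, resource):
    """Return 'explicitDeny', 'allow' or 'implicitDeny' for one request."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if not statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"   # Deny always wins, stop immediately
        decision = "allow"          # keep scanning: a later Deny still overrides
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports-bucket/2024/q1.csv"
    for pol_name, pol in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        for act, res in (("s3:GetObject", obj),
                         ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
                         ("s3:DeleteObject", obj),
                         ("s3:DeleteBucket", "arn:aws:s3:::example-reports-bucket")):
            print(f"{pol_name:6} {act:16} -> {evaluate(pol, act, res)}")
```

Running the module side by side shows why least privilege matters: the scoped policy answers `allow` only for reads of the one bucket and `explicitDeny` for deletes, while the broad `s3:*` policy answers `allow` for everything, including `s3:DeleteBucket`.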

IAM Access Key and Secret Access Key

  • Used for programmatic access (CLI, SDK).
  • Never share the secret access key, and rotate access keys regularly.

IAM MFA (Multi-Factor Authentication)

  • Adds an extra layer of security.
  • Users can sign in with a password and an authentication code from a hardware MFA device or virtual MFA device.

IAM Best Practices

  1. Use IAM Roles for granting permissions to AWS services.
  2. Apply the principle of least privilege.
  3. Regularly review and audit IAM users, groups, and roles.
  4. Enable MFA for IAM users.
  5. Rotate access keys regularly.

IAM CLI Commands

Create a new user:

aws iam create-user --user-name NewUser

Create a new group:

aws iam create-group --group-name NewGroup

Create a new role:

aws iam create-role --role-name NewRole --assume-role-policy-document file://trust-policy.json

Attach a policy to a user:

aws iam attach-user-policy --user-name UserName --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess

List IAM users:

aws iam list-users

List IAM groups:

aws iam list-groups

List IAM roles:

aws iam list-roles

Remember to replace placeholders like NewUser, NewGroup, NewRole, UserName, and trust-policy.json with your specific values.

This cheat sheet covers some basic IAM concepts and commands. For more detailed information, refer to the AWS IAM Documentation.