Become an AWS pro by understanding IAM, learning to write policies, and configuring access. Get hands-on with realistic examples, developed by AWS Solution Certified Architects. No setup, no cleanup, no hassle.

A Practical Guide to AWS IAM by Tamás Sallai_468 x 60 .png

This course is about how AWS IAM works and how to write policies to control access in an AWS account. In this course, you will learn how AWS APIs work, explore different parts of the requests made to the APIs and elaborates on how access is determined. Additionally, you will dive into how to configure access inside AWS by describing the policy structure and the 5 policy types AWS supports.

Further, you will become familiar with how the elements in the request and the policies fit together. You will also determine whether the operation is allowed or denied by demonstrating through several step-by-step realistic examples that show exactly how IAM evaluates access, thus providing templates for how to apply these protections to AWS environments.

Lastly, this course offers you some practical tips on how to secure an account both as an administrator and as a developer. It explains the best practices and the usual pitfalls of AWS security.

AWS Security Fundamentals: A Practical Guide to AWS IAM

## Resource
A resource is an AWS entity that serves as the *target* of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role.  Most requests have a resource.

An **Amazon Resource Name** (ARN) is a global identifier for resources inside AWS. Usually, these are what we need to input when we want to specify an entity.

An ARN is made up of several parts:
```txt
arn:partition:service:region:account-id:resource-id
```
* The `partition` is usually `aws`, the exceptions are regions in China and the US GovCloud. 
* The `service` is the AWS product, such as `s3` or `iam`. 
* The `region` specifies which region the resource is located if any. There are global resources, such as IAM users, that do not have a region.
* The `account-id` is the 12-digits account number.
* And finally, the `resource-id` is the local identifier of the resource. It can specify sub-resources too, such as the name of objects inside an S3 bucket.

For example, an `sts:AssumeRole` operation specifies the *role* to assume by its ARN: `arn:aws:iam::123456789012:role/test-role`. This resource is inside the IAM service, which is non-regional, the region is missing, in the `123456789012` account, where it's a `role` named `test-role`.

Each resource type uses a different structure and they are detailed in the [reference documentation](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) for each service.

For example, the S3 service [defines](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies) these resource types:

# Resource
A resource is an AWS entity that serves as the *target* of an operation. When we delete an S3 bucket, the resource is the bucket. When a user assumes a role, the resource is the role.  Most requests have a resource.

An **Amazon Resource Name** (ARN) is a global identifier for resources inside AWS. Usually, these are what we need to input when we want to specify an entity.

An ARN is made up of several parts:
```txt
arn:partition:service:region:account-id:resource-id
```
* The `partition` is usually `aws`, the exceptions are regions in China and the US GovCloud. 
* The `service` is the AWS product, such as `s3` or `iam`. 
* The `region` specifies which region the resource is located if any. There are global resources, such as IAM users, that do not have a region.
* The `account-id` is the 12-digits account number.
* And finally, the `resource-id` is the local identifier of the resource. It can specify sub-resources too, such as the name of objects inside an S3 bucket.

For example, an `sts:AssumeRole` operation specifies the *role* to assume by its ARN: `arn:aws:iam::123456789012:role/test-role`. This resource is inside the IAM service, which is non-regional, the region is missing, in the `123456789012` account, where it's a `role` named `test-role`.

Each resource type uses a different structure and they are detailed in the [reference documentation](https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html) for each service.

For example, the S3 service [defines](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html#amazons3-resources-for-iam-policies) these resource types:

Learn about the three other access elements and the components that constitute a request made to an AWS API.

Introduction

Access Control Basics

User Management using IAM

IAM Policies

Request Evaluation Flow and Examples

Role Management Using Identity and Access Management (IAM)

How to Secure an AWS Account

Conclusion

Appendix

Access elements: Resource, Action, and Metadata

Resource