Become an AWS pro by understanding IAM, learning to write policies, and configuring access. Get hands-on with realistic examples, developed by AWS Solution Certified Architects. No setup, no cleanup, no hassle.

A Practical Guide to AWS IAM by Tamás Sallai_468 x 60 .png

This course is about how AWS IAM works and how to write policies to control access in an AWS account. In this course, you will learn how AWS APIs work, explore different parts of the requests made to the APIs and elaborates on how access is determined. Additionally, you will dive into how to configure access inside AWS by describing the policy structure and the 5 policy types AWS supports.

Further, you will become familiar with how the elements in the request and the policies fit together. You will also determine whether the operation is allowed or denied by demonstrating through several step-by-step realistic examples that show exactly how IAM evaluates access, thus providing templates for how to apply these protections to AWS environments.

Lastly, this course offers you some practical tips on how to secure an account both as an administrator and as a developer. It explains the best practices and the usual pitfalls of AWS security.

AWS Security Fundamentals: A Practical Guide to AWS IAM

# API
Application Programming Interface, a set of operations that a system makes available for other systems. AWS offers a set of APIs to allow creating and managing resources inside an account.

# ARN
Amazon Resource Name, a globally unique identifier for resources inside AWS. See more in the [Resource](https://www.educative.io/courses/aws-security-iam/access-elements-resource-action-and-metadata) lesson.

# AWS Organizations
A service that manages member accounts under a management account. It makes it easy to create isolated accounts for applications. It also allows attaching Service-control policies that are the only permission type that restricts access from outside the account. 

# Access Key ID/Secret Access Key
These values identify the principal who is making a request to an AWS API. They are used to *sign the request* made to the API. Losing these keys allows an attacker to send requests in the name of the principal. 

# Attribute-Based Access Control (ABAC)
A permission strategy where users and resources have attributes attached to them and access control is based on these values. Done right, this makes a more scalable permission strategy than RBAC.

In AWS, attributes are tags that are attached to resources and principals. IAM policies can then use them in conditions, such as the `aws:ResourceTag`, the `aws:PrincipalTag`, and other service-specific keys.

# Blast radius
The potential consequences of a security breach.

# IAM
Identity and Access Management, the AWS service that manages identities (users and roles) and permissions inside an AWS account. 

# IAM policy
A JSON document that configures access control in IAM. See more in the [IAM policies](https://www.educative.io/courses/aws-security-iam/filters-principal-resource-and-action) chapter.

# IAM role
An IAM identity that uses temporary credentials to access an AWS account. It implements process-based credentials management. See more in the *IAM roles* of the [Principal](https://www.educative.io/courses/aws-security-iam/access-elements-principal) lesson.

# IAM user
An IAM identity that can access an AWS account either via permanent credentials (Access Key ID-Secret Access Key pair) or password-based login on the Management Console. See more in the *IAM users* of the [Principal](https://www.educative.io/courses/aws-security-iam/access-elements-principal) lesson.

# Identity-based policy
An IAM policy attached to an identity (IAM users or roles). See more in the [Identity-based policies](https://www.educative.io/courses/aws-security-iam/aws-iam-policy-types-identity-based-and-resource-based) lesson.

# Least privilege
A set of permissions that allows normal operations but nothing else.

# Principal
The entity that is making a request to an AWS API. See more in the [Principal](https://www.educative.io/courses/aws-security-iam/access-elements-principal) lesson.

# Request context
The collection of information regarding the request made to an AWS API. It contains *who* is initiating the request, *what* is being done, *on what resource*, and some other metadata. See more in the [Access elements](https://www.educative.io/courses/aws-security-iam/access-elements-principal) lessons.

# Resource-based policy
An IAM policy attached to a resource. See more in the [Resource-based policies](https://www.educative.io/courses/aws-security-iam/aws-iam-policy-types-identity-based-and-resource-based) lesson.

# Role-Based Access Control (RBAC)
A permission strategy where users are organized in groups and only these groups have permissions. Individual users don't have policies attached and access control is determined only by group membership. This makes a scalable permission strategy.

In AWS, implementing Role-Based Access Control is done using IAM groups.

# Service Control Policy (SCP)
A policy type that is attached to an AWS account via Organizations. Only the management account can define SCPs and they are only effective for member accounts. See more in the [Service control policy (SCP)](https://www.educative.io/courses/aws-security-iam/aws-iam-policy-types-scp-sp-and-pb) lesson.

# Shared responsibility model
The security framework defines the responsibilities of the cloud provider and the customer, in which the provider is responsible for the security *of* the cloud, while the customer is responsible for the security *in* the cloud.

In practical terms, AWS offers a set of tools to secure our account and the resources inside it, but we are required to use them properly. According to the shared responsibility model, we can be sure that hackers cannot circumvent the security controls but we need to configure them properly.

For example, AWS makes sure that only the principals we allow via IAM policies can read an S3 bucket and there is no other way to access the contents. But you need to ensure that we don't allow public access to it.

Learn more about it in the [Introduction](https://www.educative.io/courses/aws-security-iam/aws-iam) chapter.

Learn the definitions and meanings of important terms used in the course.

Introduction

Access Control Basics

User Management using IAM

IAM Policies

Request Evaluation Flow and Examples

Role Management Using Identity and Access Management (IAM)

How to Secure an AWS Account

Conclusion

Appendix

Glossary

API

ARN

AWS Organizations

Access Key ID/Secret Access Key

Attribute-Based Access Control (ABAC)