1. IAM Roles for Services
- IAM Roles are the way permissions are assigned to AWS services
- Not for users (people)
- Attached to a service/instance, e.g. so an EC2 instance (virtual server) can access AWS
- Common roles: EC2 Instance Roles, Lambda Function Roles, Roles for CloudFormation
⭐ The purpose of a Role is to grant an AWS entity the permissions to perform actions on AWS
⭐ It is not something you grant to Users (people)
2. How to Create Roles
IAM Management dashboard > Access management > Roles > Create Role
Create a Role for Amazon EC2 and attach a Policy to it, and you are done.
Step1_ Select trusted entity
Select trusted entity - choose the entity type
Use case or Service - the service the role applies to (e.g. EC2)
Step2_ Add permissions
Now that the Role has been created for the EC2 service, a policy must be attached to it.
e.g.) IAMReadOnlyAccess
Step3_Name, review, and create
3. IAM Security Tools
IAM Credentials Report (account-level)
- Available at the account level
- Lists the users in the account and the status of their credentials
IAM Access Advisor (user-level)
- Available at the user level
- Shows the permissions granted to a user and when each service was last accessed
- With this tool you can see which permissions are not being used
- So you can grant only the minimum permissions needed
4. How to Create Credentials report
IAM Management Dashboard > Access reports > Credential report > Download credential report > csv file >
The csv file includes the root account and the IAM accounts
- Shows when the user was created, whether a password is enabled, when the password was last changed, when it was last used, when the next rotation is expected, whether MFA is enabled, whether access keys exist, when the access key was last rotated, when it was last used, the status of other access keys or certificates, etc.
- Very useful for finding users who are not using their password or their account
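Added example (not part of the original notes): a small Python audit that reads a credential report csv using the report's real column names and flags the conditions the list above is used to check (console password without MFA, password unused for a long time, access keys never used or not rotated). The sample rows, the fixed "now" and the 90-day threshold are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of an IAM credential report
# (made-up account id and users, not real data).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2024-01-01T00:00:00+00:00,not_supported,2025-01-20T10:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2024-06-01T00:00:00+00:00,true,2025-01-21T08:00:00+00:00,2024-06-01T00:00:00+00:00,N/A,false,true,2024-06-01T00:00:00+00:00,2025-01-21T08:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2024-03-01T00:00:00+00:00,true,2024-07-01T00:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2025-01-10T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2024-09-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-09-01T00:00:00+00:00,2025-01-22T01:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

NOW = datetime(2025, 1, 22, tzinfo=timezone.utc)  # fixed so results are reproducible
STALE_DAYS = 90  # assumed rotation / inactivity threshold

def parse_ts(value):
    """Return a datetime, or None for N/A, no_information, not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) tuples for the weak credential states in a report."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        pw_used = parse_ts(row["password_last_used"])
        if has_password and pw_used and (now - pw_used).days > STALE_DAYS:
            findings.append((user, f"password unused for >{STALE_DAYS} days"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if user == "<root_account>":  # root should never hold access keys
                findings.append((user, f"root has active access key {n}"))
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated and (now - rotated).days > STALE_DAYS:
                findings.append((user, f"access key {n} not rotated for >{STALE_DAYS} days"))
            if used is None:
                findings.append((user, f"access key {n} never used"))
    return findings
```

Point the same function at a downloaded report with `open("credential_report.csv").read()` to audit a real account.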
5. IAM Access Advisor
IAM Management Dashboard > Users > click your IAM Account Name > Access Advisor or Last Accessed >
Shows accessed services, policies granting permissions, last accessed time
- Useful for actually verifying whether a user holds the right permissions
- In other words, Access Advisor is very useful when you need to review fine-grained user access permissions in AWS
6. IAM Guidelines
- Don't use the root account except for AWS account setup
- One physical user = One AWS user
- Assign users to groups and assign permissions to groups
- Create a strong password policy
- Use and enforce the use of MFA
- Create and use Roles for giving permissions to AWS services
- Use Access Keys for Programmatic Access - CLI/SDK
- Audit permissions of your account using IAM Credentials Report & IAM Access Advisor
7. IAM Section - Summary
- Users: physical user, has a password for AWS Console
- Groups: contains users only
- Policies: JSON document that outlines permissions for users or groups
- Roles: for EC2 instance or AWS Services
- Security: MFA(Multi Factor Authentication) or Password Policy
- AWS CLI: manage your AWS services using the command line (=> CloudShell)
- AWS SDK: manage your AWS services using a programming language
- Access Keys: access AWS using the CLI or SDK
- Audit: IAM Credential Reports & IAM Access Advisor