The IAM permission model allows Role-based access control as well as Attribute-based access control so that fine-grained access can be provided.
IAM Permission
Generally, there are two types of permission model:
1- RBAC: Role-based access control
2- ABAC: Attribute-based access control
RBAC : Role-based access control
What is AWS IAM RBAC?
AWS IAM RBAC (Role-Based Access Control) is a security feature that allows you to control who has access to your AWS resources and what they can do with them. RBAC is based on the concept of roles, which are sets of permissions that can be assigned to users, groups, or other AWS identities.
How does AWS IAM RBAC work?
When you create a role, you specify the permissions that the role will have. These permissions can be defined in a policy, which is a JSON document that lists the actions that the role is allowed to perform on AWS resources. You can attach policies to roles, users, or groups.
What are the benefits of using AWS IAM RBAC?
There are several benefits to using AWS IAM RBAC, including:
- It provides a fine-grained way to control access to your AWS resources. You can specify exactly what actions a role is allowed to perform on a resource, which helps to prevent unauthorized access.
- It is scalable. You can easily add or remove permissions from a role, without having to change the permissions of users or groups that are assigned to the role.
- It is secure. AWS IAM RBAC uses AWS Identity and Access Management (IAM) users and groups to control access to your resources. IAM users and groups are authenticated and authorized using industry-standard methods, such as multi-factor authentication and password policies.
What are the types of IAM roles in AWS?
There are four types of IAM roles in AWS:
- Service roles are used by AWS services to access other AWS services on your behalf. For example, an Amazon S3 bucket can use a service role to access Amazon DynamoDB to store its metadata.
- Service-linked roles are a special type of service role that is automatically created and managed by AWS. Service-linked roles are used by AWS services that need to access other AWS services on your behalf, but you do not have to create or manage them yourself.
- Roles for cross-account access allow you to grant users in one AWS account access to resources in another AWS account. This is useful for scenarios where you need to share resources between accounts, such as a development account and a production account.
- Roles for identity provider access allow you to grant users in an identity provider (IdP) access to AWS resources. This is useful for scenarios where you want to use an IdP, such as Okta or OneLogin, to manage user identities.
ABAC : Attribute-based access control
What is AWS IAM ABAC?
AWS IAM ABAC (Attribute-Based Access Control) is a security feature that allows you to control access to your AWS resources based on attributes. Attributes are pieces of information about users, groups, resources, or other entities. For example, you could use attributes such as department, job role, or team name to control access to your AWS resources.
How does AWS IAM ABAC work?
When you create an ABAC policy, you specify the attributes that you want to use to control access. You also specify the actions that you want to allow or deny based on those attributes. For example, you could create an ABAC policy that allows users in the “engineering” department to access all S3 buckets that have the “production” tag.
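A concrete form of that engineering/production example, added here as an illustration rather than a policy from the original article: an identity policy built on the aws:PrincipalTag and aws:ResourceTag condition keys, plus a small local evaluator that shows how the StringEquals condition behaves, including for a bucket that carries no tag at all. The tag keys "department" and "environment" are assumptions (the article names only the values), and the evaluator is a deliberately simplified model, not the IAM policy engine.

```python
import fnmatch

# Added illustration. Tag keys "department" (on the principal) and "environment"
# (on the bucket) are assumed; the article names only the values.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EngineeringReadsProductionBuckets",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": "*",
        "Condition": {"StringEquals": {
            "aws:PrincipalTag/department": "engineering",
            "aws:ResourceTag/environment": "production",
        }},
    }],
}


def _condition_holds(condition, principal_tags, resource_tags):
    """Local model of StringEquals over tag condition keys only.
    A key missing from the request context makes StringEquals false, so a
    bucket with no environment tag never satisfies the statement."""
    context = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    context.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return all(context.get(key) == want
               for key, want in condition.get("StringEquals", {}).items())


def is_allowed(policy, action, principal_tags, resource_tags):
    """Simplified evaluator: default deny unless an Allow statement matches the
    action (wildcards such as s3:Get* are supported) and its condition holds.
    Explicit Deny, NotAction and resource ARN matching are deliberately omitted."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if (stmt["Effect"] == "Allow"
                and any(fnmatch.fnmatchcase(action, p) for p in actions)
                and _condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags)):
            return True
    return False
```

The untagged-bucket case is the one to remember: ABAC grants nothing until both the principal and the resource carry the expected tags, so tagging discipline is part of the access-control design.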
What are the benefits of using AWS IAM ABAC?
The benefits of using ABAC are the same as those of RBAC.
What are the differences between IAM RBAC and ABAC?
The main difference between IAM RBAC and ABAC is the way each method grants access. RBAC techniques allow you to grant access by roles. ABAC techniques let you determine access by user characteristics, object characteristics, action types, and more.
When should you use AWS IAM ABAC?
You should use AWS IAM ABAC when you need to control access to your AWS resources in a fine-grained way. ABAC is also a good choice when you need to control access to your resources based on attributes that are not available in RBAC, such as the user’s department or job role.
IAM Permission Model
Tool to Apply Permission Guardrails
SCP as Permission Guardrails
Sample Policy: for restricting the region
Defining a policy to deny on the basis of AWS region.
Sample policy: Powerful action restriction
Defining a policy to deny if the role is not like