https://blog-dev.simpleenough.net/tags/iam/Recent content in IAM on Simple Enough BlogHugoenTue, 27 May 2025 15:33:47 +0200https://blog-dev.simpleenough.net/blog/iam/Tue, 27 May 2025 15:33:47 +0200https://blog-dev.simpleenough.net/blog/iam/<h2 id="i-iam-core-components-and-concepts" class="heading">I. IAM: Core Components and Concepts<a href="#i-iam-core-components-and-concepts" aria-labelledby="i-iam-core-components-and-concepts"> <!-- <i class="fas fa-link anchor"></i> --> <svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 640 512"><use href="#fas-link"></use></svg>&nbsp; </a> </h2> <p>IAM is based on <strong>entities</strong> and <strong>policies</strong>.</p> <h3 id="iam-entities" class="heading">IAM Entities<a href="#iam-entities" aria-labelledby="iam-entities"> <!-- <i class="fas fa-link anchor"></i> --> <svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 640 512"><use href="#fas-link"></use></svg>&nbsp; </a> </h3> <ul> <li><strong>Users</strong>: Represent people or applications. Example: a developer named &ldquo;alice&rdquo;.</li> <li><strong>Groups</strong>: Collections of users sharing the same permissions.</li> <li><strong>Roles</strong>: IAM entities that can be temporarily assumed by others. Ideal for <strong>federation</strong> or services like EC2 or Lambda.</li> <li><strong>Policies</strong>: JSON documents that define permissions attached to an entity.</li> </ul> <h3 id="sample-json-policy" class="heading">Sample JSON Policy<a href="#sample-json-policy" aria-labelledby="sample-json-policy"> <!-- <i class="fas fa-link anchor"></i> --> <svg class="svg-inline--fa fas fa-link anchor" fill="currentColor" aria-hidden="true" role="img" viewBox="0 0 640 512"><use href="#fas-link"></use></svg>&nbsp; </a> </h3> <div class="mb-3 syntax-highlight"><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Version&#34;</span>: <span style="color:#e6db74">&#34;2012-10-17&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Statement&#34;</span>: [ </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Effect&#34;</span>: <span style="color:#e6db74">&#34;Allow&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Action&#34;</span>: <span style="color:#e6db74">&#34;s3:ListBucket&#34;</span>, </span></span><span style="display:flex;"><span> <span style="color:#f92672">&#34;Resource&#34;</span>: <span style="color:#e6db74">&#34;arn:aws:s3:::example_bucket&#34;</span> </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> ] </span></span><span style="display:flex;"><span>}</span></span></code></pre></div></div><p>This IAM policy allows an AWS entity (user, role, or group) to list the objects in a specific S3 bucket named <code>example_bucket</code>. It uses the standard IAM version format (<code>2012-10-17</code>) and allows the <code>s3:ListBucket</code> action on the resource identified by its ARN. It lets the entity see the list of objects (names, sizes, metadata), but not read or modify them—unless additional permissions are granted. This minimal policy is often used for inventory or bucket navigation via the AWS Console or API.</p>