AWS IAM

Expands to Identity and Access Management
IAM provides a one-stop platform for control of AWS account
It has a global perspective and implementation as users, groups, policies under IAM are accessible across regions and not regional IAM
SSO can be implemented under Identity Federation by SAML
Has provision for temporary access
IAM important terms
- Resources – Objects stored in IAM are resources. They can be added, edited or removed as per need. Resources includes
  - User
  - Group
  - Role
  - Policy
  - identity provider
- Identities – It is a reference for IAM resources and, applied for identification or grouping of IAM resources. Policy association is needed for IAM identity. Identity includes
  - Users
  - Groups
  - roles
- Entities – IAM resources used for authentication. It includes
  - users
  - roles – can be assumed by IAM users, in another account or federated by web identity or SAML.
- Principals – Refer to
  - Person/application using AWS account as root user
  - an IAM user
  - IAM role which can sign in or make requests to AWS.
Terms used
- User — an end user (like…a person)
- Groups — refers to set of users linked to a specific permissions
- Policies — a document that defines permissions (which you assign to users, groups, and roles)
- Roles — this has nothing to do with the users in account. Roles are for granting permissions to resources, like an EC2 instance (it can do other cool stuff too)

Default limits for IAM entities:

Resource	Default Limit
Customer managed policies in an AWS account	1500
Groups in an AWS account	300
Roles in an AWS account	1000
Managed policies attached to an IAM role	10
Managed policies attached to an IAM user	10
Count of virtual MFA devices whether assigned/unassigned, in AWS account	Equal to the user quota for the account
Instance profiles in an AWS account	1000
Server certificates stored in an AWS account	20

Limits for IAM entities:

Resource	Limit
Count of access keys, assigned to IAM user	2
Total Access keys which can be assigned to root user of the AWS account	2
Aliases for an AWS account	1
Maximum number of groups, IAM user can join	10
Count of IAM users which can be in IAM group	Equal to user quota for AWS account
Maximum number of users in AWS account	5000 (For more users, add by temporary security credentials.)
Maximum number of Identity providers (IdPs) linked to IAM SAML provider object	10
Count of Keys / SAML provider	10
Count of Login profiles for IAM user	1
Managed policies attached to IAM group	10
Count of Permissions boundaries for AWS IAM user	1
Count of MFA devices which can be used by IAM user	1
MFA devices to be used by root user	1
Count of roles in instance profile	1
Maximum SAML providers in single AWS account	100
Number of Signing certificates linked to IAM user	2
Count of SSH public keys linked to IAM user	5
Maximum tags which can link to IAM role	50
Maximum tags which can link to IAM user	50
Count of Versions of stored managed policy	5

The following are the maximum lengths for entities:

Description	Limit
Path	512 characters
User name	64 characters
Group name	128 characters
Role name	64 characters
Tag key	128 characters
Tag value	256 characters. Tag values can be empty.
Instance profile name	128 characters
Limit for Unique IDs created by IAM	128 characters
Policy name	128 characters
Password for a login profile	1 to 128 characters
Limit for AWS account ID Alias	3 to 63 characters
Limit for JSON text in Role trust policy	2,048 characters
Role session name	64 characters
Role session duration	12 hours
For inline policies	Total size of all inline policies / entity for each type, is as – User policy – 2,048 characters Role policy – 10,240 characters Group policy – 5,120 characters
For managed policies	Maximum 10 per IAM user, role, or group. Maximum size of each policy – 6,144 characters.