Users & Groups

Global Service
Controls access to AWS services.
Uses roles, policies, and users.
Root account created by default, shouldn’t be used or shared.
Users are people within your organization, and can be grouped.
Groups only contain users not other groups
Users don’t have to belong to a group, and user can belong to multiple groups.

When we created an account on AWS we created a root acount by default. This is root user of our account. You should use this only when creating your account. You shouldn’t use that account anymore or even share it. What should you do then? Create users.

So why do we create users and why do we create groups? Because we want to allow them to use our AWS accounts and allow to them to do so, we have to give them permissions.

Permissions

Users or groups can be assigned JSON documents called policies.
These policies define the permissons of the users.
In AWS you apply the least privilege principle: don’t give more permissions than a user needs.

Policies Structure

{
  "Version": "2012-10-17",
  "Id": "S3-Account-Permissions",
  "Statement": [
    {
	    "Sid": "1",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-bucket"
    },
    {
      "Effect": "Allow",
      "Principal": {
	      "AWS": ["arn:aws:iam::123456789012:root"]
	     },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Users & Groups

Permissions

Policies Structure

1. "Version": "2012-10-17"

1. `"Version": "2012-10-17"`