Identity & Access Management

🔥 Vibe Prompt

"Design an IAM system with RBAC for a SaaS: admin, editor, viewer roles. Implement with AWS IAM."

RBAC Model

Users → Groups → Roles → Permissions

Example:
- Alice → Engineering Group → Developer Role → EC2, ECR access
- Bob → Finance Group → Finance Role → S3 billing bucket read
- Eve → Admin Group → Admin Role → Full access

AWS IAM

```hcl
# Groups
resource "aws_iam_group" "developers" { name = "developers" }
resource "aws_iam_group" "admins" { name = "admins" }

# Policies: allow read-style EC2/ECR/S3 actions, explicitly deny anything
# touching IAM or Organizations so a developer cannot escalate privileges
resource "aws_iam_group_policy" "developers" {
  name  = "developer-policy"
  group = aws_iam_group.developers.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = ["ec2:Describe*", "ecr:GetDownloadUrlForLayer", "s3:ListBucket"]
        Resource = "*"
      },
      {
        Effect = "Deny"
        Action = ["iam:*", "organizations:*"]
        Resource = "*"
      }
    ]
  })
}

# Users: aws_iam_user has no "groups" argument; membership is a separate
# resource, so permissions are inherited from the group, not set per user
resource "aws_iam_user" "alice" {
  name = "alice"
}

resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.developers.name]
}
```

Permission Boundaries

A boundary caps what any identity policy can grant: the effective permissions are the intersection of the boundary and the attached policies, so a user can never exceed the boundary even if an over-broad policy is attached later.

```hcl
# User can't exceed boundary permissions
resource "aws_iam_policy" "boundary" {
  name = "developer-boundary"
  policy = jsonencode({
    Version = "2012-10-17" # required; omitting it selects the legacy 2008 grammar
    Statement = [{
      Effect = "Allow"
      Action = ["ec2:*", "s3:*", "ecr:*"]
      Resource = "*"
    }, {
      Effect = "Deny"
      Action = ["iam:*", "organizations:*", "account:*"]
      Resource = "*"
    }]
  })
}

# The boundary does nothing until it is attached to the user
resource "aws_iam_user" "alice" {
  name                 = "alice"
  permissions_boundary = aws_iam_policy.boundary.arn
}
```

IAM Best Practices

| Practice | Why |
|----------|-----|
| Least privilege | Minimize blast radius |
| Use groups | Manage by role, not individual |
| Permission boundaries | Limit max permissions |
| Access key rotation | 90 days max |
| MFA for all | Prevent credential theft |
| No root user keys | Root = break glass only |
| Audit with IAM Access Analyzer | Find unused permissions |

IAM vs SSO

IAM: AWS-native users, good for small teams
SSO (IAM Identity Center): centralized access across AWS accounts, federated with an external identity provider such as Okta or Azure AD
→ Use SSO for >10 users

Conditions for Extra Security

Both keys must match for the statement to apply: the request must originate from the office range (203.0.113.0/24) and the caller must have authenticated with MFA (`aws:MultiFactorAuthPresent`). Note that this key is absent, not `false`, for requests signed with long-term access keys, which is why testing for `"true"` inside an Allow statement is the safe form; a Deny that tests for `"false"` would need `BoolIfExists` to catch those requests.

```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": "203.0.113.0/24"
  },
  "Bool": {
    "aws:MultiFactorAuthPresent": "true"
  }
}
```
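To make the evaluation rules behind the Permission Boundaries and Conditions sections concrete, here is an added, simplified policy evaluator (not AWS code and not part of this tutorial): explicit Deny beats Allow, unmatched actions are implicitly denied, a boundary is intersected with the identity policy, and the IpAddress/Bool conditions are checked against a request context. The policy documents are constructed to mirror the page's developer policy, boundary and Condition block, with the Condition assumed to sit on the developer Allow statement and Resource assumed to be "*" throughout.

```python
"""Simplified IAM evaluation mirroring the policies on this page."""
import fnmatch
import ipaddress

# Constructed from the page's developer-policy and developer-boundary; the
# page's Condition block is assumed to be attached to the developer Allow.
DEVELOPER_POLICY = [
    {"Effect": "Allow",
     "Action": ["ec2:Describe*", "ecr:GetDownloadUrlForLayer", "s3:ListBucket"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*"]},
]
DEVELOPER_BOUNDARY = [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "ecr:*"]},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "account:*"]},
]

def condition_holds(cond, ctx):
    """Check the two operators used on the page; every key must match."""
    for key, cidr in cond.get("IpAddress", {}).items():
        src = ctx.get(key)
        if src is None or ipaddress.ip_address(src) not in ipaddress.ip_network(cidr):
            return False
    for key, want in cond.get("Bool", {}).items():
        # A missing key (e.g. no MFA on a long-term access key) is not "true"
        if str(ctx.get(key, "false")).lower() != want.lower():
            return False
    return True

def evaluate(statements, action, ctx):
    """Return 'Allow' or 'Deny' for a single policy document."""
    effects = set()
    for st in statements:
        acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        # Action matching is case-insensitive and supports * and ? wildcards
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in acts):
            continue
        if condition_holds(st.get("Condition", {}), ctx):
            effects.add(st["Effect"])
    if "Deny" in effects:
        return "Deny"                                      # explicit deny wins
    return "Allow" if "Allow" in effects else "Deny"       # implicit deny

def effective(identity, boundary, action, ctx):
    """With a boundary attached, both documents must allow the action."""
    if evaluate(boundary, action, ctx) == "Deny":
        return "Deny"
    return evaluate(identity, action, ctx)
```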
