Identity & Access Management
Vibe Prompt
"Design an IAM system with RBAC for a SaaS: admin, editor, viewer roles. Implement with AWS IAM."
RBAC Model
Users → Groups → Roles → Permissions
Example:
- Alice → Engineering Group → Developer Role → EC2, ECR access
- Bob → Finance Group → Finance Role → S3 billing bucket read
- Eve → Admin Group → Admin Role → Full access
AWS IAM
```hcl
# Groups
resource "aws_iam_group" "developers" { name = "developers" }
resource "aws_iam_group" "admins" { name = "admins" }

# Policies
resource "aws_iam_group_policy" "developers" {
  name  = "developer-policy"
  group = aws_iam_group.developers.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["ec2:Describe*", "ecr:GetDownloadUrlForLayer", "s3:ListBucket"]
        Resource = "*"
      },
      {
        # An explicit Deny wins over any Allow, including one granted elsewhere.
        Effect   = "Deny"
        Action   = ["iam:*", "organizations:*"]
        Resource = "*"
      }
    ]
  })
}

# Users
resource "aws_iam_user" "alice" {
  name = "alice"
  # Caps alice's effective permissions with the boundary defined under Permission Boundaries.
  permissions_boundary = aws_iam_policy.boundary.arn
}

# aws_iam_user has no "groups" argument; group membership is its own resource.
resource "aws_iam_user_group_membership" "alice" {
  user   = aws_iam_user.alice.name
  groups = [aws_iam_group.developers.name]
}
```
Permission Boundaries
```hcl
# A boundary caps what any identity policy can grant: the user's effective
# permissions are the intersection of their identity policies and this boundary.
resource "aws_iam_policy" "boundary" {
  name = "developer-boundary"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:*", "s3:*", "ecr:*"]
      Resource = "*"
    }, {
      Effect   = "Deny"
      Action   = ["iam:*", "organizations:*", "account:*"]
      Resource = "*"
    }]
  })
}
```
IAM Best Practices
| Practice | Why |
|----------|-----|
| Least privilege | Minimize blast radius |
| Use groups | Manage by role, not individual |
| Permission boundaries | Limit max permissions |
| Access key rotation | 90 days max |
| MFA for all | Prevent credential theft |
| No root user keys | Root = break glass only |
| Audit with IAM Access Analyzer | Find unused permissions |
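Three rows of the table (key rotation, MFA for all, no root keys) can be checked mechanically from the IAM credential report. The script below is an added example, not AWS tooling or code from this page: it parses a constructed report in the report's CSV layout (a subset of the real columns; the full report comes from `aws iam get-credential-report`, base64-encoded) and flags the violations. The users, account id and dates are constructed.

```python
"""Check a constructed IAM credential report against three rows of the table:
access keys older than 90 days, identities without MFA, and access keys on
the root user.

Added example, not AWS tooling. The CSV below uses a subset of the real
report's columns (the full report comes from `aws iam get-credential-report`,
base64-encoded); the users, account id and dates are constructed."""
import csv
from datetime import datetime, timedelta, timezone
from io import StringIO

MAX_KEY_AGE = timedelta(days=90)
# Fixed "now" so the findings are reproducible (constructed).
AUDIT_AS_OF = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,true,true,2023-01-10T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,true,2024-05-01T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,false,true,2024-01-15T08:30:00+00:00,false,N/A
eve,arn:aws:iam::111122223333:user/eve,true,false,N/A,false,N/A
"""


def _parse_date(value):
    # The report uses N/A / not_supported / no_information where no date exists.
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now):
    """Return (user, finding) pairs for rows that violate the practices."""
    findings = []
    for row in csv.DictReader(StringIO(report_csv)):
        user = row["user"]
        active_keys = [(n, _parse_date(row[f"access_key_{n}_last_rotated"]))
                       for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>" and active_keys:
            findings.append((user, "root user has active access keys"))
        if row["mfa_active"] != "true":
            findings.append((user, "MFA not enabled"))
        for n, rotated in active_keys:
            # A key with no rotation date is treated as overdue, not ignored.
            if rotated is None or now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than 90 days"))
    return findings


def sample_findings():
    return audit_credential_report(SAMPLE_REPORT, AUDIT_AS_OF)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user:15} {finding}")
```

Running it prints two findings for the root account (active key, and that key is overdue) and two for bob (no MFA, key older than 90 days); alice and eve are clean. Feeding it a real report only requires decoding the `Content` field of `get-credential-report` and passing the current UTC time instead of `AUDIT_AS_OF`.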
IAM vs SSO
IAM: AWS-native users, good for small teams
SSO (IAM Identity Center): centralized across AWS accounts, federates with Okta or Azure AD
→ Use SSO for >10 users
Conditions for Extra Security
Add a Condition element to an Allow statement so it applies only when the request context matches. The block below allows the action only from the office CIDR (203.0.113.0/24) and only when the caller authenticated with MFA; JSON has no comment syntax, so the annotations live here rather than inside the policy:
```json
"Condition": {
  "IpAddress": {
    "aws:SourceIp": "203.0.113.0/24"
  },
  "Bool": {
    "aws:MultiFactorAuthPresent": "true"
  }
}
```
Two caveats: aws:SourceIp is the public address the request reaches AWS from, so requests that arrive through a VPC endpoint or that an AWS service makes on the caller's behalf may not carry it and will fail this check; and aws:MultiFactorAuthPresent is absent for requests signed with long-term access keys, so a plain Bool check also blocks non-MFA programmatic calls (BoolIfExists is the lenient form, normally used only in Deny statements).
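To make the evaluation rules on this page concrete (user → groups → policies, explicit Deny beating Allow, effective permissions as the intersection of identity policy and permission boundary, and the IP/MFA Condition keys), here is a toy evaluator as an added example. It is not AWS code and is not the page's own: real IAM evaluation also covers resource policies, SCPs, session policies, NotAction/NotResource and many more condition operators. The users, groups, ARNs and the over-broad inline policy on alice are constructed to mirror the Terraform above.

```python
"""Toy evaluator for the page's RBAC chain (user -> groups -> policies),
explicit Deny, permission boundaries and Condition keys.

Added example, not AWS code: real IAM evaluation also covers resource
policies, SCPs, session policies, NotAction/NotResource and many more
condition operators. The users, groups and ARNs below are constructed."""
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network

OFFICE = {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
          "Bool": {"aws:MultiFactorAuthPresent": "true"}}

# Constructed RBAC data: group membership and group policies.
GROUPS = {"alice": ["developers"], "bob": ["finance"], "eve": ["admins"]}
GROUP_POLICIES = {
    "developers": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ecr:GetDownloadUrlForLayer", "s3:ListBucket"]},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*"]},
    ],
    "finance": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::billing-reports", "arn:aws:s3:::billing-reports/*"]},
    ],
    # Admin access is usable only from the office CIDR with MFA (the page's Condition).
    "admins": [{"Effect": "Allow", "Action": "*", "Condition": OFFICE}],
}
# An over-broad policy someone attached directly to alice (constructed);
# the permission boundary is what keeps it from being usable.
USER_POLICIES = {"alice": [{"Effect": "Allow", "Action": "lambda:*"}]}
BOUNDARIES = {
    "alice": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:*", "ecr:*"]},
        {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "account:*"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_ok(statement, ctx):
    cond = statement.get("Condition", {})
    nets = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
    if nets:
        src = ctx.get("aws:SourceIp")
        if src is None or not any(ip_address(src) in ip_network(n) for n in nets):
            return False
    for key, wanted in cond.get("Bool", {}).items():
        # Plain Bool fails when the key is absent from the request context
        # (e.g. no MFA info on access-key calls); BoolIfExists would pass.
        if key not in ctx or str(ctx[key]).lower() != wanted.lower():
            return False
    return True


def evaluate(statements, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one set of statements."""
    decision = "ImplicitDeny"
    for s in statements:
        if not (_matches(s["Action"], action) and _matches(s.get("Resource", "*"), resource)
                and _condition_ok(s, ctx)):
            continue
        if s["Effect"] == "Deny":
            return "Deny"          # explicit deny wins over any allow
        decision = "Allow"
    return decision


def is_allowed(user, action, resource="*", ctx=None):
    ctx = ctx or {}
    identity = [s for g in GROUPS.get(user, []) for s in GROUP_POLICIES[g]]
    identity += USER_POLICIES.get(user, [])
    if evaluate(identity, action, resource, ctx) != "Allow":
        return False
    # Effective permissions = identity policies AND boundary: the boundary
    # must also allow the action, and its explicit denies still apply.
    boundary = BOUNDARIES.get(user)
    return boundary is None or evaluate(boundary, action, resource, ctx) == "Allow"


if __name__ == "__main__":
    office_mfa = {"aws:SourceIp": "203.0.113.7", "aws:MultiFactorAuthPresent": True}
    for who, act, res, c in [
        ("alice", "ec2:DescribeInstances", "*", {}),
        ("alice", "lambda:InvokeFunction", "*", {}),
        ("bob", "s3:GetObject", "arn:aws:s3:::billing-reports/2024.csv", {}),
        ("eve", "iam:CreateUser", "*", office_mfa),
        ("eve", "iam:CreateUser", "*", {"aws:SourceIp": "198.51.100.7"}),
    ]:
        print(f"{who:5} {act:24} {res:45} -> {is_allowed(who, act, res, c)}")
```

The interesting cases are alice's `lambda:InvokeFunction` (allowed by her identity policy, denied because the boundary never mentions Lambda) and eve's `iam:CreateUser`, which flips to denied the moment either the source IP leaves the office range or the MFA key is missing or false. For the real thing, `aws iam simulate-principal-policy` runs the same kind of what-if against live policies.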