> AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. (https://aws.amazon.com/iam/)
## Concepts
### Policy types
AWS supports five types of policy, each applying to a different scope: [^fn1]
[^fn1]: [Effective IAM for AWS (book)](https://www.effectiveiam.com/ch2-control-access-to-any-resource) by [[@Stephen Kuenzli]]
![[effective-iam-policy-types-table.png]]
- [[IAM Permissions Boundary]]
- [[IAM SigV4 signing process]]
## Tools
- [Review last accessed roles and permissions](https://aws.amazon.com/blogs/security/review-last-accessed-information-to-identify-unused-ec2-iam-and-lambda-permissions-and-tighten-access-for-iam-roles/)
- [`serverless-iam-roles-per-function`](https://github.com/functionalone/serverless-iam-roles-per-function) - [[Serverless Framework]] plugin for defining least-privilege IAM permissions at a per-function level (as opposed to the per-service level, which is the framework default)
- [Changelog of IAM permissions](https://www.awsiamchanges.com)
- [awsiam.info - IAM Search](https://www.awsiam.info) - quickly search for specific permissions across all services
## See also
- [[Create IAM user for new AWS account administrator]]
---
## References
- [IAM Service Authorization Reference (official AWS docs)](https://docs.aws.amazon.com/service-authorization/latest/reference/reference.html) - what permissions are available for every service and what format ARNs take
- [AWS Authentication: Principals in AWS IAM](https://ben11kehoe.medium.com/principals-in-aws-iam-38c4a3dc322a) by [[@Ben Kehoe]]