Identity and Access Management

There would be no easy way to control resource usage by project or class​

There would be no effective limits on the effect of an action, making it more likely for unintended and unwanted consequences to result​

Since root has full permissions over your account resources, an account compromise at the hands of hackers would be catastrophic​

It would make it difficult to track which account user is responsible for specific actions​

The Action element refers to the way IAM will react to a request​

The * character applies an element globally—as broadly as possible​

The Resource element refers to the third-party identities that will be allowed to access the account​

The Effect element refers to the anticipated resource state after a request is granted​

Never use the account to perform any administration operations​

Enable multifactor authentication (MFA)​

Assign a long and complex password​

Delete all access keys​

It enhances security by consolidating resources​

It simplifies the management of user permissions​

It allows for quicker response times to service interruptions​

It simplifies locking down the root user​

Give your application users temporary, controlled access to other services in your AWS account​

Add user sign-up and sign-in to your applications​

Incorporate encryption infrastructure into your application lifecycle​

Deliver up-to-date credentials to authenticate RDS database requests​

Change the password and MFA settings for the root account​

Delete and re-create all existing IAM policies​

Change he passwords for all your IAM users​

Delete the former employee’s own IAM user (within the company account)​

Action

Region

Effect

Resource

“Target”: “ec2:*”​

“Action”: “ec2:*”​

“Resource”: “ec2:*”​

“Effect”: “Allow”​

Give your application users temporary, controlled access to other services in your AWS account​

Add user sign-up and sign-in to your applications​

Incorporate encryption infrastructure into your application lifecycle​

Deliver up-to-date credentials to authenticate RDS database requests​

Provide AWS resources with access to AWS services​

Provide access to externally authenticated users​

Switch roles to access resources in another AWS account (cross-account access)​

Do not support providing access to third parties​