Resource-based policies are attached to the resource itself, e.g., an S3 bucket policy or an SQS queue policy
Specify which principals have access and what actions they can perform; the Principal element is required
Policy evaluation
Default deny: every request is implicitly denied until a policy allows it
Evaluate all applicable policies for the request: identity-based, resource-based, and session policies, SCPs, and permission boundaries
Explicit Deny in any applicable policy wins, regardless of any Allow elsewhere
Otherwise, Allow only if an explicit Allow exists and the limiting policies that apply (SCPs, permission boundary, session policy) also allow the action
Otherwise, implicit deny
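The evaluation order above as a runnable model, added here as an example (it is not AWS's implementation and not part of these notes): a small evaluator that applies the rules to constructed sample policies with placeholder ARNs. It ignores Condition elements, NotAction/NotResource, principal matching and session policies, and treats the permission boundary as a cap on identity-based allows only.

```python
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _effects(policy, action, resource):
    """Effects ('Allow'/'Deny') of the statements in one policy that match the request.
    IAM wildcards (* and ?) are treated like case-sensitive shell globs."""
    effects = set()
    for stmt in _as_list(policy.get("Statement", [])):
        action_match = any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        resource_match = any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*")))
        if action_match and resource_match:
            effects.add(stmt["Effect"])
    return effects


def evaluate(action, resource, identity=(), resource_policy=None, scps=(), boundary=None):
    """Simplified decision for a same-account request (a model, not AWS's full algorithm):
    explicit Deny anywhere wins; every SCP must allow; an identity-policy Allow counts
    only if the permission boundary (when attached) also allows; a resource-policy
    Allow counts on its own. Returns 'Allow' or 'Deny'."""
    applicable = list(identity) + list(scps)
    if resource_policy is not None:
        applicable.append(resource_policy)
    if boundary is not None:
        applicable.append(boundary)

    # 1. An explicit Deny in any applicable policy overrides every Allow.
    if any("Deny" in _effects(p, action, resource) for p in applicable):
        return "Deny"
    # 2. SCPs are guardrails: each one must contain an Allow for the action.
    if any("Allow" not in _effects(scp, action, resource) for scp in scps):
        return "Deny"
    # 3. Identity-based Allow, capped by the permission boundary if one is attached.
    identity_allows = any("Allow" in _effects(p, action, resource) for p in identity)
    if boundary is not None:
        identity_allows = identity_allows and "Allow" in _effects(boundary, action, resource)
    if identity_allows:
        return "Allow"
    # 4. A resource-based policy can grant access to a same-account principal by itself.
    if resource_policy is not None and "Allow" in _effects(resource_policy, action, resource):
        return "Allow"
    # 5. Nothing allowed it: implicit (default) deny.
    return "Deny"


# Constructed sample policies; account ID and bucket name are placeholders.
ADMIN = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_BUCKET_DELETE = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}
SCP_NO_IAM = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                            {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Principal": {"AWS": "arn:aws:iam::123456789012:user/reader"},
                                "Action": "s3:GetObject",
                                "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate("s3:GetObject", obj))                                   # Deny (default deny)
    print(evaluate("s3:GetObject", obj, identity=[ADMIN]))                 # Allow
    print(evaluate("ec2:RunInstances", "*", identity=[ADMIN], boundary=S3_ONLY_BOUNDARY))  # Deny (boundary)
    print(evaluate("iam:CreateUser", "*", identity=[ADMIN], scps=[SCP_NO_IAM]))           # Deny (SCP deny)
    print(evaluate("s3:DeleteBucket", "arn:aws:s3:::example-bucket",
                   identity=[ADMIN, DENY_BUCKET_DELETE]))                  # Deny (explicit deny wins)
    print(evaluate("s3:GetObject", obj, resource_policy=BUCKET_POLICY))    # Allow (resource policy alone)
```

The boundary case is the one worth internalising: an administrator-level identity policy plus an s3-only boundary yields Allow for S3 calls and Deny for everything else, while the boundary on its own grants nothing.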
Identity account pattern
Keep all IAM users and their passwords in a single identity account; every other account exposes only roles, which those users assume
Steps
Create the user in the identity account
In each account the user needs, create a cross-account role whose trust policy trusts the identity account
In the identity account, grant the user sts:AssumeRole on the role created above
External ID is an opaque string that the caller supplies to STS in the AssumeRole call and that the role's trust policy requires through the sts:ExternalId condition
Used when a third party assumes the role; it protects against the confused deputy problem (a partner holding one customer's role cannot reuse it for another customer without that customer's ID)
Not supported by the console's switch-role UI, so the role must be assumed via the API, CLI, or an SDK
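The three steps above together with the External ID condition, as an added example (not from these notes; account IDs, role name, session name and external ID are placeholders): the trust policy for the cross-account role in the target account, the identity-account policy that lets the user switch to it, and the STS call a third party makes. Only the policy builders run offline; assume_with_external_id needs boto3 and real credentials.

```python
import json

IDENTITY_ACCOUNT = "111111111111"  # placeholder: account that holds the IAM users
TARGET_ACCOUNT = "222222222222"    # placeholder: account that owns the resources
ROLE_NAME = "CrossAccountAuditor"  # placeholder


def trust_policy(trusted_account, external_id=None):
    """Trust policy attached to the role in the target account: says who may assume it.
    Trusting the account root delegates the 'which user' decision to that account's
    own IAM policies, which is exactly what the identity account pattern wants.
    When external_id is given, AssumeRole succeeds only if the caller passes it."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_policy(target_account, role_name):
    """Identity-based policy in the identity account: lets the user switch to the role.
    Scoped to one role ARN rather than '*' so the user cannot assume anything else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{target_account}:role/{role_name}",
        }],
    }


def assume_with_external_id(role_arn, external_id, session_name="audit-session"):
    """Assume the role through STS, supplying the external ID the trust policy demands.
    Returns a boto3 Session built from the temporary credentials. Needs boto3 and
    credentials for the identity account, so it is not exercised offline."""
    import boto3
    sts = boto3.client("sts")
    resp = sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name, ExternalId=external_id)
    creds = resp["Credentials"]
    return boto3.Session(aws_access_key_id=creds["AccessKeyId"],
                         aws_secret_access_key=creds["SecretAccessKey"],
                         aws_session_token=creds["SessionToken"])


if __name__ == "__main__":
    # Step 2: trust policy for the role created in the target account (third-party variant).
    print(json.dumps(trust_policy(IDENTITY_ACCOUNT, external_id="c0ffee-partner-42"), indent=2))
    # Step 3: permission granted to the user in the identity account.
    print(json.dumps(assume_role_policy(TARGET_ACCOUNT, ROLE_NAME), indent=2))
```

Treat the external ID as a shared identifier, not a secret: it stops a partner from being tricked into using your role on someone else's behalf, but it does not replace the trust policy's Principal restriction.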
Permission boundaries
Set the maximum permissions that identity-based policies can grant to an IAM user or role; the effective permissions are the intersection of the boundary and the identity-based policies, and the boundary itself grants nothing
Version defaults to 2008-10-17 if not set; always set it to 2012-10-17, which is required for features such as policy variables
Principal defines who the statement applies to, e.g., an IAM user, federated user, IAM role, AWS service, or account
Cannot be used in identity-based policies, where the principal is implicitly the user, group, or role the policy is attached to
NotPrincipal combined with Deny explicitly denies access to every principal except those listed; the listed principals still need an Allow in their identity-based policies, since NotPrincipal grants nothing by itself
Condition specifies when the statement is in effect, using condition keys such as sts:ExternalId
Service roles are roles that an AWS service assumes to perform actions on your behalf; the trust policy names the service as the principal
Passing a role assigns a role to a resource managed by a service (for example when a function or instance is configured); the service then assumes that role and acts on your behalf
The caller must hold iam:PassRole for that role; scope it to specific role ARNs (and, where possible, the iam:PassedToService condition key), because iam:PassRole on * lets a user escalate by attaching a more privileged role to a service they control
Once a role has been passed and associated with a resource, any user permitted to operate that resource can exercise the role's permissions even without iam:PassRole
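Service role trust and least-privilege iam:PassRole, as an added example (not from these notes; role ARNs and service names are placeholders): the service-role trust policy, a weak PassRole grant beside its scoped form, and a small check that shows why the weak one is a privilege-escalation path. The check models only Allow statements and the iam:PassedToService condition key; it is not AWS's evaluator.

```python
from fnmatch import fnmatchcase

ADMIN_ROLE = "arn:aws:iam::123456789012:role/AdminRole"             # placeholder
LAMBDA_ROLE = "arn:aws:iam::123456789012:role/OrderProcessorRole"   # placeholder
LAMBDA_SERVICE = "lambda.amazonaws.com"


def service_role_trust_policy(service):
    """Trust policy of a service role: the named service principal may assume it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": service},
                           "Action": "sts:AssumeRole"}]}


# Weak: the user may hand *any* role in the account, including AdminRole, to any service.
WEAK_PASSROLE = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}


def scoped_passrole_policy(role_arn, service):
    """Hardened: only the named role, and only when it is passed to the named service."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "iam:PassRole",
                           "Resource": role_arn,
                           "Condition": {"StringEquals": {"iam:PassedToService": service}}}]}


def may_pass(policy, role_arn, service):
    """Allow-only check: does this identity-based policy let the caller pass role_arn
    to service? Explicit denies and other condition keys are not modelled."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] != "Allow" or not any(fnmatchcase("iam:PassRole", a) for a in actions):
            continue
        if not any(fnmatchcase(role_arn, r) for r in resources):
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("iam:PassedToService")
        if required is not None and required != service:
            continue
        return True
    return False


if __name__ == "__main__":
    hardened = scoped_passrole_policy(LAMBDA_ROLE, LAMBDA_SERVICE)
    # The weak grant lets a developer create a function running as AdminRole: escalation.
    print(may_pass(WEAK_PASSROLE, ADMIN_ROLE, LAMBDA_SERVICE))   # True
    # The scoped grant allows the intended pairing only.
    print(may_pass(hardened, LAMBDA_ROLE, LAMBDA_SERVICE))       # True
    print(may_pass(hardened, ADMIN_ROLE, LAMBDA_SERVICE))        # False
    print(may_pass(hardened, LAMBDA_ROLE, "ec2.amazonaws.com"))  # False
```

Pair the scoped PassRole grant with a trust policy that names only the intended service: the trust policy bounds who can assume the role, and iam:PassRole bounds who can hand it out.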