From a675694d32529fd435fcf86555bd2afd031b3b4a Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Tue, 19 Aug 2025 00:16:15 +0200 Subject: [PATCH] chore(aws/iam): add quick quotas references --- knowledge base/cloud computing/aws/iam.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/knowledge base/cloud computing/aws/iam.md b/knowledge base/cloud computing/aws/iam.md index 827386d..44f51a6 100644 --- a/knowledge base/cloud computing/aws/iam.md +++ b/knowledge base/cloud computing/aws/iam.md @@ -114,12 +114,14 @@ Refer [IAM user groups]. Collections of IAM users.
They allow to specify permissions for multiple users. -Groups can be assigned Policies. Any User in a Group inherits the Group's permissions. +Groups can be assigned Policies.
+Any User in a Group inherits all of that Group's permissions. Groups **cannot** be used as Principals in a Policy.
Groups relate to permissions, not authentication, and Principals are authenticated IAM entities. -One Group can contain many Users, and one User can belong to multiple Groups. +One Group can contain many Users, and one User can belong to up to 10 Groups at any time.
+That limit is a hard limit, and **cannot** be increased in the account's quotas. Groups can contain only Users, not Roles nor other Groups. @@ -136,14 +138,17 @@ Define which _actions_ are available for _principals_ on which _resources_ under Their _effect_ can be to `allow` or `deny` such actions. A `deny` statement **always overwrites** `allow` statements. > Watch out for explicit `Deny` statements, as they could prevent users from do seemingly completely unrelated things - -> like accessing a Pulumi state file in a S3 bucket when an explicit `Deny` statement blocks IAM users from listing IAM -> Groups when they are not logged in with MFA. +> like accessing an object in a S3 bucket when an explicit `Deny` statement blocks IAM Users from listing IAM Groups +> when they are not logged in with MFA. Mostly stored as structured JSON documents.
Each Policy comes with one or several _statements_. Each statement defines an effect. IAM does **not** expose Policies' `Sid` element in the IAM API, so it **cannot** be used to filter retrieved statements. +A User, Role or Group can have up to 10 policies by default.
+This limit can be increased to 20 via quotas only for Users and Roles. + Logical evaluation: - **Statements** in a Policy operate in an `OR` fashion.
@@ -450,7 +455,7 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890 [creating a role to delegate permissions to an iam user]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html [how can i monitor the account activity of specific iam users, roles, and aws access keys?]: https://repost.aws/knowledge-center/view-iam-history [how to use the passrole permission with iam roles]: https://aws.amazon.com/blogs/security/how-to-use-the-passrole-permission-with-iam-roles/ -[iam and aws sts quotas]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html +[IAM and AWS STS quotas]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html [iam json policy elements: principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html [iam json policy elements: sid]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html [iam roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
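Review bot: in the first hunk (`@@ -114,12 +114,14 @@`), the new line `+That limit is a hard limit, and **cannot** be increased in the account's quotas.` states a quota value and its adjustability without a source, although this same patch maintains an `[IAM and AWS STS quotas]` reference definition in the last hunk. Link it where the number appears, for example `...one User can belong to up to 10 Groups (refer [IAM and AWS STS quotas]).`, so a reader can check the value if AWS changes it; "at any time" adds nothing to "up to 10 Groups" and can be dropped.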
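Review bot: in the second hunk (`@@ -136,14 +138,17 @@`), `+A User, Role or Group can have up to 10 policies by default.` does not say which policies are counted. Managed and inline policies are governed by different quotas (inline policies are bounded by aggregate size, not by count), so as written the line can be read as forbidding an eleventh inline policy. If this is the managed-policy attachment quota, say so: `A User, Role or Group can have up to 10 managed policies attached by default.`, and point the `+This limit can be increased to 20 via quotas only for Users and Roles.` claim at `[IAM and AWS STS quotas]` as well. While touching the surrounding quote, the unchanged context line `> Watch out for explicit \`Deny\` statements, as they could prevent users from do seemingly` should read `from doing`.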
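Review bot: in the last hunk (`@@ -450,7 +455,7 @@`), renaming the definition from `[iam and aws sts quotas]` to `[IAM and AWS STS quotas]` is cosmetic and breaks the file's convention: every neighbouring definition is lowercase, and Markdown reference labels match case-insensitively, which the context line `Refer [IAM user groups].` already relies on. Keep the lowercase definition and instead add a `[IAM and AWS STS quotas]` usage next to the new quota sentences in the earlier hunks, which currently carry no reference despite the commit subject `add quick quotas references`.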