chore(aws/iam): add quick quotas references

This commit is contained in:
Michele Cereda
2025-08-19 00:16:15 +02:00
parent f72db3ce28
commit a675694d32


@@ -114,12 +114,14 @@ Refer [IAM user groups].
Collections of IAM users.<br/> Collections of IAM users.<br/>
They allow to specify permissions for multiple users. They allow to specify permissions for multiple users.
Groups can be assigned Policies. Any User in a Group inherits the Group's permissions. Groups can be assigned Policies.<br/>
Any User in a Group inherits all of that Group's permissions.
Groups **cannot** be used as Principals in a Policy.<br/> Groups **cannot** be used as Principals in a Policy.<br/>
Groups relate to permissions, not authentication, and Principals are authenticated IAM entities. Groups relate to permissions, not authentication, and Principals are authenticated IAM entities.
One Group can contain many Users, and one User can belong to multiple Groups. One Group can contain many Users, and one User can belong to up to 10 Groups at any time.<br/>
That limit is a hard limit, and **cannot** be increased in the account's quotas.
Groups can contain only Users, not Roles nor other Groups. Groups can contain only Users, not Roles nor other Groups.
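Review bot: the new sentence "That limit is a hard limit, and **cannot** be increased in the account's quotas" states a concrete quota value with no citation, while the page already has a `[IAM and AWS STS quotas]` reference (see the reference list further down); suggest linking it inline, e.g. "Refer [IAM and AWS STS quotas]." right after that sentence, so readers can verify the value if AWS changes it. Minor wording: "That limit is a hard limit" reads better as "This is a hard limit that **cannot** be increased via Service Quotas."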
@@ -136,14 +138,17 @@ Define which _actions_ are available for _principals_ on which _resources_ under
Their _effect_ can be to `allow` or `deny` such actions. A `deny` statement **always overwrites** `allow` statements. Their _effect_ can be to `allow` or `deny` such actions. A `deny` statement **always overwrites** `allow` statements.
> Watch out for explicit `Deny` statements, as they could prevent users from do seemingly completely unrelated things - > Watch out for explicit `Deny` statements, as they could prevent users from do seemingly completely unrelated things -
> like accessing a Pulumi state file in a S3 bucket when an explicit `Deny` statement blocks IAM users from listing IAM > like accessing an object in a S3 bucket when an explicit `Deny` statement blocks IAM Users from listing IAM Groups
> Groups when they are not logged in with MFA. > when they are not logged in with MFA.
Mostly stored as structured JSON documents.<br/> Mostly stored as structured JSON documents.<br/>
Each Policy comes with one or several _statements_. Each statement defines an effect. Each Policy comes with one or several _statements_. Each statement defines an effect.
IAM does **not** expose Policies' `Sid` element in the IAM API, so it **cannot** be used to filter retrieved statements. IAM does **not** expose Policies' `Sid` element in the IAM API, so it **cannot** be used to filter retrieved statements.
A User, Role or Group can have up to 10 policies by default.<br/>
This limit can be increased to 20 via quotas only for Users and Roles.
Logical evaluation: Logical evaluation:
- **Statements** in a Policy operate in an `OR` fashion.<br/> - **Statements** in a Policy operate in an `OR` fashion.<br/>
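Review bot: the new lines "A User, Role or Group can have up to 10 policies by default. This limit can be increased to 20 via quotas only for Users and Roles." do not say which kind of policy is counted; IAM limits attached *managed* policies per entity by count, while inline policies are bounded by their aggregate size rather than by number, so suggest "up to 10 **managed** policies attached" and a pointer to [IAM and AWS STS quotas] where the "only for Users and Roles" claim can be checked. Unrelated nit in the touched blockquote: "prevent users from do seemingly completely unrelated things" should read "from doing".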
@@ -450,7 +455,7 @@ UserId: AROA2HKHF74L72AABBCCDD:botocore-session-1234567890
[creating a role to delegate permissions to an iam user]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html [creating a role to delegate permissions to an iam user]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
[how can i monitor the account activity of specific iam users, roles, and aws access keys?]: https://repost.aws/knowledge-center/view-iam-history [how can i monitor the account activity of specific iam users, roles, and aws access keys?]: https://repost.aws/knowledge-center/view-iam-history
[how to use the passrole permission with iam roles]: https://aws.amazon.com/blogs/security/how-to-use-the-passrole-permission-with-iam-roles/ [how to use the passrole permission with iam roles]: https://aws.amazon.com/blogs/security/how-to-use-the-passrole-permission-with-iam-roles/
[iam and aws sts quotas]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html [IAM and AWS STS quotas]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html
[iam json policy elements: principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html [iam json policy elements: principal]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
[iam json policy elements: sid]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html [iam json policy elements: sid]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_sid.html
[iam roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html [iam roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
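Review bot: the reference label `[iam and aws sts quotas]` is renamed to `[IAM and AWS STS quotas]` while every other label in this list stays lowercase. Markdown reference labels match case-insensitively, so existing `[iam and aws sts quotas]` links still resolve, but for consistency keep the label lowercase (or, if the capitalised form is wanted, apply the same convention to the whole list).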