To protect the resources inside an AWS account you need to manage who can do what. The IAM service defines who can access the account and what they are, and are not, allowed to do.
But access control is not easy. There are many concepts, such as principals and policies, that seem overwhelming at first.
This book is a comprehensive yet practical guide for access control in AWS.
When I started out with AWS, I felt IAM was an obstacle, making everything a lot harder than necessary. Everything was hidden behind technical jargon and it wasn't intuitive at all where to configure things. Then its JSON policy structure required a lot of searching for solutions. IAM was in my way whatever I wanted to do.
After a bit of learning, I started to see the underlying logic behind all that obscure terminology that felt so distant at first. The identities and the types and structure of the policies all fit into a bigger picture that defines the security posture of an account.
AWS offers several other security services: Security Hub, Config, CloudTrail, GuardDuty, to name a few. They are great for detecting problems or helping with investigations.
But all of them are a second line of defense. The security of an account depends on the configuration of who can do what. Intrusion detection and logging are secondary to access control.
This book has all the information you need, in an easy-to-follow format, to understand IAM and use it effectively. You'll learn:
Access control basics
Where IAM controls access
Inline and managed policies
Service Control Policy (SCP)
Step 1: Build the request context
Step 2: Collect all applicable policies
Step 3: Run the evaluation logic
Identity policies to allow access
Resource policy to deny access
Resource policy to allow access
Tag-based access control
How to secure an AWS account
Security as an AWS administrator
Do not reuse credentials
Minimize the number of policies
Use separate accounts via Organizations
Implement least privilege
Minimize transitive permissions
Use monitoring and logging
Security as a developer
Follow an additive permission strategy
Use roles instead of users where possible
Maintain an identical test environment
Automate security checks
I'm a software developer focusing mostly on cloud computing and web technologies. I'm especially interested in how to handle edge cases to end up with dependable software.
One of my main focuses is security and how each part affects the whole system. I'm an AWS-certified security specialist.
The book is available from these stores: