IAM policies provide security depth
1. IAM policies provide security depth
It’s important to know who has access to what. In security, making sure the appropriate people can (or can’t) access certain things is essential to maintaining strong security measures. In this video, we’ll explore identity and access management, or IAM. Let’s cover some key parts of IAM: roles, principals, and policies. Roles are a collection of permissions that can be applied to principals. Permissions determine the actions a principal can take. And principals represent either an end user or an application. Principals can take several forms, like a Google account for end users, or service accounts for workloads and applications. A service account is a non-human identity that is typically granted to virtual machines, applications, and services. They’re granted IAM roles to perform certain actions. Principals are assigned a role that grants permissions, rules, policies, or constraints. Depending on these role assignments, principals are then granted access to their organization’s applications and resources. So, to recap, roles are a way to organize the permissions of each principal. Granting a role to a principal transfers all the role’s permissions. For example, a person on your team might need access to a storage bucket. To get access to the bucket’s content, they would first need to be granted the correct role. When granting roles, it’s important to apply the least amount of privileges. Only grant a user or principal enough access to perform their job. Categorizing principals as end users or service accounts is helpful, but what if you work for a company with hundreds of users? Groups are a solution to combining principals. Organizations can use groups to combine users or service accounts together to more easily assign access controls for larger sets of accounts, instead of assigning individual access one-by-one. Next, we’ll go over policies. Organizations can set allow or deny policies that attach roles or deny permissions to resources. An allow policy is a type of access a principal has, and sets conditions on this access. A deny policy is a constraint that sets rules to prevent principals from carrying out certain actions. It’s an IAM best practice to create an allow policy for groups instead of multiple individual accounts. For example, an engineering team might consist of 50 people. Instead of setting a policy for each individual person, it’s more efficient to create a group for the team members, then use an allow policy to bind the group to a role that has the permissions needed to perform their job. In this video, you learned about several key parts of IAM. With an understanding of roles, principals, and policies, you’ll be better equipped to secure your resources. Making sure the right people have the appropriate access permissions will allow you to keep data and assets secure.2. Let's practice!
Create Your Free Account
or
By continuing, you accept our Terms of Use, our Privacy Policy and that your data is stored in the USA.