
# IAM

## Structure

### Global components

#### Accounts

An AWS account is a container for your AWS resources. Each account is identified by a unique 12-digit number, the Account ID (XXXX-XXXX-XXXX). AWS accounts are used together with IAM (access control) and AWS Identity to create a security boundary around a specific user by defining roles and allowed actions.

#### AWS Root account

To sign up for an AWS account, AWS users provide a root user e-mail address. An e-mail address can be used as the root user e-mail address for only one AWS account. The root user is considered an IAM "superuser" and has complete administrative permissions over the AWS account.

By default, root users do not have multi-factor authentication (MFA) enforced. Furthermore, root accounts that have neither MFA enabled nor a phone number set are exposed to a weak password reset workflow: this is commonly the case for AWS accounts created automatically through the AWS Organizations service. If an attacker gains control of the e-mail inbox of an AWS root user whose account has no MFA or phone number, the attacker can request a password reset e-mail and complete a takeover of the targeted AWS account.
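One way to find the accounts exposed to this risk, as an added example that is not part of these notes: the script below decodes the CSV that `aws iam get-credential-report` returns (a constructed sample with a subset of the real columns is embedded) and flags a root user without MFA or with active access keys, plus any IAM user who can sign in with a password but no MFA.

```python
import base64
import csv
import io

# Constructed sample of an `aws iam get-credential-report` response: the
# report is a base64-encoded CSV in "Content" (real reports have more columns).
SAMPLE_REPORT_CSV = (
    "user,arn,user_creation_time,password_enabled,password_last_used,"
    "password_last_changed,password_next_rotation,mfa_active,access_key_1_active\n"
    "<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,"
    "not_supported,2024-01-01T00:00:00+00:00,not_supported,not_supported,false,true\n"
    "alice,arn:aws:iam::111122223333:user/alice,2021-01-01T00:00:00+00:00,"
    "true,2024-01-01T00:00:00+00:00,2023-01-01T00:00:00+00:00,N/A,true,false\n"
    "deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2021-01-01T00:00:00+00:00,"
    "true,no_information,2023-01-01T00:00:00+00:00,N/A,false,true\n"
)
SAMPLE_RESPONSE = {
    "Content": base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode(),
    "ReportFormat": "text/csv",
}

def parse_credential_report(response):
    """Decode the base64 CSV body into one dict per IAM identity."""
    body = base64.b64decode(response["Content"]).decode()
    return list(csv.DictReader(io.StringIO(body)))

def mfa_findings(rows):
    """List identities that can authenticate without MFA. Root is reported
    separately: without MFA the reset flow alone suffices for whoever owns
    the mailbox, and root should never hold long-lived access keys."""
    findings = []
    for row in rows:
        mfa = row["mfa_active"] == "true"
        if row["user"] == "<root_account>":
            if not mfa:
                findings.append("root: MFA not enabled (password reset takeover risk)")
            if row["access_key_1_active"] == "true":
                findings.append("root: active access key present")
        elif row["password_enabled"] == "true" and not mfa:
            findings.append(f"{row['user']}: console password without MFA")
    return findings

if __name__ == "__main__":
    # With a real account: aws iam generate-credential-report, then
    # aws iam get-credential-report > report.json and json.load() it here.
    for finding in mfa_findings(parse_credential_report(SAMPLE_RESPONSE)):
        print(finding)
```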

### IAM

#### Authentication

The authentication model is built from elements called principals, which are used to define access rules to services and resources. A principal falls into one of the following categories:

* **Users**: represent a person or an application. IAM users are linked to a single AWS account.
* **Groups**: allow users to be managed easily by assigning group-wide permissions.
* **Roles**: a temporary privilege that can be acquired by users or by resources such as Lambda functions and EC2 instances.
* **Policies**: a policy defines the type of operation that a specified user or role can perform on a resource. For users that are members of groups, the effective policies are the combination of the group-assigned policies and the policies attached to the specific user.

<figure><img src="/files/Qvobtgtk5JwXqWmNZXx2" alt=""><figcaption></figcaption></figure>

#### Authorization procedure

<figure><img src="/files/6cXVHf7G8bKomT0QVG1j" alt=""><figcaption></figcaption></figure>

## Authentication

### Access Key

Create Access Key

```
aws iam create-access-key    #for current user
aws iam create-access-key --user-name <user name>
```

Configure local variables

```
export AWS_ACCESS_KEY_ID="<access key id>"
export AWS_SECRET_ACCESS_KEY="<secret access key>"
```

Alternatively, these variables can be configured by running the following command on the local machine:

```
aws configure
```

### Session Token

Create Session Token

```
aws sts get-session-token    #for current user, default duration
aws sts get-session-token --duration-seconds 3600 --serial-number <mfa device arn> --token-code <mfa code>    #current user, MFA-backed session
```

Configure local variables

```
export AWS_ACCESS_KEY_ID="<access key>"
export AWS_SECRET_ACCESS_KEY="<secret key>"
export AWS_SESSION_TOKEN="<session token>"
```

Configure with aws command

```
aws configure
aws configure set aws_session_token <session token>
```

### Assume Role

#### Gain temporary access to a resource

CLI command. The session name is arbitrary and is required only for logging purposes (it appears in CloudTrail).

```
aws sts assume-role --role-arn <role arn> --role-session-name <session name>
```

Obtain the temporary credentials of an ECS task. To be executed within the target container:

```
curl 169.254.170.2$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
```

Generate temporary credentials for a CloudShell session. To be executed within the CloudShell session. These credentials can be used to give other users or services the same access the shell has.

```
curl $AWS_CONTAINER_CREDENTIALS_FULL_URI -H "X-aws-ec2-metadata-token: $AWS_CONTAINER_AUTHORIZATION_TOKEN"
```

After obtaining the credentials, update the local environment:

```
export AWS_ACCESS_KEY_ID="<access key>"
export AWS_SECRET_ACCESS_KEY="<secret key>"
export AWS_SESSION_TOKEN="<session token>"
```
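The export block above is usually typed by hand from the JSON that `aws sts assume-role` or `aws sts get-session-token` prints. As an added example (not part of the original notes), this script turns that JSON into shell-safe `export` lines and refuses credentials whose `Expiration` has already passed; the embedded response is a constructed sample with placeholder secrets.

```python
import json
import shlex
import sys
from datetime import datetime, timezone

# Constructed sample of an `aws sts assume-role` response (get-session-token
# returns the same "Credentials" object). All values here are placeholders.
SAMPLE_STS_JSON = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "example/secret+key/value",
        "SessionToken": "FwoGZXIvYXdzEXAMPLETOKEN",
        "Expiration": "2030-01-01T12:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:audit-session",
        "Arn": "arn:aws:sts::111122223333:assumed-role/Auditor/audit-session",
    },
})

def parse_sts_credentials(raw_json):
    """Return ({env var: value}, seconds_remaining); raise if already expired."""
    creds = json.loads(raw_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    remaining = int((expires - datetime.now(timezone.utc)).total_seconds())
    if remaining <= 0:
        raise ValueError(f"credentials expired at {expires.isoformat()}")
    env = {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }
    return env, remaining

def export_lines(env):
    """Render the three exports; shlex.quote keeps token characters shell-safe."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())

if __name__ == "__main__":
    # Usage: aws sts assume-role ... | python3 sts_env.py > creds.sh && . ./creds.sh
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STS_JSON
    env, secs = parse_sts_credentials(raw)
    print(f"# session valid for {secs // 60} more minutes")
    print(export_lines(env))
```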

## Access Control

### Accounts

Create console login (login profile) for an existing IAM user

```
aws iam create-login-profile --user-name <username> --password '<password>'
```

Change password

```
aws iam update-login-profile --user-name <username> --password '<password>'
```

### Granting access

Set the password for AWS Console access. Without a login profile, the IAM user cannot sign in to the AWS Management Console or use GUI-based services.

```
aws iam update-login-profile --user-name <username> --password '<password>'
```

### Manage Access Keys

Enable/disable keys

```
aws iam update-access-key --access-key-id <key id> --status Active
aws iam update-access-key --access-key-id <key id> --status Inactive
```

Delete key

```
aws iam delete-access-key --access-key-id <key id>
```
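Added example, not from the original notes: an audit over the JSON that `aws iam list-access-keys` and `aws iam get-access-key-last-used` return (constructed samples are embedded, with a fixed reference time so the result is reproducible), producing the deactivate and delete commands from this section for idle, stale and already-inactive keys. The 90-day and 30-day thresholds are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE = timedelta(days=90)   # assumed policy: rotate active keys older than this
MAX_IDLE = timedelta(days=30)      # assumed policy: deactivate keys unused this long
AUDIT_REFERENCE_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed samples of `aws iam list-access-keys --user-name deploy-bot` and of
# `aws iam get-access-key-last-used` (its "AccessKeyLastUsed" object) per key.
LIST_KEYS = json.loads("""{"AccessKeyMetadata": [
 {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000001", "Status": "Active",
  "CreateDate": "2023-01-10T08:00:00+00:00"},
 {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000002", "Status": "Active",
  "CreateDate": "2024-05-01T08:00:00+00:00"},
 {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE00000003", "Status": "Inactive",
  "CreateDate": "2022-01-01T08:00:00+00:00"}]}""")
LAST_USED = {
    "AKIAEXAMPLE00000001": {"LastUsedDate": "2024-05-20T09:00:00+00:00", "ServiceName": "s3", "Region": "eu-west-1"},
    "AKIAEXAMPLE00000002": {"ServiceName": "N/A", "Region": "N/A"},  # never used: no LastUsedDate
    "AKIAEXAMPLE00000003": {"LastUsedDate": "2022-06-01T09:00:00+00:00", "ServiceName": "ec2", "Region": "us-east-1"},
}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_access_keys(keys, last_used, now=None):
    """Return (finding, remediation command) pairs, one per key that needs action."""
    now = now or datetime.now(timezone.utc)
    actions = []
    for k in keys["AccessKeyMetadata"]:
        kid, user = k["AccessKeyId"], k["UserName"]
        age = now - _ts(k["CreateDate"])
        used = last_used.get(kid, {}).get("LastUsedDate")
        disable = f"aws iam update-access-key --user-name {user} --access-key-id {kid} --status Inactive"
        if k["Status"] == "Inactive":
            actions.append((f"{kid}: inactive key still present, delete it",
                            f"aws iam delete-access-key --user-name {user} --access-key-id {kid}"))
        elif used is None and age > MAX_IDLE:
            actions.append((f"{kid}: never used since creation", disable))
        elif used and now - _ts(used) > MAX_IDLE:
            actions.append((f"{kid}: unused for more than {MAX_IDLE.days} days", disable))
        elif age > MAX_KEY_AGE:
            actions.append((f"{kid}: older than {MAX_KEY_AGE.days} days, create a replacement then deactivate",
                            f"aws iam create-access-key --user-name {user}"))
    return actions

if __name__ == "__main__":
    for finding, command in audit_access_keys(LIST_KEYS, LAST_USED, AUDIT_REFERENCE_TIME):
        print(f"{finding}\n    {command}")
```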
