---
title: "IAM (AWS Identity and Access Management)"
type: entity
tags: [AWS, Security, Identity, Access-Management]
date: 2026-04-19
---

## Definition

AWS IAM (Identity and Access Management) is AWS's authentication and authorization service. It controls who can access AWS resources and which actions they may perform on them.

## Key Components

- **IAM users**: persistent identities, with long-term credentials, that represent people or applications
- **IAM groups**: collections of IAM users, used to simplify permission management
- **IAM roles**: identities that can be assumed temporarily, used to grant temporary permissions
- **IAM policies**: JSON documents that define permissions

## Core Concepts

- **Federated access**: access through an external identity provider (such as Active Directory) whose identities are mapped onto IAM roles
- **Principle of least privilege**: grant only the minimum permissions needed to complete a task
- **Role trust policy**: the policy that defines who may assume a given role
- **Permissions boundary**: a mechanism that caps the maximum permissions an IAM entity can have

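The following is an added example, not part of the original note or of any AWS code, modelling two of the concepts above: a role trust policy (who may call `sts:AssumeRole`, gated by an `sts:ExternalId` condition) and a permissions boundary (the ceiling on what an identity policy can grant). The evaluation order follows AWS's documented logic, simplified: an explicit Deny in any applicable policy wins, and when a boundary is attached an action must be allowed by both the identity policy and the boundary. NotAction/NotResource, resource-based policies and conditions other than `sts:ExternalId` are left out. The account IDs, bucket names and policy documents are constructed placeholders.

```python
import fnmatch


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource):
    """True if a statement's Action and Resource patterns cover the request.
    Action names are case-insensitive in IAM; '*' and '?' are wildcards in both."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                    for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(fnmatch.fnmatchcase(resource, p)
                      for p in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policy, action, resource):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit deny is final
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective decision: explicit Deny anywhere wins; otherwise the identity policy
    must allow the action AND, if a permissions boundary is attached, so must the boundary."""
    identity = evaluate(identity_policy, action, resource)
    if identity == "Deny":
        return False
    if boundary is not None and evaluate(boundary, action, resource) != "Allow":
        return False
    return identity == "Allow"


def trust_policy(trusted_account_id, external_id):
    """Trust policy for a role: principals in one other account may assume it, and only
    when they pass the agreed ExternalId (the usual defence against the confused deputy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_allows(policy, caller_account_id, external_id):
    """Simplified check of an AssumeRole call against a trust policy: the caller's
    account root must be a listed principal and the sts:ExternalId condition must match."""
    caller = f"arn:aws:iam::{caller_account_id}:root"
    for stmt in _as_list(policy["Statement"]):
        if stmt["Effect"] != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if caller not in _as_list(stmt["Principal"].get("AWS", [])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is None or wanted == external_id:
            return True
    return False


# Constructed sample documents (placeholder account IDs and bucket names).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*"], "Resource": "*"}]}

PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    for action in ["s3:GetObject", "ec2:DescribeInstances", "ec2:RunInstances", "s3:DeleteBucket"]:
        print(f"{action:24} -> {is_allowed(IDENTITY_POLICY, action, '*', PERMISSIONS_BOUNDARY)}")
    tp = trust_policy("111111111111", "example-external-id")
    print("assume with right ExternalId:", trust_allows(tp, "111111111111", "example-external-id"))
    print("assume from other account:   ", trust_allows(tp, "222222222222", "example-external-id"))
```

The identity policy above grants broad `s3:*` and `ec2:*`, but the boundary shrinks the effective permissions to S3 plus EC2 read-only and carves out `s3:DeleteBucket` entirely; that intersection is what a permissions boundary buys you when delegating policy creation. The trust policy shows why a role is narrower than a user: even a principal holding `sts:AssumeRole` permission is refused unless it is listed and presents the expected ExternalId.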
## Connections

- [[AWS]] ← provides ← [[IAM (AWS Identity and Access Management)]]
- [[IAM-用户]] ← part_of ← [[IAM (AWS Identity and Access Management)]]
- [[IAM-角色]] ← part_of ← [[IAM (AWS Identity and Access Management)]]
- [[IAM-策略]] ← attached_to ← [[IAM-角色]]
- [[Active-Directory]] ← federates_to ← [[IAM-角色]]

## Use Cases

- Service account management
- Cross-account access authorization
- Federated authentication
- Least-privilege access control

## Sources

- [[ctp-topic-5-aws-identity-and-access-management-iam]]