This section describes a simple business use case for IAM to help you understand basic ways you might implement the service to control the AWS access your users have. The use case is described at a high level, without the mechanics of how you'd use the IAM API to achieve the results you want.
The use case centers on a fictional company called Example Corp. After setting up an AWS account for Example Corp., we show two typical examples of how the company might use IAM—first, with Amazon Elastic Compute Cloud (Amazon EC2), and then with Amazon Simple Storage Service (Amazon S3).
For more information about using IAM with other services from AWS, including how to implement individual APIs, see AWS Services That Support IAM.
Joe is the founder of Example Corp. Upon starting the company, he creates his own AWS account and he uses AWS products by himself. Then he hires employees to work as developers, admins, testers, managers, and system administrators.
Joe uses the IAM API with the AWS account's security credentials to create a user for himself called Joe, and a group called Admins. He gives the Admins group the permissions it needs to administer users, groups, and permissions for the AWS account, and he gives the Admins group permissions to perform all actions on all the AWS account's resources (for example, root privileges).
At this point, Joe can stop using the AWS account's credentials to interact with AWS, and instead he begins using only his user credentials.
Joe also creates a group called
AllUsers so he can easily apply any
account-wide permissions to all users in the AWS account. He adds himself to the group. He
then creates a group called
Developers, a group called
Managers, and a group called
SysAdmins. He creates
users for each of his employees, and puts the users in their respective groups. He also adds
them all to the AllUsers group.
For information about how to set up an Admins group, see Creating an Administrators Group Using the CLI or API. For information about creating users, see Creating an IAM User in Your AWS Account.
This use case illustrates how Example Corp. uses IAM with Amazon EC2. To understand this part of the use case, you need to have a basic understanding of Amazon EC2. For more information about Amazon EC2, go to the Amazon EC2 User Guide for Linux Instances.
To provide "perimeter" control, Joe adds a policy to the
that denies any AWS request from a user if the originating IP address is outside the
Example Corp.'s corporate network.
At Example Corp., different groups require different permissions:
System Administrators—Need permission to
create and manage AMIs, instances, snapshots, volumes, security groups, and so on. Joe
adds a policy to the
SysAdmins group that gives members of the group
permission to use all the Amazon EC2 actions.
Developers—Need the ability to work with
instances only. Joe therefore adds a policy to the
Developers group that
allows developers to call
Amazon EC2 uses SSH keys, Windows passwords, and security groups to control who has access to specific Amazon EC2 instances. There's no method in the IAM system to allow or deny access to a specific instance.
Managers—Should not be able to perform any
EC2 actions except listing the Amazon EC2 resources currently available. Therefore, Joe
adds a policy to the
Managers group that only lets them call Amazon EC2
For examples of what these policies might look like, see Example Policies for Administering AWS Resources and Using AWS Identity and Access Management in the Amazon EC2 User Guide for Linux Instances.
At some point, one of the developers, Don, changes roles and becomes a manager. Joe
moves Don from the
Developers group to the
Managers group. Now
that he's in the
Managers group, Don's ability to interact with Amazon EC2
instances is limited. He can't launch or start instances. He also can't stop or terminate
existing instances, even if he was the user who launched or started the instance. He can
list only the instances that Example Corp. users have launched.
This use case illustrates how Example Corp. uses IAM with Amazon S3. Joe has created an
Amazon S3 bucket for the company called
As employees, Don and Mark each need to be able to create their own data in the
company's bucket, as well as read and write shared data that all developers will work on.
To enable this, Joe logically arranges the data in
example_bucket using an
Amazon S3 key prefix scheme as shown in the following figure.
/example_bucket /home /don /mark /share /developers /managers
Joe divides the master
/example_bucket into a set of home directories for
each employee, and a shared area for groups of developers and managers.
Now Joe creates a set of policies to assign permissions to the users and groups:
Home directory access for Don: Joe assigns a policy
to Don that lets him read, write, and list any objects with the Amazon S3 key prefix
Home directory access for Mark: Joe assigns a
policy to Mark that lets him read, write, and list any objects with the Amazon S3 key
Shared directory access for the Developers group:
Joe assigns a policy to the group that lets developers read, write, and list any
Shared directory access for the Managers group: Joe
assigns a policy to the group that lets managers read, write, and list objects in
Amazon S3 doesn't automatically give a user who creates a bucket or object permission to perform other actions on that bucket or object. Therefore, in your IAM policies, you must explicitly give users permission to use the Amazon S3 resources they create.
The preceding set of policies clearly defines the actions and resources available in IAM bucket policies or bucket Access Control Lists (ACLs) when anyone in the company attempts to work on data in the corporate space. For examples of what these policies might look like, see Access Control in the Amazon Simple Storage Service Developer Guide. For information on how policies are evaluated at run time, see IAM Policy Evaluation Logic.
At some point, one of the developers, Don, changes roles and becomes a manager. We'll
assume he no longer needs access to the documents in the
directory. Joe, as an admin, moves Don to the
Managers group and out of the
Developers group. With just that simple reassignment, Don automatically
gets all permissions granted to the
Managers group, but can no longer access
data in the
Organizations often work with partner companies, consultants, and contractors. Example
Corp. has a partner called the Widget Company, and a Widget Company employee named Nate
needs to put data into a bucket for Example Corp.'s use. Joe creates a group called
WidgetCo and a user named
Nate and adds Nate to the WidgetCo group. Joe also
creates a special bucket called
example_partner_bucket for Nate to
Joe updates existing policies or adds new ones to accommodate the partner Widget Company. For example, Joe can create a new policy that denies members of the WidgetCo group the ability to use any actions other than write. This policy would be necessary only if there's a broad policy that gives all users access to a wide set of Amazon S3 actions.