Identity and Access Management (IAM) for AWS Outposts - AWS Outposts

Identity and Access Management (IAM) for AWS Outposts

AWS Identity and Access Management (IAM) is an AWS service that helps an administrator securely control access to AWS resources. IAM administrators control who can be authenticated (signed in) and authorized (have permissions) to use AWS resources. IAM enables you to create users and groups under your AWS account. You control the permissions that users have to perform tasks using AWS resources. You can use IAM for no additional charge.

By default, IAM users don't have permissions for AWS Outposts resources and operations. To allow IAM users to manage AWS Outposts resources, you must create an IAM policy that explicitly grants them permissions, and attach the policy to the IAM users or groups that require those permissions.

When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources. For more information, see Policies and Permissions in the IAM User Guide.

Before you use IAM to manage access to AWS Outposts, make sure that you understand what IAM features are available to use with AWS Outposts. To get a high-level view of how AWS Outposts and other AWS services work with IAM, see AWS Services That Work with IAM in the IAM User Guide.

Policy structure

An IAM policy is a JSON document that consists of one or more statements. Each statement is structured as follows.

{
  "Statement": [
    {
      "Effect": "effect",
      "Action": "action",
      "Resource": "*",
      "Condition": {
        "condition": {
          "key": "value"
        }
      }
    }
  ]
}

There are various elements that make up a statement:

  • Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use resources and API actions, so all requests are denied. An explicit allow overrides the default. An explicit deny overrides any allows.

  • Action: The action is the specific API action for which you are granting or denying permission.

  • Resource: The resource that's affected by the action. Some API actions allow you to include specific resources in your policy that can be created or modified by the action. To specify a resource in the statement, you must use its Amazon Resource Name (ARN).

  • Condition: Conditions are optional. Use them to control when your policy is in effect.

Example policies

In an IAM policy statement, you can specify any API action from any service that supports IAM. For AWS Outposts, use the following prefix with the name of the API action: outposts:. For example:

  • outposts:CreateOutpost

  • outposts:DescribeOutposts

To specify multiple actions in a single statement, separate them with commas.

"Action": ["outposts:action1", "outposts:action2"]

You can also specify multiple actions using wildcards. For example, you can specify all AWS Outposts API actions whose name begins with the word "Get".

"Action": "outposts:Get*"

To specify all AWS Outposts API actions, use the * wildcard.

"Action": "outposts:*"

Using temporary credentials with AWS Outposts

You can use temporary credentials to sign in with federation, assume an IAM role, or assume a cross-account role. Obtain temporary security credentials by calling AWS STS API operations, such as AssumeRole or GetFederationToken.

AWS Outposts supports using temporary credentials.

Service-linked roles

Service-linked roles allow AWS services to access resources in other services to complete an action on your behalf. Service-linked roles appear in your IAM account and are owned by the service. An IAM administrator can view but not edit the permissions for service-linked roles.

AWS Outposts supports service-linked roles. For information about creating or managing AWS Outposts service-linked roles, see Using service-linked roles for AWS Outposts.

Services that require permission to manage AWS Outposts resources

Some AWS services require permissions to manage Outpost resources, such as the local gateway route table or customer owned IP (CoIP) address pools. These services can call permission-only actions to manage these resources. A permission-only action can be called only by an AWS service. To make these actions available, you assign a service-linked role to grant the calling service permission to manage these resources.

For example, if you assign an Amazon RDS service-linked role that adds one or more of these permissions to your DB instance, Amazon RDS can call these permission-only actions on your behalf. For more information, see Working with Amazon RDS on AWS Outposts and Service-linked role permissions for Amazon RDS in the Amazon RDS User Guide.

The following list contains permission-only actions that AWS services might call on your behalf. Consult the service-linked role of the service that you're using to determine if your service requires these actions.

  • CreateLocalGatewayRouteTablePermission: Grants permission to allow a service to access a local gateway route table.

  • DeleteLocalGatewayRouteTablePermission: Grants permission to deny a service from accessing a local gateway route table.

  • DescribeLocalGatewayRouteTablePermissions: Grants permission to allow a service to describe local gateway route table permissions.

  • CreateCoipPoolPermission: Grants permission to allow a service to access a customer owned IP (CoIP) pool.

  • DeleteCoipPoolPermission: Grants permission to deny a service from accessing a customer owned IP (CoIP) pool.

Considerations

AWS Outposts does not support specifying resource ARNs in an IAM policy or controlling access based on tags.

AWS Outposts does not provide condition keys for any specific service, but it does support using some global condition keys. To see all AWS global condition keys, see AWS Global Condition Context Keys in the IAM User Guide.
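The following is an added example, not from the AWS documentation: it ties together the policy structure, the action wildcards and the considerations above in a constructed read-only Outposts policy (Resource is "*" because resource ARNs are not supported) with a guardrail on the global condition key aws:MultiFactorAuthPresent, and a deliberately simplified evaluator that applies the page's evaluation rules (default deny, explicit allow, explicit deny overriding any allow) so you can see what a request would get before attaching the policy. The policy contents and the evaluator are constructed for illustration; only the operator BoolIfExists and the condition key are real IAM names.

```python
"""Toy evaluator for the IAM rules described on this page (added example, not AWS
code): default deny, explicit Allow, explicit Deny overriding any Allow, '*' in
Action, Resource fixed to '*', and one global condition key. Real IAM has many
more rules; use the IAM policy simulator for real decisions."""
from fnmatch import fnmatchcase

# Sample policy (constructed for this example): read-only Outposts access plus a
# guardrail that denies CreateOutpost whenever the request was made without MFA.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["outposts:Get*", "outposts:List*", "outposts:DescribeOutposts"]},
        {"Effect": "Deny", "Resource": "*", "Action": "outposts:CreateOutpost",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

def _action_matches(pattern, action):
    # IAM matches action names case-insensitively; '*' is the only wildcard used here.
    return fnmatchcase(action.lower(), pattern.lower())

def _condition_holds(condition, context):
    # Bool / BoolIfExists on global keys such as aws:MultiFactorAuthPresent.
    # A missing key makes Bool fail but lets BoolIfExists pass (hence "IfExists").
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in context:
                if operator.endswith("IfExists"):
                    continue
                return False
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, context=None):
    """Return 'Allow' or 'Deny': explicit Deny wins, then any Allow, else implicit deny."""
    context = context or {}
    decision = "Deny"  # the page's default: nothing is permitted until explicitly allowed
    for stmt in (s for p in policies for s in p["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides every allow
        decision = "Allow"
    return decision
```

Combining POLICY with a second policy that grants outposts:* shows the guardrail at work: CreateOutpost is still denied unless the request context carries aws:MultiFactorAuthPresent set to true.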