Using IAM in production environments
For production environments, it is a best practice to use IAM roles instead of long-term access keys. When a role is assumed, AWS Security Token Service (AWS STS) issues short-lived temporary credentials, and the AWS service that runs your code retrieves and rotates those credentials automatically. Applications that run on AWS are therefore authenticated and authorized to use AWS resources securely and seamlessly, with no long-term secret stored in code, configuration files, or environment variables.
Example use case
Consider a scenario where your application calls an AWS Lambda function, and that function accesses an Amazon DynamoDB table to perform create, read, update, and delete (CRUD) operations and writes its logs to Amazon CloudWatch Logs. The following diagram illustrates this example. The Lambda function requires permissions to access the DynamoDB table and CloudWatch Logs. To grant these permissions, attach an execution role when you create the Lambda function. The role's trust policy should allow only the Lambda service to assume it, and its permissions policy should allow only the DynamoDB actions the function needs on that one table, plus the CloudWatch Logs actions on the function's own log group, rather than wildcard actions or resources.
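The following is an added example, not code from the page or from AWS documentation. It builds the two policy documents for the execution role in this scenario (a trust policy that only `lambda.amazonaws.com` can use, and an inline permissions policy scoped to one DynamoDB table and the function's own log group), runs a simple check that rejects wildcard grants, and plans the IAM API calls needed to create the role. The account ID, Region, table name, function name, and role name are placeholders. The planned calls use the real boto3 IAM client methods `create_role` and `put_role_policy`, but boto3 is not imported here; pass `boto3.client("iam")` to `apply_plan` to actually create the role.

```python
import json

# Placeholder values (assumptions for this example, not from the page).
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
TABLE_NAME = "Orders"
FUNCTION_NAME = "orders-api"
ROLE_NAME = "orders-api-execution-role"


def lambda_trust_policy(account_id):
    """Trust policy: only the Lambda service in this account may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole",
            # Limits the role to functions in our own account (confused-deputy guard).
            "Condition": {"StringEquals": {"aws:SourceAccount": account_id}},
        }],
    }


def crud_permissions_policy(account_id, region, table_name, function_name):
    """Permissions policy: CRUD on exactly one table, logging to the function's log group."""
    table_arn = f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"
    log_group_arn = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TableCrud",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                           "dynamodb:Query"],
                "Resource": table_arn,
            },
            {
                "Sid": "WriteOwnLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                           "logs:PutLogEvents"],
                # The log group itself plus any log stream beneath it.
                "Resource": [log_group_arn, f"{log_group_arn}:*"],
            },
        ],
    }


def overly_broad_statements(policy):
    """Return the Sids of Allow statements that grant wildcard actions or resources."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        too_broad = (any(a == "*" or a.endswith(":*") for a in actions)
                     or any(r == "*" for r in resources))
        if too_broad:
            flagged.append(stmt.get("Sid", f"Statement[{i}]"))
    return flagged


def plan_execution_role(role_name, trust_policy, permissions_policy):
    """Return the IAM API calls (method name, kwargs) that create the role."""
    if overly_broad_statements(permissions_policy):
        raise ValueError("refusing to create a role with wildcard grants")
    return [
        ("create_role", {
            "RoleName": role_name,
            "AssumeRolePolicyDocument": json.dumps(trust_policy),
            "Description": "Lambda execution role scoped to one table and its log group",
        }),
        ("put_role_policy", {
            "RoleName": role_name,
            "PolicyName": f"{role_name}-inline",
            "PolicyDocument": json.dumps(permissions_policy),
        }),
    ]


def apply_plan(iam_client, plan):
    """Run the planned calls against a boto3 IAM client; return the new role's ARN."""
    role_arn = None
    for method, kwargs in plan:
        response = getattr(iam_client, method)(**kwargs)
        if method == "create_role":
            role_arn = response["Role"]["Arn"]
    return role_arn


if __name__ == "__main__":
    trust = lambda_trust_policy(ACCOUNT_ID)
    perms = crud_permissions_policy(ACCOUNT_ID, REGION, TABLE_NAME, FUNCTION_NAME)
    for method, kwargs in plan_execution_role(ROLE_NAME, trust, perms):
        print(method, json.dumps(kwargs, indent=2))
```

The role ARN returned by `apply_plan` is what you pass as the `Role` parameter when creating the Lambda function. Keeping the permissions policy inline and scoped to a single table ARN means a compromised function cannot read or modify any other table in the account; if the function later needs `dynamodb:Scan` or a second table, add that explicitly rather than widening the action or resource to a wildcard.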
Resources
- How to create an IAM policy to grant AWS Lambda access to an Amazon DynamoDB table (AWS Security blog)
- Security best practices in IAM (IAM documentation)
- AWS Lambda execution role (Lambda documentation)