Friday, March 4, 2016

Getting Ready for AWS Securely (4/4) - Wrapping Up

(Part 4 of 4 - see previous post if you missed it)

The AWS Identity and Access Management (IAM) system lets you create additional users for your account, each with adjustable privileges.  Even if you want to sign in as a user that can do everything, you should still create an IAM user to sign in with for that work rather than using the root user, because the more a given password is used, the greater the chance that it will be accidentally exposed.  Thankfully, an IAM user, even one with full administrative privileges, can ultimately be disabled by the root user, which is your last line of defense.

You can create many IAM users for your AWS account (both for yourself and for other people), and it's up to you how much access each one gets.  Even if you're the only person accessing your account, it can be helpful to create a different IAM user for each different type of activity you might be performing.  If nothing else, this can help limit unfortunate accidents:  if you're signed in as a "read only" user (say, just to poke around and check on things), then there's no way to accidentally delete some critical resource with a misplaced mouse click!

Just keep in mind that the more access an IAM user has, the more concerned you need to be about security for that user.  With a user that has maximum access, you will want to take as many precautions with the password (including making it completely unique) as you would for your root user.  (Although the root user can always disable any IAM user, significant damage can still occur before the need for that is recognized.)
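To make the "read only" versus full-access distinction above concrete, here is an added example (not code from this post or from AWS) that runs a simplified version of IAM's allow/deny decision over sample policy documents. The three policies are constructed for illustration, and the evaluator goes slightly beyond the text by also showing that an explicit Deny overrides an Allow. It assumes identity policies only and ignores Resource, Condition, NotAction, permission boundaries and organization-level policies.

```python
import re

# Constructed sample policy documents (assumptions for this example,
# not AWS managed policies).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
     "Resource": "*"}]}
ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Guard rail that can be attached alongside broad access.
NO_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:Delete*", "ec2:Terminate*"],
     "Resource": "*"}]}


def _matches(pattern, action):
    """IAM action patterns use * (any run) and ? (one char), case-insensitively."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def is_allowed(policies, action):
    """Simplified decision: default deny, explicit Deny beats any Allow."""
    allowed = False
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):      # a single statement is legal JSON
            statements = [statements]
        for stmt in statements:
            patterns = stmt["Action"]
            if isinstance(patterns, str):
                patterns = [patterns]
            if not any(_matches(p, action) for p in patterns):
                continue
            if stmt["Effect"] == "Deny":
                return False                  # explicit deny always wins
            allowed = True
    return allowed                            # nothing matched: implicit deny


if __name__ == "__main__":
    for name, attached in [("read-only", [READ_ONLY]), ("admin", [ADMIN]),
                           ("admin + guard rail", [ADMIN, NO_DELETE])]:
        for action in ("ec2:DescribeInstances", "ec2:TerminateInstances"):
            print(f"{name:20} {action:24} {is_allowed(attached, action)}")
```
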

Now, I've just spent four posts going on about security, but that really is the most important aspect of getting ready for AWS.  It's an important enough topic that there are entire blogs devoted to it, including the AWS Security Blog.  But now that you're feeling appropriately cautious, keep watching this space for more articles that get into the fun stuff!
