- Expands to Identity and Access Management
- IAM is the single place for controlling access to an AWS account
- It is global, not regional: users, groups and policies defined in IAM apply across all regions
- Single sign-on (SSO) can be implemented through identity federation using SAML
- Provides temporary access (temporary security credentials)
- Important IAM terms
  - Resources – the objects stored in IAM; they can be added, edited or removed as needed. Resources include:
    - User
    - Group
    - Role
    - Policy
    - Identity provider
  - Identities – the IAM resources used to identify and group other IAM resources; policies are attached to IAM identities. Identities include:
    - Users
    - Groups
    - Roles
  - Entities – the IAM resources that AWS uses for authentication. They include:
    - Users
    - Roles – can be assumed by IAM users (including users in another account) or by identities federated through web identity or SAML
  - Principals – refer to:
    - a person or application using the AWS account as the root user
    - an IAM user
    - an IAM role that can sign in or make requests to AWS
- Terms used
- User – an end user (such as a person)
- Groups – a set of users that share a specific set of permissions
- Policies – a document that defines permissions (assigned to users, groups and roles)
- Roles – not tied to the users in the account; roles grant permissions to AWS resources, such as an EC2 instance (they have other uses too)
![](https://www.testpreptraining.com/tutorial/wp-content/uploads/2019/09/image-164-451x400.png)
Default limits for IAM entities:

| Resource | Default limit |
|---|---|
| Customer managed policies in an AWS account | 1500 |
| Groups in an AWS account | 300 |
| Roles in an AWS account | 1000 |
| Managed policies attached to an IAM role | 10 |
| Managed policies attached to an IAM user | 10 |
| Virtual MFA devices (assigned or unassigned) in an AWS account | Equal to the user quota for the account |
| Instance profiles in an AWS account | 1000 |
| Server certificates stored in an AWS account | 20 |
Limits for IAM entities:

| Resource | Limit |
|---|---|
| Access keys assigned to an IAM user | 2 |
| Access keys assigned to the AWS account root user | 2 |
| Aliases for an AWS account | 1 |
| Groups an IAM user can belong to | 10 |
| IAM users in an IAM group | Equal to the user quota for the AWS account |
| IAM users in an AWS account | 5000 (to support more users, use temporary security credentials) |
| Identity providers (IdPs) associated with an IAM SAML provider object | 10 |
| Keys per SAML provider | 10 |
| Login profiles for an IAM user | 1 |
| Managed policies attached to an IAM group | 10 |
| Permissions boundaries for an IAM user | 1 |
| MFA devices in use by an IAM user | 1 |
| MFA devices in use by the root user | 1 |
| Roles in an instance profile | 1 |
| SAML providers in an AWS account | 100 |
| Signing certificates assigned to an IAM user | 2 |
| SSH public keys assigned to an IAM user | 5 |
| Tags that can be attached to an IAM role | 50 |
| Tags that can be attached to an IAM user | 50 |
| Versions of a managed policy that can be stored | 5 |
The following are the maximum lengths for entities:

| Description | Limit |
|---|---|
| Path | 512 characters |
| User name | 64 characters |
| Group name | 128 characters |
| Role name | 64 characters |
| Tag key | 128 characters |
| Tag value | 256 characters (tag values can be empty) |
| Instance profile name | 128 characters |
| Unique IDs created by IAM | 128 characters |
| Policy name | 128 characters |
| Password for a login profile | 1 to 128 characters |
| AWS account ID alias | 3 to 63 characters |
| JSON text in a role trust policy | 2,048 characters |
| Role session name | 64 characters |
| Role session duration | 12 hours |
| Inline policies | Total size of all inline policies per entity, by entity type: user policy 2,048 characters; role policy 10,240 characters; group policy 5,120 characters |
| Managed policies | Maximum 10 per IAM user, role, or group; maximum size of each policy 6,144 characters |
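As an added example (not code from the original page), the Python below builds the two kinds of role trust policy the notes mention (a role for an EC2 instance and a role assumed from another account) and checks a policy document against the size limits in the tables above. The 12-digit account ID and bucket names are constructed placeholders, and measuring size on whitespace-free JSON is this example's assumption.

```python
import json

# Character limits quoted in the tables above. This example serialises the document
# without whitespace before counting (an assumption of this example, not of the page).
INLINE_POLICY_LIMITS = {"user": 2048, "group": 5120, "role": 10240}
MANAGED_POLICY_LIMIT = 6144
TRUST_POLICY_LIMIT = 2048

def compact_size(policy: dict) -> int:
    """Size of a policy document in characters after whitespace is removed."""
    return len(json.dumps(policy, separators=(",", ":")))

def ec2_trust_policy() -> dict:
    """Trust policy letting EC2 instances assume the role (the instance-role case above)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"Service": "ec2.amazonaws.com"},
                           "Action": "sts:AssumeRole"}]}

def cross_account_trust_policy(account_id: str, require_mfa: bool = True) -> dict:
    """Trust policy letting principals in another account assume the role, optionally only with MFA."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},  # account_id is a placeholder
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def check_policy(policy: dict, kind: str, attached_to: str = "role") -> list:
    """Return quota and least-privilege findings for a policy; an empty list means it passes."""
    limit = {"inline": INLINE_POLICY_LIMITS[attached_to],
             "managed": MANAGED_POLICY_LIMIT,
             "trust": TRUST_POLICY_LIMIT}[kind]
    findings = []
    size = compact_size(policy)
    if size > limit:
        findings.append(f"{kind} policy is {size} characters, limit is {limit}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # IAM also accepts a single statement object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append("statement allows every action on every resource")
    return findings
```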