Let's talk about identity and access management, IAM. Here we can see IAM dashboard.

Service IAM is the main service that corresponds to permissions, what have people, your customers, if you want to provide customers,

or your developers to the AWS Management Console. Three main parts of IAM is users, roles, and policies.

Let's talk about users. Users, an IAM user, is an identity with long-term credentials that is used to interact with AWS in an account. For example, I have, therefore, user.

It's just my user, just name of user. So it has IAM when it was created, access key, and we can generate second access key,

but I have only one access key to this user, connected to this user. After that, we can see here permissions, groups. User can be a member in a group.

So a user group is a collection of IAM users. Use groups to specify permissions for a collection of users. A user can be a member of up to 10 groups at IAM. So for example, you can create user group developers

for example, without permissions to IAM, then you can have group database administrators, and they will have only access to database. Then you have tags.

Tags is a key value pairs that you can add to AWS resource to help identify, organize, or search for resources. Also, tags is important when you want to check in cost explorer,

but IAM is free of charge, so here tags is more for organize and for search. Then we have security credentials. This user is not allowed

to log in via console, so this console password is not enabled, but here console sign-in links are generated because it's just our account ID and sign in AWS.amazon.com slash console.

Then we can enable a multi-factor authorization for this user, and here we can specify access key. This access key and secret access key after generating, we can use in our AWS world

to use these credentials to operate with this user to take some changes in our AWS account. For example, now I have user,

Terraform user enabled, so we can check this ID, for example, my environment variable, so I can show you AWS,

and they have access key ID, and we can see that is the same key. So now I am using exact this user, and also this was done via AWS. Okay, so now I can try to type AWS S3,

and I will get all these S3 buckets. Then we go to permissions and try to delete, to remove all these policies from this user.

Some changes can take up to 15 seconds, but let's try immediately, almost. It's still working, so we have, yeah. Some changes take some time. And now we are not enabled,

we are this user to check buckets in our account. So for example, then we want to grant permissions to this user. We can go to and click add permissions, for example, now we are able to add permissions existing one

or create inline policy, inline policy only will be connected to this user, and the inline policy can be reusable. So then let's try to add existing permissions,

and we have here user group, backend developers with some permissions, and with one user there, and also with some policy. We can copy permission from existing permissions, from existing policies or from existing users,

or we can attach policy directly. Here we have permission policies, and this icon in this predefined policy by AWS, and also we can see here the AWS manager policy, and also how many attached entities to this policy,

so the state of access has users and some roles. But we are looking for SU,

and we want to just SU don't get. Let's try to add, and try to check our list of buckets again. It's not working yet, try once more, and it works.

So here it is how you can control permissions to your user. Let's talk about roles, and IAM role is an identity you can create that has specific permissions with credentials

that are valid for short durations. Roles can be assumed by entities that you trust. So for example, we have also here list of roles.

We don't have any predefined roles, so we have just roles that we have created, or some services created it for us when we create some, for example, when we create API gateway,

and we don't go to here to roles and create this role. While creating API gateway, service API gateway will create this role in IAM service, and create a role for himself.

The main difference between users and roles, you don't have access key ID and secret access key here, but if you want to work with Lambda, you have to grant permissions to Lambda using roles. So for example, we have here some Lambda role,

let's check it. Here we have all the same permissions, here all the same as this user, then we have trust relationship,

we have same access key value pairs, access a user, which shows us what are the services for this role in human readable format, and revolve session.

We can revolve all sessions for this role. Then we have edit here, click edit here on summary, and sometimes maybe we need to change session duration,

in max it can be four hours, but after that you have to regenerate your temporary permissions, your temporary credentials to work with this role further.

And let's talk about policies. Policy is an object in AWS that defines permission. So after creating policy, we can attach it to groups, user groups,

to users or to roles. We have customer-managed policies, and somewhere here, AWS-managed policies here. All the same, this icon means it's AWS-managed policy.

Let's try to create policy by hitting this button, create policy. And let's try to, we can create this policy using this editor, or via JSON format.

Also, my personal recommendation is to use AWS policy generator. You can select IAM policy, then we have to choose reallow or deny, and then we want to choose AWS service,

let's try SRE bucket, and we, for example, want to list all buckets. So here policy is human readable format, and we want to list all my buckets here,

and on what resource we want to allow this action. So, for example, I want to list all my buckets. So here I put a star and click add statement. So we have here adverse format policy action.

If we click generate policy, we will have full policy document. This format, we can just copy it and paste it here. We have version, version always the same,

and we have here the statement. And statement also have a seed, this is just the name of your statement, so it can be anything. So like this, I will list SRE.

Then we have actions. If you want multiple action, we can add like this. And, for example, add next action, create bucket.

And I must again specify that statement. We have create bucket here. I can copy it and paste it here. After that, I can go to the next page. I have here like a summary of permissions,

and I have to add policy name, for example, SRE list and create bucket.

And the hit create policy model. And my policy is created. Let's try to search it. I have here hidden list, and, for example, I want to add to my user, telephone user,

and by hitting add permissions here, attach policy directly, search for my permission, click here, check box, next, check details and permission summary and add permissions. And my permission will be appeared here,

and it appears here. So now I'm expand permissions of this telephone user.