[{"data":1,"prerenderedAt":277},["ShallowReactive",2],{"term-i\u002Fiam":3,"related-i\u002Fiam":254},{"id":4,"title":5,"acronym":6,"body":7,"category":231,"description":232,"difficulty":233,"extension":234,"letter":235,"meta":236,"navigation":237,"path":238,"related":239,"seo":247,"sitemap":248,"stem":251,"subcategory":252,"__hash__":253},"terms\u002Fterms\u002Fi\u002Fiam.md","IAM","Identity and Access Management",{"type":8,"value":9,"toc":225},"minimark",[10,15,19,23,26,30,214,218,221],[11,12,14],"h2",{"id":13},"eli5-the-vibe-check","ELI5 — The Vibe Check",[16,17,18],"p",{},"IAM is the permission system for AWS. It controls who (users, roles, services) can do what (read S3, start EC2, invoke Lambda) on which resources. Got locked out of your own AWS account? IAM. Lambda can't access your database? IAM. Security breach from over-permissive roles? Also IAM.",[11,20,22],{"id":21},"real-talk","Real Talk",[16,24,25],{},"AWS IAM is the access control system for AWS. It manages users, groups, roles, and policies. Policies are JSON documents defining allowed\u002Fdenied actions on resources. IAM roles allow AWS services to assume permissions without embedding credentials. 
The principle of least privilege should always be applied: every request is implicitly denied unless a policy explicitly allows it, an explicit Deny always overrides any Allow, and each policy should grant only the specific actions and resources a workload actually needs — avoid wildcard grants such as Action * on Resource *.",[11,27,29],{"id":28},"show-me-the-code","Show Me The Code",[31,32,37],"pre",{"className":33,"code":34,"language":35,"meta":36,"style":36},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","\u002F\u002F IAM policy — allow S3 read only on a specific bucket\n{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [{\n    \"Effect\": \"Allow\",\n    \"Action\": [\"s3:GetObject\", \"s3:ListBucket\"],\n    \"Resource\": [\n      \"arn:aws:s3:::my-bucket\",\n      \"arn:aws:s3:::my-bucket\u002F*\"\n    ]\n  }]\n}\n","json","",[38,39,40,49,56,84,99,122,157,172,185,196,202,208],"code",{"__ignoreMap":36},[41,42,45],"span",{"class":43,"line":44},"line",1,[41,46,48],{"class":47},"sHwdD","\u002F\u002F IAM policy — allow S3 read only on a specific bucket\n",[41,50,52],{"class":43,"line":51},2,[41,53,55],{"class":54},"sMK4o","{\n",[41,57,59,62,66,69,72,75,79,81],{"class":43,"line":58},3,[41,60,61],{"class":54},"  \"",[41,63,65],{"class":64},"spNyl","Version",[41,67,68],{"class":54},"\"",[41,70,71],{"class":54},":",[41,73,74],{"class":54}," \"",[41,76,78],{"class":77},"sfazB","2012-10-17",[41,80,68],{"class":54},[41,82,83],{"class":54},",\n",[41,85,87,89,92,94,96],{"class":43,"line":86},4,[41,88,61],{"class":54},[41,90,91],{"class":64},"Statement",[41,93,68],{"class":54},[41,95,71],{"class":54},[41,97,98],{"class":54}," [{\n",[41,100,102,105,109,111,113,115,118,120],{"class":43,"line":101},5,[41,103,104],{"class":54},"    \"",[41,106,108],{"class":107},"sBMFI","Effect",[41,110,68],{"class":54},[41,112,71],{"class":54},[41,114,74],{"class":54},[41,116,117],{"class":77},"Allow",[41,119,68],{"class":54},[41,121,83],{"class":54},[41,123,125,127,130,132,134,137,139,142,144,147,149,152,154],{"class":43,"line":124},6,[41,126,104],{"class":54},[41,128,129],{"class":107},"Action",[41,131,68],{"class":54},[41,133,71],{"class":54},[41,135,136],{"class":54}," 
[",[41,138,68],{"class":54},[41,140,141],{"class":77},"s3:GetObject",[41,143,68],{"class":54},[41,145,146],{"class":54},",",[41,148,74],{"class":54},[41,150,151],{"class":77},"s3:ListBucket",[41,153,68],{"class":54},[41,155,156],{"class":54},"],\n",[41,158,160,162,165,167,169],{"class":43,"line":159},7,[41,161,104],{"class":54},[41,163,164],{"class":107},"Resource",[41,166,68],{"class":54},[41,168,71],{"class":54},[41,170,171],{"class":54}," [\n",[41,173,175,178,181,183],{"class":43,"line":174},8,[41,176,177],{"class":54},"      \"",[41,179,180],{"class":77},"arn:aws:s3:::my-bucket",[41,182,68],{"class":54},[41,184,83],{"class":54},[41,186,188,190,193],{"class":43,"line":187},9,[41,189,177],{"class":54},[41,191,192],{"class":77},"arn:aws:s3:::my-bucket\u002F*",[41,194,195],{"class":54},"\"\n",[41,197,199],{"class":43,"line":198},10,[41,200,201],{"class":54},"    ]\n",[41,203,205],{"class":43,"line":204},11,[41,206,207],{"class":54},"  }]\n",[41,209,211],{"class":43,"line":210},12,[41,212,213],{"class":54},"}\n",[11,215,217],{"id":216},"when-youll-hear-this","When You'll Hear This",[16,219,220],{},"\"Give the Lambda an IAM role with S3 write permissions.\" \u002F \"Never use root credentials — create an IAM user with limited permissions.\"",[222,223,224],"style",{},"html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html .light .shiki span 
{color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":36,"searchDepth":51,"depth":51,"links":226},[227,228,229,230],{"id":13,"depth":51,"text":14},{"id":21,"depth":51,"text":22},{"id":28,"depth":51,"text":29},{"id":216,"depth":51,"text":217},"cloud","IAM is the permission system for AWS. 
It controls who (users, roles, services) can do what (read S3, start EC2, invoke Lambda) on which resources.","intermediate","md","i",{},true,"\u002Fterms\u002Fi\u002Fiam",[240,241,242,243,244,245,246],"AWS","Security Group","VPC","Service Account","Lambda","EC2","S3",{"title":5,"description":232},{"changefreq":249,"priority":250},"weekly",0.7,"terms\u002Fi\u002Fiam",null,"BVs7QRa0v5YqsqrMZfdP71SyS8AQ6xVT-mNoFStR8O0",[255,260,264,267,271,274],{"title":240,"path":256,"acronym":257,"category":231,"difficulty":258,"description":259},"\u002Fterms\u002Fa\u002Faws","Amazon Web Services","beginner","AWS is like a giant magical warehouse where you can rent computers, storage, databases, and basically anything tech-related — by the minute.",{"title":245,"path":261,"acronym":262,"category":231,"difficulty":233,"description":263},"\u002Fterms\u002Fe\u002Fec2","Elastic Compute Cloud","EC2 is AWS's way of renting you a virtual computer in the cloud. You pick how powerful it is, what OS it runs, and pay by the hour.",{"title":244,"path":265,"acronym":252,"category":231,"difficulty":233,"description":266},"\u002Fterms\u002Fl\u002Flambda","AWS Lambda is where you upload a function and AWS runs it when something happens — an HTTP request, a file upload, a database change.",{"title":246,"path":268,"acronym":269,"category":231,"difficulty":258,"description":270},"\u002Fterms\u002Fs\u002Fs3","Simple Storage Service","S3 is Amazon's giant file locker in the sky.",{"title":241,"path":272,"acronym":252,"category":231,"difficulty":233,"description":273},"\u002Fterms\u002Fs\u002Fsecurity-group","A security group is a firewall for your cloud resources. 
You write rules like 'allow port 443 from anywhere' or 'allow port 5432 only from the app servers'.",{"title":243,"path":275,"acronym":252,"category":231,"difficulty":233,"description":276},"\u002Fterms\u002Fs\u002Fservice-account","A service account is a special non-human account that your app or service uses to authenticate with cloud APIs.",1776518287661]