# IAM

## Top 10 AWS IAM Best Practices

* users: create individual users
* permissions: grant least privilege
* groups: manage permissions with groups
* conditions: restrict privileged access further with conditions
* auditing: enable CloudTrail to get logs of API calls
* password: configure a strong password policy
* rotate: rotate security credentials regularly
* MFA: enable MFA (Multi-Factor Authentication) for privileged users
* sharing: use IAM roles to share access
* roles: use IAM roles for EC2 instances
* root: reduce or remove use of root

The above covers some basic uses of policies. Next are the evaluation rules for policies, which are also the general rules of almost every access-control scheme:

* By default, every action on every resource is Deny
* If a policy contains an explicit Deny, the final result is Deny
* Otherwise, if a policy contains an Allow, the final result is Allow
* Otherwise, the final result is Deny
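As an added example (not part of the original note and not AWS code), the following Python evaluator implements the four rules above: implicit deny, explicit Deny wins, any matching Allow grants, otherwise deny. It runs them over a constructed policy that combines the "conditions" and "MFA" practices from the list: an Allow on one S3 bucket plus a Deny on all S3 actions when the request was not made with MFA. The policy contents, the bucket name, the request context keys and the limited set of supported condition operators (`Bool`, `StringEquals`, with an optional `IfExists` suffix) are assumptions for the example; `NotAction`, `NotResource` and `Principal` are not handled.

```python
import fnmatch
import json

# Constructed sample policy (not from the note). The Deny statement uses BoolIfExists
# because aws:MultiFactorAuthPresent is absent for long-term access keys; with plain
# Bool the condition would not match at all in that case and the Deny would not apply.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
""")


def _as_list(value):
    # IAM allows a single string or a list in Action/Resource/condition values
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource patterns use * and ? wildcards; fnmatch has the same semantics
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Return True only if every operator/key pair in the Condition block is satisfied.
    Unknown operators and missing keys fail closed, except for ...IfExists operators,
    where a missing key counts as satisfied."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            actual = context[key]
            if base == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif base == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                return False  # operator not implemented in this example
    return True


def evaluate(policies, action, resource, context=None):
    """Decide a request using the evaluation order from the note:
    start from implicit deny, an explicit Deny is final, a matching Allow grants,
    and with no match at all the result stays Deny."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny wins regardless of other statements
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:MultiFactorAuthPresent": "false"}
    print("GetObject with MFA:        ", evaluate([SAMPLE_POLICY], "s3:GetObject", obj, mfa))
    print("GetObject without MFA:     ", evaluate([SAMPLE_POLICY], "s3:GetObject", obj, no_mfa))
    print("GetObject, long-term key:  ", evaluate([SAMPLE_POLICY], "s3:GetObject", obj))
    print("GetObject on other bucket: ", evaluate([SAMPLE_POLICY], "s3:GetObject", "arn:aws:s3:::other/x", mfa))
    print("EC2 action (no statement): ", evaluate([SAMPLE_POLICY], "ec2:StartInstances", "*", mfa))
```

The long-term-key case is the one worth checking in real policies: the request context simply lacks `aws:MultiFactorAuthPresent`, so a Deny written with plain `Bool` never matches and the guard silently does nothing, which is why the sample uses `BoolIfExists`.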
