Identity and access management

To use AWS services, you must grant users and applications access to resources in your AWS account. As you run more workloads on AWS, you need strong identity management and permissions in place to ensure that the right people have access to the right resources under the right conditions. AWS offers a wide selection of capabilities to help you manage human and machine identities and their permissions. Best practices for these capabilities fall into two main areas:

Identity management

There are two types of identities you need to manage when approaching secure AWS workload operations.

  • Human identity: Your application administrators, developers, operators, and consumers require identities to access your AWS applications and environments. These can be members of your organization or external users that you collaborate with, and they interact with your AWS resources through a web browser, client application, mobile application, or interactive command line tool.

  • Machine identity: Your workload applications, operations engines, and components require identities to make requests to AWS services, such as to read data. These identities include machines running in your AWS environment, such as Amazon EC2 instances or AWS Lambda functions. You can also manage machine identities for external parties that need access. Additionally, you may have machines outside of AWS that need access to your AWS environment.

Permissions management

Manage permissions to control the access granted to human and machine identities that request access to AWS and your workloads. This gives you control over who can access what, and under what conditions. Set permissions for specific human and machine identities to grant access to specific service actions on specific resources. For example, you can allow developers to create new Lambda functions, but only in a specific Region.

There are several ways to grant access to different types of resources. One way is to use different types of policies:

  • Resource-based policies
  • Permissions boundaries
  • Attribute-based access control (ABAC)
  • Organizations service control policies (SCP)
  • Session policies
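The following is an added example, not part of the original page or AWS's own code: a simplified model of how the Lambda-only-in-one-Region permission described above behaves when an identity-based policy is combined with a permissions boundary. The policy documents, the `aws:RequestedRegion` condition key and the evaluation logic are a constructed approximation of IAM evaluation (explicit Deny wins, an Allow must be present in both the identity policy and the boundary, otherwise the request is implicitly denied).

```python
"""Toy model of identity policy + permissions boundary evaluation (constructed example)."""
import fnmatch

# Constructed identity-based policy: developers may create and read Lambda
# functions, but only when the request targets us-east-1.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["lambda:CreateFunction", "lambda:GetFunction"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}},
    }],
}

# Constructed permissions boundary: caps the identity at Lambda actions only,
# so even a broader identity policy cannot reach other services.
LAMBDA_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:*", "Resource": "*"}],
}


def _matches(stmt, action, context):
    """True when a statement's Action pattern(s) and StringEquals conditions match the request."""
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if not any(fnmatch.fnmatchcase(action, pattern) for pattern in actions):
        return False
    # A missing context key never satisfies StringEquals, so the statement does not apply.
    for key, expected in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if context.get(key) != expected:
            return False
    return True


def policy_decision(policy, action, context):
    """Single-policy result: explicit Deny beats Allow; no matching statement is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"


def is_allowed(identity_policy, boundary, action, context):
    """Effective permission is the intersection: both the identity policy and the boundary must allow."""
    return (policy_decision(identity_policy, action, context) == "Allow"
            and policy_decision(boundary, action, context) == "Allow")
```

Changing the Region in the request context from us-east-1 to any other value flips the result to denied, and a policy that grants `s3:GetObject` is still denied by the Lambda-only boundary.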