# Module 3

### AWS Shared responsibility model

<figure><img src="/files/W16pGZWeFVwjwetXDnco" alt=""><figcaption></figcaption></figure>

### All about Security Principals, Securing Access and IAM

{% embed url="<https://awsfdn.adot8.com/module-4>" %}

### IAM Terminology

<table><thead><tr><th width="147">Term (IAM)</th><th>Definition</th></tr></thead><tbody><tr><td>Resource</td><td>User, group, role, policy and identity-provider objects stored in IAM</td></tr><tr><td>Entity</td><td>IAM resource objects that AWS uses for authentication (users and roles)</td></tr><tr><td>Identity</td><td>IAM resource objects that can be authorized in policies to perform actions and access resources (user, group, or role)</td></tr><tr><td>Principal</td><td>Person or application that can sign in and make requests to AWS</td></tr></tbody></table>

<figure><img src="/files/BdrauWSAS3yRLxxrCtRI" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
An AWS access key is needed for the AWS CLI and for programmatic calls to AWS.
{% endhint %}

### Best Practices

* Follow the principle of least privilege.
* Enable multi-factor authentication (MFA).
* Require human users to access AWS by using temporary credentials.
* Rotate access keys for use cases that require long-term credentials.
* Use strong, complex passwords.
* Secure local credentials.
* Use AWS Organizations.
* Enable AWS CloudTrail.
* Protect the root user.

{% hint style="danger" %}
Please protect the root user :-)
{% endhint %}

<figure><img src="/files/BntMt58zRVKQHCvjtZiN" alt=""><figcaption></figcaption></figure>

### IAM Roles

* Characteristics
  * Provides temporary security credentials
  * Isn't uniquely associated with one person
  * Can be assumed by a person, application or service
  * It is often used to delegate access
* Use cases
  * An application that runs on Amazon Elastic Compute Cloud (Amazon EC2)
  * Cross-account access for an IAM user
  * Mobile application

### IAM Policies and Permissions

Two types of policies:

* Identity-based: attached to an IAM user, group or role
* Resource-based: attached to an AWS resource

Both types can be in effect for the same request. They are written in JSON, each statement either allows or denies actions on resources, and they should be scoped to least privilege.
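As an added illustration (not part of the original page), the following Python models how AWS combines the two policy types for a same-account request: the request is denied by default, an explicit Deny in any applicable policy wins, and otherwise an Allow from either an identity-based or a resource-based policy grants the action. The policies, bucket name, role ARN and account id are constructed sample values; Conditions, NotAction and cross-account rules are deliberately not modelled.

```python
import fnmatch
import json

# Constructed sample policies (not taken from the page). IDENTITY_POLICY would be
# attached to an IAM role; BUCKET_POLICY is a resource-based policy on the bucket.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::app-logs/secrets/*"}
  ]
}""")

BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-logs/uploads/*"}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _statement_applies(stmt, action, resource):
    # IAM matches action names case-insensitively with '*' / '?' wildcards and
    # resource ARNs case-sensitively. Condition and NotAction are not modelled.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))

def evaluate(policies, action, resource):
    """Decide a same-account request against the policies that apply to the caller.
    IAM rule: default Deny; an explicit Deny in any policy wins; otherwise an Allow
    from either an identity-based or a resource-based policy grants the action."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"
```

Passing only `IDENTITY_POLICY` to `evaluate` shows that `s3:PutObject` into `uploads/` is denied until the bucket policy is added, while reads under `secrets/` stay denied regardless because the explicit Deny wins.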

<figure><img src="/files/DRDjKC6oWDz9DQEF67gl" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/g4t0uiKt1Y5cRCUx57Yx" alt=""><figcaption></figcaption></figure>

### Example of a resource-based policy

<figure><img src="/files/nyczS0WDpOVzDUbrIr4f" alt=""><figcaption></figcaption></figure>

### Practice

<figure><img src="/files/4fV3N1KCvrKUIWbAeFLk" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JurDkKLU0tdjd3OAtJml" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/s2cUQrpA0TcIDqMSM6We" alt=""><figcaption></figcaption></figure>
