# IAM

* Consists of the following:
  * Users
  * Groups
  * Roles
  * Policies
* IAM is global: it is not tied to a region, and its users, groups, roles and policies apply across all regions.
* Least-privilege principle: newly created users, groups and roles have no permissions at all until they are explicitly granted.

### IAM Policies

* **AWS-managed policy** - an IAM policy which is created and administered by AWS. These AWS-provided policies let you assign appropriate permissions to your users, groups and roles without writing the policy yourself. A single managed policy can be attached to multiple users, groups or roles within the same AWS account and across different accounts. You cannot change the permissions defined in an AWS-managed policy.
* **Customer-managed policy** - a standalone policy that you create and administer inside your own AWS account. You can attach this policy to multiple users, groups and roles, but only within your own account.
* **Inline policy** - an IAM policy which is embedded within a single user, group or role to which it applies. There is a strict 1:1 relationship between the entity and the policy. When you delete the user, group or role in which the inline policy is embedded, the policy is deleted with it.

#### MFA Reporting and IAM

* You can enable MFA using the CLI or the Console.
* MFA can be enabled on both the root account and user accounts.
* You can enforce MFA for CLI access by requiring users to obtain temporary credentials from the STS token service (`GetSessionToken`) with an MFA code.
* You can report on who is using MFA on a per-user basis with the IAM `Credential Report`.

<https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/>

```shell
# 1. Create the virtual MFA device and write its seed as a QR code PNG (scan it with the authenticator app)
aws iam create-virtual-mfa-device --virtual-mfa-device-name EC2-User --outfile /home/ec2-user/QRCode.png --bootstrap-method QRCodePNG

# 2. Bind the device to the user with two consecutive codes from the app
aws iam enable-mfa-device --user-name EC2-User --serial-number arn:aws:iam::"USERNUMBERHERE":mfa/EC2-User --authentication-code-1 "CODE1HERE" --authentication-code-2 "CODE2HERE"
```
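To make the rules from the policy section and the MFA section concrete, here is an added Python model of IAM policy evaluation. It is not AWS code and not part of the original notes: the policy documents, bucket ARNs, and the `evaluate`/`demo` function names are constructed for the example. It shows the implicit deny that gives new identities no permissions, the union of managed and inline policies, and the explicit-deny rule that lets an inline policy refuse requests lacking MFA via the `aws:MultiFactorAuthPresent` condition key (the key is absent for long-term access keys and `true` for a session obtained from STS with an MFA code).

```python
"""Minimal model of IAM policy evaluation (added example, not AWS's own logic).

Evaluation order modelled: explicit Deny > explicit Allow > implicit Deny.
Only Action/Resource wildcards and the Bool/BoolIfExists condition operators
are implemented; NotAction, NotResource and other operators are out of scope.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    return fnmatchcase(value, pattern)


def _condition_ok(condition, context):
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # ...IfExists: a missing key counts as a match
                return False          # plain Bool: a missing key never matches
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request against a list of policy documents."""
    context = context or {}
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if not _condition_ok(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"         # an explicit Deny wins over any Allow
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: implicit deny


# Constructed customer-managed policy: read-only access to one bucket.
BUCKET_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed inline policy: deny every request that was not MFA-authenticated.
REQUIRE_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

OBJECT = "arn:aws:s3:::example-bucket/report.csv"


def demo():
    """Run the scenarios from the notes and return their verdicts."""
    return {
        # New user with nothing attached: least privilege means implicit deny.
        "fresh_user": evaluate([], "s3:GetObject", OBJECT),
        # Managed policy attached: the listed action on the listed resource is allowed.
        "read_allowed": evaluate([BUCKET_READ], "s3:GetObject", OBJECT),
        # The same policy grants nothing outside its Action list.
        "write_denied": evaluate([BUCKET_READ], "s3:PutObject", OBJECT),
        # Long-term access keys carry no MFA key in the context: explicit deny.
        "no_mfa": evaluate([BUCKET_READ, REQUIRE_MFA], "s3:GetObject", OBJECT, {}),
        # STS session credentials obtained with an MFA code: allowed.
        "with_mfa": evaluate([BUCKET_READ, REQUIRE_MFA], "s3:GetObject", OBJECT,
                             {"aws:MultiFactorAuthPresent": True}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13s} {verdict}")
```

`BoolIfExists` rather than `Bool` is what makes the deny bite on plain access keys: with `Bool`, a request that carries no `aws:MultiFactorAuthPresent` key at all would not match the condition and would slip past the deny.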
