
AWS IAM


AWS Identity and Access Management (IAM) enables secure access control to AWS services and resources. IAM is foundational to AWS security—every AWS API call is authenticated and authorized through IAM.


Core Concepts


Principals


Entities that can make requests to AWS: IAM users, roles, federated users, and applications.

Policies


JSON documents defining permissions. Types:
  • Identity-based: Attached to users, groups, or roles
  • Resource-based: Attached to resources (S3 buckets, SQS queues)
  • Permission boundaries: Maximum permissions an identity can have
  • Service control policies (SCPs): Organization-wide limits
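How these policy types combine is the part people get wrong: an identity policy Allow is only effective if no SCP or permission boundary withholds it, and an explicit Deny anywhere wins. The evaluator below is an added example written for this page (it is not AWS code and does not replace the IAM policy simulator) that models the evaluation order for a same-account request with no resource-based policy. The sample documents are constructed: the page's DynamoDB least-privilege policy as the identity policy, a read-only permission boundary, and an SCP that forbids `dynamodb:DeleteTable`. Condition, NotAction and NotResource are deliberately not modelled.

```python
import re

# Constructed sample documents for this example (hypothetical account ID).
TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"

IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
        "Resource": TABLE,
    }],
}

# Permission boundary: whatever its identity policies say, this principal can
# never get more than DynamoDB read access.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": "*"}],
}

# SCP: everything allowed, except deleting tables anywhere in the organization.
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "dynamodb:DeleteTable", "Resource": "*"},
    ],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM wildcard matching: '*' matches any run of characters, '?' one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are not.
    # Condition, NotAction and NotResource are ignored in this simplified model.
    actions = _listify(stmt.get("Action", []))
    resources = _listify(stmt.get("Resource", "*"))
    return any(_glob(a, action, True) for a in actions) and any(
        _glob(r, resource, False) for r in resources
    )


def _decision(policy: dict, action: str, resource: str):
    """'Deny', 'Allow' or None (no statement matched) for one policy document."""
    result = None
    for stmt in _listify(policy.get("Statement", [])):
        if _statement_applies(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return "Deny"
            result = "Allow"
    return result


def evaluate(action: str, resource: str, identity_policies, boundary=None, scps=()):
    """Simplified evaluation for a same-account request with no resource-based
    policy: an explicit Deny in any layer wins; otherwise every layer that is
    present (SCPs, boundary, identity policies) must contain an Allow."""
    layers = {
        "scp": [_decision(p, action, resource) for p in scps],
        "boundary": [_decision(boundary, action, resource)] if boundary else [],
        "identity": [_decision(p, action, resource) for p in identity_policies],
    }
    for name, decisions in layers.items():
        if "Deny" in decisions:
            return "Deny", f"explicit deny in {name} policy"
    if scps and "Allow" not in layers["scp"]:
        return "Deny", "no SCP allows the action"
    if boundary and "Allow" not in layers["boundary"]:
        return "Deny", "permission boundary does not allow the action"
    if "Allow" not in layers["identity"]:
        return "Deny", "implicit deny: no identity policy allows the action"
    return "Allow", "allowed by an identity policy and not denied by boundary or SCPs"


if __name__ == "__main__":
    for action in ("dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteTable"):
        print(action, evaluate(action, TABLE, [IDENTITY_POLICY], BOUNDARY, [SCP]))
```

Run as-is, `GetItem` is allowed, `PutItem` is blocked by the boundary even though the identity policy grants it, and `DeleteTable` hits the SCP's explicit deny before any other layer is consulted. For real troubleshooting use `aws iam simulate-principal-policy`, which evaluates the full policy language.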

Roles


Identities with permissions that can be assumed by trusted entities. No permanent credentials—uses temporary security tokens.

Trust Relationships


Define which principals can assume a role. Configured via the role's trust policy.

Common Patterns


Create a Service Role for Lambda


AWS CLI:

```bash
# Create the trust policy: only the Lambda service principal may assume this role
cat > trust-policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

# Create the role
aws iam create-role \
  --role-name MyLambdaRole \
  --assume-role-policy-document file://trust-policy.json

# Attach a managed policy (CloudWatch Logs permissions for the function)
aws iam attach-role-policy \
  --role-name MyLambdaRole \
  --policy-arn arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
```

**boto3:**

```python
import boto3
import json

iam = boto3.client('iam')

# Trust policy: only the Lambda service principal may assume this role
trust_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "lambda.amazonaws.com"},
            "Action": "sts:AssumeRole"
        }
    ]
}

# Create role
iam.create_role(
    RoleName='MyLambdaRole',
    AssumeRolePolicyDocument=json.dumps(trust_policy)
)

# Attach managed policy (CloudWatch Logs permissions for the function)
iam.attach_role_policy(
    RoleName='MyLambdaRole',
    PolicyArn='arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
)
```

Create Custom Policy with Least Privilege


```bash
# Only the three DynamoDB actions the application needs, on one named table
cat > policy.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:Query"
      ],
      "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/MyTable"
    }
  ]
}
EOF

aws iam create-policy \
  --policy-name MyDynamoDBPolicy \
  --policy-document file://policy.json
```

Cross-Account Role Assumption


```bash
# In Account B (222222222222), the trusting account that owns the role, write a
# trust policy that lets Account A (111111111111) assume it. A ":root" principal
# delegates to every principal in Account A that has sts:AssumeRole permission;
# the sts:ExternalId condition guards against the confused-deputy problem when
# Account A belongs to a third party.
cat > cross-account-trust.json << 'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111111111111:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "unique-external-id" }
      }
    }
  ]
}
EOF

aws iam create-role \
  --role-name CrossAccountRole \
  --assume-role-policy-document file://cross-account-trust.json

# From Account A, assume the role. The caller additionally needs an identity
# policy granting sts:AssumeRole on arn:aws:iam::222222222222:role/CrossAccountRole.
aws sts assume-role \
  --role-arn arn:aws:iam::222222222222:role/CrossAccountRole \
  --role-session-name MySession \
  --external-id unique-external-id
```
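The trust policy is where a role's blast radius is set, so it is worth linting before it is deployed. The check below is an added example for this page, not an AWS tool or the original text's code. It flags the two trust-policy mistakes that matter most: a wildcard principal with no scoping condition, and a cross-account `:root` principal without an `sts:ExternalId` (or `aws:PrincipalOrgID`) condition, which is exactly the confused-deputy case the ExternalId above exists for. The account IDs are the hypothetical ones from the page, and the sample document is the trust policy shown above.

```python
# Constructed sample: the cross-account trust policy above, as deployed in the
# role-owning account (hypothetical account IDs carried over from the page).
OWN_ACCOUNT = "222222222222"

TRUST_WITH_EXTERNAL_ID = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "unique-external-id"}},
    }],
}


def _listify(value):
    return value if isinstance(value, list) else [value]


def _account_of(arn: str) -> str:
    # arn:partition:service:region:account-id:resource -> account-id is field 4
    parts = arn.split(":")
    return parts[4] if len(parts) > 4 else ""


def audit_trust_policy(doc: dict, own_account: str) -> list:
    """Return human-readable findings for statements that let more principals
    assume the role than a reviewer would usually intend."""
    findings = []
    for idx, stmt in enumerate(_listify(doc.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _listify(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # e.g. only sts:AssumeRoleWithWebIdentity or sts:TagSession
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _listify(principal.get("AWS", []))
        # Condition key names are matched case-insensitively, as IAM does.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        has_external_id = "sts:externalid" in cond_keys
        has_org_scoping = "aws:principalorgid" in cond_keys
        for p in aws_principals:
            if p == "*":
                if not (has_org_scoping or "aws:principalarn" in cond_keys):
                    findings.append(f"statement {idx}: wildcard principal with no scoping condition")
            elif p.endswith(":root"):
                acct = _account_of(p)
                if acct != own_account and not (has_external_id or has_org_scoping):
                    findings.append(
                        f"statement {idx}: cross-account root principal {acct} without an "
                        "sts:ExternalId condition (confused deputy)"
                    )
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(TRUST_WITH_EXTERNAL_ID, OWN_ACCOUNT))  # expected: []
```

To run this against a live account, feed it `aws iam get-role --role-name CrossAccountRole --query Role.AssumeRolePolicyDocument` (boto3: `iam.get_role(...)["Role"]["AssumeRolePolicyDocument"]`), which is already decoded JSON.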

CLI Reference


Essential Commands


| Command | Description |
|---|---|
| `aws iam create-role` | Create a new IAM role |
| `aws iam create-policy` | Create a customer managed policy |
| `aws iam attach-role-policy` | Attach a managed policy to a role |
| `aws iam put-role-policy` | Add an inline policy to a role |
| `aws iam get-role` | Get role details |
| `aws iam list-roles` | List all roles |
| `aws iam simulate-principal-policy` | Test policy permissions |
| `aws sts assume-role` | Assume a role and get temporary credentials |
| `aws sts get-caller-identity` | Get current identity |

Useful Flags


  • `--query`: Filter output with JMESPath
  • `--output table`: Human-readable output
  • `--no-cli-pager`: Disable pager for scripting

Best Practices


Security


  • Never use root account for daily tasks
  • Enable MFA for all human users
  • Use roles instead of long-term access keys
  • Apply least privilege — grant only required permissions
  • Use conditions to restrict access by IP, time, or MFA
  • Rotate credentials regularly
  • Use permission boundaries for delegated administration

Policy Design


  • Start with AWS managed policies, customize as needed
  • Use policy variables (`${aws:username}`) for dynamic policies
  • Prefer explicit denies for sensitive actions
  • Group related permissions logically

Monitoring


  • Enable CloudTrail for API auditing
  • Use IAM Access Analyzer to identify overly permissive policies
  • Review credential reports regularly
  • Set up alerts for root account usage
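`aws iam generate-credential-report` followed by `aws iam get-credential-report` returns a CSV with every user's password, MFA and access-key state; reviewing it by eye does not scale past a handful of users. The script below is an added example, not part of this page or an AWS tool, that triages a constructed report (a subset of the real report's columns, with made-up values) against the practices above: a root account with an active access key or no MFA, console users without MFA, and access keys past a rotation age or idle threshold. The 90-day and 45-day thresholds and the fixed `NOW` are assumptions chosen so the output is reproducible.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the layout of `aws iam get-credential-report`
# (a subset of the real columns; all values are made up for this example).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,2023-01-10T08:00:00+00:00,2024-05-01T12:00:00+00:00
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2024-04-20T09:00:00+00:00,2024-05-30T07:15:00+00:00
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,false,true,2023-11-01T00:00:00+00:00,2024-01-15T10:22:00+00:00
"""

# Fixed "now" so the example's findings are reproducible (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _age_days(value: str, now: datetime):
    """Days since an ISO-8601 timestamp; None for N/A, no_information, not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def triage_credential_report(report_csv: str, now: datetime,
                             max_key_age: int = 90, max_key_idle: int = 45) -> list:
    """Return (user, finding) pairs for the rows that violate the practices above."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root should have no access keys at all, and always MFA.
            if row["access_key_1_active"] == "true":
                findings.append((user, "root account has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root account has no MFA"))
            continue
        # Human (console) users must have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console user without MFA"))
        # Long-term keys: rotate on a schedule and remove the ones nobody uses.
        if row["access_key_1_active"] == "true":
            age = _age_days(row["access_key_1_last_rotated"], now)
            if age is not None and age > max_key_age:
                findings.append((user, f"access key 1 not rotated for {age} days"))
            idle = _age_days(row["access_key_1_last_used_date"], now)
            if idle is None:
                findings.append((user, "access key 1 active but never used"))
            elif idle > max_key_idle:
                findings.append((user, f"access key 1 unused for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in triage_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

Against a real account, replace `SAMPLE_REPORT` with `iam.get_credential_report()["Content"].decode()` once `iam.generate_credential_report()` reports `COMPLETE`, and pass `datetime.now(timezone.utc)` as `now`; the real report has more columns (a second access key, password rotation dates, certificates), which `DictReader` carries through untouched.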

Troubleshooting


Access Denied Errors


Symptom: `AccessDeniedException` (most services) or `UnauthorizedOperation` (EC2)

Debug steps:
  1. Verify identity: `aws sts get-caller-identity`
  2. Check attached policies: `aws iam list-attached-role-policies --role-name MyRole` (and inline ones with `aws iam list-role-policies --role-name MyRole`)
  3. Simulate the action:
     ```bash
     aws iam simulate-principal-policy \
       --policy-source-arn arn:aws:iam::123456789012:role/MyRole \
       --action-names dynamodb:GetItem \
       --resource-arns arn:aws:dynamodb:us-east-1:123456789012:table/MyTable
     ```
  4. Check SCPs and permission boundaries: both must allow the action, and an explicit deny in either overrides any allow in the identity policy
  5. Verify resource-based policies allow the principal (for cross-account access, the identity policy and the resource policy must both allow the request)

Role Cannot Be Assumed


Symptom: `AccessDenied` when calling `AssumeRole`

Causes:
  • Trust policy doesn't include the calling principal
  • Missing `sts:AssumeRole` permission on the caller (for cross-account roles the caller's identity policy and the role's trust policy must both allow it)
  • ExternalId mismatch (for cross-account roles)
  • Session duration exceeds the role's MaxSessionDuration (reported as a `ValidationError` rather than `AccessDenied`)

Fix: Review and update the role's trust relationship, then the caller's identity policy.

Policy Size Limits


  • Managed policy: 6,144 characters
  • Inline policy: 2,048 characters (user), 5,120 characters (group), 10,240 characters (role)
  • Trust policy: 2,048 characters (default; can be raised via Service Quotas)
IAM does not count white space against these limits.
Solution: Use multiple policies, reference resources by prefix/wildcard, or use tag-based access control (ABAC).
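Measuring a policy the way IAM does, and splitting it when it overflows, is easy to script. The helper below is an added example for this page (not an AWS library) that approximates IAM's size count as the length of the minified JSON, then packs statements greedily into as many documents as fit under a limit. The constructed input grants the page's three DynamoDB actions on 60 separately named tables, which overflows a managed policy; for a real workload a `table/Table*` prefix wildcard would usually be the better fix, which the example leaves to the reader.

```python
import json

# Default IAM quotas from the section above (characters, white space not counted).
MANAGED_POLICY_LIMIT = 6144
INLINE_LIMIT = {"user": 2048, "group": 5120, "role": 10240}
TRUST_POLICY_LIMIT = 2048


def policy_size(doc: dict) -> int:
    """Approximate IAM's count: length of the JSON with all white space removed."""
    return len(json.dumps(doc, separators=(",", ":")))


def split_policy(doc: dict, limit: int = MANAGED_POLICY_LIMIT) -> list:
    """Pack statements, in order, into as few policy documents as fit under `limit`.
    Raises ValueError if a single statement can never fit."""
    version = doc.get("Version", "2012-10-17")
    statements = doc["Statement"] if isinstance(doc["Statement"], list) else [doc["Statement"]]
    parts, current = [], []
    for stmt in statements:
        if policy_size({"Version": version, "Statement": [stmt]}) > limit:
            raise ValueError(f"a single statement exceeds the {limit}-character limit")
        if policy_size({"Version": version, "Statement": current + [stmt]}) <= limit:
            current.append(stmt)
        else:
            parts.append({"Version": version, "Statement": current})
            current = [stmt]
    if current:
        parts.append({"Version": version, "Statement": current})
    return parts


# Constructed example: one statement per table for 60 tables (hypothetical
# account and table names) overflows the managed-policy limit.
BIG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
            "Resource": f"arn:aws:dynamodb:us-east-1:123456789012:table/Table{i:02d}",
        }
        for i in range(60)
    ],
}


if __name__ == "__main__":
    print("size:", policy_size(BIG_POLICY), "limit:", MANAGED_POLICY_LIMIT)
    for n, part in enumerate(split_policy(BIG_POLICY), start=1):
        print(f"part {n}: {len(part['Statement'])} statements, {policy_size(part)} chars")
```

Each part can then be created with `aws iam create-policy` under its own name and attached to the same role; the 10-managed-policies-per-role default quota is the next limit to watch when doing this.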
