ECS Identity and Access Management (IAM) gives users fine-grained, secure access to ECS S3 resources: every request to an ECS resource is identified, authenticated, and authorized. ECS IAM lets administrators create users, roles, and groups, and grant or restrict access by attaching policies to those IAM entities.
Note: ECS IAM functionality is only supported for the S3 protocol.
- Create an IAM user and give that user administrative permissions. Create individual users for everyone else who must access the ECS account. Give each IAM user a separate set of credentials and grant different permissions as needed; the administrator can change or revoke an IAM user's permissions at any time.
- Access keys provide programmatic access to ECS. Do not share credentials between users. Applications should preferably use temporary credentials obtained through an IAM role to access ECS.
- Rotate access keys regularly so that compromised credentials cannot be misused for long. Delete IAM user credentials that are no longer required.
- When creating IAM policies, follow the standard security advice of granting least privilege: grant only the permissions that are required to perform a task.
- Do not define permissions for individual IAM users who perform similar job functions. Create groups, define the permissions for each group, and assign IAM users to those groups.
- Use IAM roles to permit users to access resources.
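The following added example (not part of this documentation or of ECS itself) illustrates two of the points above: the least-privilege policy advice and the access-key rotation advice. It contrasts a constructed overly broad S3 policy with a scoped replacement, runs a small linter that flags wildcard actions and resources in Allow statements, and checks a constructed list of access keys for ones that are overdue for rotation or are inactive and can be deleted. The policy documents use the AWS-style JSON grammar that ECS IAM accepts for S3; the bucket name, key IDs and dates are assumptions made up for the example.

```python
import json
from datetime import datetime, timezone

# Constructed example policy: full S3 access to everything (what least privilege tells you to avoid).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
}

# Constructed least-privilege replacement: only the actions the task needs,
# scoped to one bucket and one prefix (bucket name is an assumption).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-bucket/reports/*",
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
}


def _as_list(value):
    """Policy grammar allows a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return (statement_index, reason) for every Allow statement that uses
    a wildcard action ('*' or 'service:*') or a wildcard resource ('*')."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not the concern here
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action!r}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "wildcard resource '*'"))
    return findings


# Constructed access-key records in the shape returned by an AWS-style
# ListAccessKeys call; IDs and dates are made up for the example.
ACCESS_KEYS = [
    {"AccessKeyId": "AKIAEXAMPLE0001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE0002", "Status": "Active",
     "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE0003", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]


def classify_access_keys(keys, max_age_days, now=None):
    """Split keys into those that should be rotated (active and older than
    max_age_days) and those that should be deleted (inactive)."""
    now = now or datetime.now(timezone.utc)
    result = {"rotate": [], "delete": []}
    for key in keys:
        age_days = (now - key["CreateDate"]).days
        if key["Status"] != "Active":
            result["delete"].append(key["AccessKeyId"])
        elif age_days > max_age_days:
            result["rotate"].append(key["AccessKeyId"])
    return result


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {find_overbroad_statements(policy) or 'OK'}")
    print(json.dumps(SCOPED_POLICY, indent=2))
    print(classify_access_keys(ACCESS_KEYS, max_age_days=90,
                               now=datetime(2024, 7, 1, tzinfo=timezone.utc)))
```

The linter only catches the most obvious over-grants (wildcards); a real review should also confirm that each listed action is actually needed for the task and that the resource ARNs are as narrow as the workload allows. The 90-day rotation window is a common choice, not an ECS requirement.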