ECS Identity and Access Management (IAM) gives users fine-grained, secure access to ECS S3 resources. Every access request to an ECS resource is identified, authenticated, and authorized. ECS IAM lets you add users, roles, and groups, and lets you grant or restrict access by attaching policies to these ECS IAM entities.
Note: ECS IAM functionality is only supported for the S3 protocol.
Table 19. IAM best practice highlights
- Create an IAM user for the administrator and grant it administrative permissions. Create individual IAM users for everyone else who must access the ECS account, give each IAM user a separate set of credentials, and grant each one different permissions as needed. An administrator can change or revoke an IAM user's permissions at any time.
- Access keys provide programmatic access to ECS. Do not share credentials between users. Applications should preferably use temporary credentials obtained through an IAM role to access ECS.
- Rotate access keys regularly so that compromised credentials cannot be misused for long, and delete IAM user credentials that are no longer required.
- When creating IAM policies, follow the standard security advice of granting least privilege: grant only the permissions that are required to perform a task.
- Do not define permissions individually for IAM users who perform similar job functions. Create groups, define the permissions for each group, and assign IAM users to those groups.
- Use IAM roles to grant users access to resources.
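The least-privilege and group-policy practices above, illustrated with an added example that is not part of the ECS documentation: two constructed policy documents (one over-broad, one scoped to a single bucket prefix) and a small check that flags wildcard grants before a policy is attached to a group. It assumes ECS IAM accepts AWS-style policy JSON and ARNs; the bucket name `app-logs` and prefix `2024/` are placeholders.

```python
import json

# Constructed example policies. ECS IAM is assumed to accept the AWS-style
# policy document format (Version/Statement/Effect/Action/Resource).
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Every S3 action on every resource: the weak setting to avoid.
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    ],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        # Allow listing the one bucket the task needs (placeholder name).
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::app-logs"},
        # Allow reading objects only under the prefix the task needs.
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-logs/2024/*"},
    ],
})


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy_json):
    """Return the Allow statements that grant wildcard actions or resources.

    A statement is flagged when it allows every action ("*" or "<service>:*")
    or applies to every resource ("*"); either defeats least privilege.
    Deny statements are never flagged.
    """
    policy = json.loads(policy_json)
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = any(r == "*" for r in resources)
        if wild_action or wild_resource:
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    print("broad policy findings:", overly_broad_statements(BROAD_POLICY))
    print("scoped policy findings:", overly_broad_statements(LEAST_PRIVILEGE_POLICY))
```

Run the check against every policy before attaching it to a group; a non-empty result means the policy grants more than the task requires.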