Workforce identities on AWS
In addition to having an all-powerful user, Acme needs IAM user accounts for all other employees who need to use AWS. As the company grows, we must keep creating accounts for new users with the minimum amount of effort and, of course, remove access when a user leaves the company or changes jobs within it.
As we create user accounts and associated credentials, they are immediately available for authentication. Those users, however, will not have any default authorization associated with their accounts. All they can do is log in and set up their second-factor authentication.
An IAM policy, a JSON-formatted document that explicitly lists permissions, must be created and attached to a user. Only then is the user allowed to perform the actions described in the policies attached to them.
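As an added example (not from the original text), the constructed policy document below grants a hypothetical workforce user read access to a single S3 bucket (the bucket name is a placeholder), and a small check flags any Allow statement that falls back on a bare wildcard instead of explicitly listing what it permits:

```python
import json

# Constructed example: a least-privilege identity policy for a user who only
# needs to read objects in one bucket. "example-bucket" is a placeholder name.
READ_ONLY_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListBucket",
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": "arn:aws:s3:::example-bucket",
        },
        {
            "Sid": "ReadObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed example of a policy that lists nothing explicitly: every action
# on every resource. This is what the check below is meant to catch.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def overly_permissive_statements(policy):
    """Return indices of Allow statements whose Action or Resource is a bare
    wildcard ("*") or a whole-service wildcard such as "s3:*"."""
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions or "*" in resources or any(a.endswith(":*") for a in actions):
            flagged.append(idx)
    return flagged


def policy_json(policy):
    """Serialize a policy dict to the JSON text IAM expects in a policy document."""
    return json.dumps(policy, indent=2)
```

The text returned by `policy_json` is what you would pass as the policy document when attaching the policy to the user (for example via `aws iam put-user-policy --policy-document`).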
IAM policies do not need to be assigned directly to users. Instead, they may also be assigned to an IAM role. An IAM role is...