🔒 Identity and Access Management (IAM)

Securely manage user identities and permissions for your BCE Lambda services and resources.


Core IAM Concepts

👤 Users

Representation of an individual, device, or service with defined permissions.

📜 Policies

JSON documents defining permissions that can be attached to users, groups, or roles.

👥 Groups

Collections of users that allow for easier management of common permissions.

🎭 Roles

Assumable identities that grant temporary security credentials to users or services.

Key Features

🔐 Fine-Grained Access Control

Precisely define permissions using conditions, actions, and resource-level constraints.

🔄 Policy Inheritance

Manage permissions efficiently with group policies and role-based access.

🔒 Least Privilege Enforcement

Automatically review policies to ensure minimum required permissions.

Policy Basics

Policy Structure

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
        }
    ]
}

This policy allows a principal to invoke a specific Lambda function.

Policy Best Practices

  • Start with least privilege: only grant the specific permissions needed
  • Regularly audit: review active policies every 90 days
  • Version control: use tags to track policy revisions

Policy Inheritance

📂 User inherits policies from:

  • UserDirect
  • Group1
  • OrganizationalUnit

👥 Group inherits policies from:

  • GroupDirect
  • ParentGroup
  • OU
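To make the two inheritance chains above concrete, here is an added example (not BCE Lambda's own code) that walks a directory from a user through its groups, parent groups and organizational unit, collects every inherited policy, and evaluates a request against the result. The directory, the policy names and the evaluation rule (an explicit Deny anywhere in the inherited set beats any Allow; no matching statement means denied) are assumptions of this example; the policy document shape is the one shown under Policy Structure.

```python
"""Resolve a user's effective policy set through the inheritance chain
(user -> groups -> parent groups -> organizational unit) and evaluate a
request against it.

Added example, not BCE Lambda's own code. The directory layout and the
evaluation rule (explicit Deny wins, otherwise at least one Allow is
needed) are this example's assumptions.
"""
from fnmatch import fnmatchcase

# Constructed directory: each entity lists its directly attached policies
# and the entities it inherits from, mirroring the two diagrams above.
DIRECTORY = {
    "user:DevUser":      {"policies": ["UserDirect"],
                          "inherits": ["group:Group1", "ou:Engineering"]},
    "group:Group1":      {"policies": ["GroupDirect"],
                          "inherits": ["group:ParentGroup", "ou:Engineering"]},
    "group:ParentGroup": {"policies": ["ParentGroupPolicy"], "inherits": []},
    "ou:Engineering":    {"policies": ["OUBaseline"], "inherits": []},
}

FN = "arn:aws:lambda:us-east-1:123456789012:function:"

# Constructed policies, same document shape as the Policy Structure section.
POLICIES = {
    "UserDirect": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:InvokeFunction",
         "Resource": FN + "MyFunction"}]},
    "GroupDirect": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:GetFunction", "lambda:ListFunctions"],
         "Resource": "*"}]},
    "ParentGroupPolicy": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "lambda:UpdateFunctionCode",
         "Resource": FN + "*"}]},
    # The OU baseline blocks code updates on production functions for
    # everyone beneath it, whatever the groups grant.
    "OUBaseline": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "lambda:UpdateFunctionCode",
         "Resource": FN + "Prod*"}]},
}


def effective_policies(entity, directory=DIRECTORY):
    """Names of every policy `entity` holds directly or by inheritance.

    Depth-first walk; the `seen` set makes a cycle (a group that ends up
    listed as its own ancestor) terminate instead of looping, and keeps an
    entity reached by two paths from contributing its policies twice.
    """
    seen, names, stack = set(), [], [entity]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        node = directory.get(current, {"policies": [], "inherits": []})
        for policy_name in node["policies"]:
            if policy_name not in names:
                names.append(policy_name)
        stack.extend(reversed(node["inherits"]))
    return names


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """Glob-style match on Action and Resource, the way IAM wildcards behave."""
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))


def is_allowed(entity, action, resource, directory=DIRECTORY, policies=POLICIES):
    """True only if some inherited statement allows the request and none denies it."""
    allowed = False
    for name in effective_policies(entity, directory):
        for stmt in policies[name]["Statement"]:
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False  # explicit Deny wins regardless of where it sits
            allowed = True
    return allowed


if __name__ == "__main__":
    print(effective_policies("user:DevUser"))
    for act, res in [("lambda:InvokeFunction", FN + "MyFunction"),
                     ("lambda:UpdateFunctionCode", FN + "MyFunction"),
                     ("lambda:UpdateFunctionCode", FN + "ProdApi"),
                     ("lambda:DeleteFunction", FN + "MyFunction")]:
        print(f"{act:26} {res.rsplit(':', 1)[1]:12} -> {is_allowed('user:DevUser', act, res)}")
```

The walk visits the user's direct policies first, then each group and its parents, then the OU, which is what the two diagrams above describe; because Deny is evaluated across the whole inherited set, the OU baseline still blocks a production code update that a parent group would otherwise permit.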

Best Practices

Security Best Practices

✅ Create Role-Based Access

$ bcl iam create-role MyLambdaRole --policy LambdaExecutionPolicy

Assign roles to services/VMs instead of using long-lived user credentials.

⚠️ Avoid Wildcard Permissions

"Resource": "*" is bad practice

Always name specific resources and actions in your policies.
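As an added example (not part of BCE Lambda's tooling), the linter below reads a policy document in the format shown under Policy Structure and reports the wildcard grants the warning above describes: "Resource": "*", "Action": "*" and service-wide action wildcards such as "lambda:*". Run against the specific policy from Policy Structure it reports nothing; against a wildcard policy it reports each over-broad statement. The rule names, severities and the sample wildcard policy are constructed for this example.

```python
"""Flag the over-broad grants this page warns against: "Resource": "*",
"Action": "*" and service-wide action wildcards such as "lambda:*".

Added example, not part of BCE Lambda's tooling. Rule names and
severities are this example's own; the policy format is the one shown
in the Policy Structure section.
"""
import json

FN = "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"

# Constructed: the specific policy from Policy Structure, as a JSON string
# the way it would be read from disk or returned by an API.
SPECIFIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "lambda:InvokeFunction",
                   "Resource": FN}],
})

# Constructed: the shape the Avoid Wildcard Permissions warning calls out.
WILDCARD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["lambda:*", "lambda:InvokeFunction"],
         "Resource": FN},
        # A Deny with wildcards narrows access rather than widening it,
        # so the linter leaves it alone.
        {"Effect": "Deny", "Action": "lambda:DeleteFunction", "Resource": "*"},
    ],
})


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return (statement_index, severity, message) for every finding.

    Accepts a JSON string or an already-parsed dict. An empty list means
    every Allow statement names explicit actions and resources.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "high", "Action '*' grants every action"))
        else:
            for action in actions:
                if action.endswith("*"):
                    findings.append((idx, "medium",
                                     f"Action '{action}' is a service-wide wildcard"))
        if "*" in resources:
            findings.append((idx, "high", "Resource '*' applies to every resource"))
        if not resources:
            findings.append((idx, "medium", "statement names no Resource"))
    return findings


def policy_is_least_privilege(document):
    """Gate for a CI check or the 90-day audit: passes only with no findings."""
    return not lint_policy(document)


if __name__ == "__main__":
    for name, doc in [("specific", SPECIFIC_POLICY), ("wildcard", WILDCARD_POLICY)]:
        print(name, "->", lint_policy(doc) or "no findings")
```

Wiring `policy_is_least_privilege` into the pipeline that creates or attaches policies turns the "start with least privilege" and "regularly audit" practices above into a mechanical check instead of a manual review.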

Getting Started with IAM

1. Create User

$ bcl iam create-user DevUser
✔ Created user: arn:aws:iam::123456789012:user/DevUser

You'll receive access keys and a user ARN for integration.

2. Attach Policy

$ bcl iam attach-user-policy DevUser LambdaDeveloperPolicy
✔ Attached policy

Policies allow users to perform the actions you specify.
