IAM


Permissions from an access key and secret key specified in the CLI override the IAM role permissions.

The encoded message returned with an unauthorized-access error can be decoded with the STS API's decode-authorization-message operation.

Account Alias


By default, the sign-in URL looks like account-id.signin.aws.amazon.com/console.

After creating an account alias, the URL becomes account-alias.signin.aws.amazon.com/console.

IAM Certificate Store


Can be used to import third-party SSL/TLS certificates.

Both ACM and the IAM Certificate Store can be used to import third-party SSL/TLS certificates.

Trust Policy


With PassRole, we can ensure that a user does not have more permissions than required.

This way, we do not need to store any credentials in the EC2 service.

Best Practices