Identity and Access Management (IAM) in AWS
Controlling Who Can Do What, When, and Where in Your AWS Environment
AWS Identity and Access Management (IAM) is the cornerstone of security and access control in AWS. It lets you define, enforce, and audit permissions for users, services, and resources across your cloud infrastructure.
What is IAM?
IAM is a global AWS service that allows you to:
- Create users, groups, and roles
- Define policies to grant or deny permissions
- Enable secure access for humans and machines
- Use MFA, password policies, and temporary credentials
π§ IAM follows the principle of least privilege: only give whatβs necessary and nothing more.
Core Components of IAM
| Component | Description |
|---|---|
| Users | Individual AWS identities (email, developers, admins) |
| Groups | Collections of users sharing the same policies |
| Roles | Identities with temporary credentials assumed by users/services |
| Policies | JSON documents defining allowed/denied actions |
| Trust Policy | Who can assume a role |
| MFA | Multi-Factor Authentication (TOTP hardware/app-based) |
π§ IAM Users
- Created for individual people needing AWS access
- Can be assigned:
- Console login
- Programmatic access (access key/secret key)
- Should never be root user for daily operations
β Example:
aws iam create-user --user-name dev-user
π¨βπ©βπ§βπ¦ IAM Groups
- Logical way to apply the same permissions to multiple users
- Can attach policies to the group instead of each user
- Example groups:
Admins,Developers,Auditors
π€ IAM Roles
Roles are temporary, assumable identities used by:
- EC2 instances
- Lambda functions
- Applications or services in other AWS accounts
- Federated identities (SSO, external IdPs)
β Role Assumption Examples:
- Lambda uses a role to access S3
- EC2 assumes a role to send logs to CloudWatch
- AWS CodePipeline assumes a role to deploy via ECS
π‘οΈ IAM Policies β Granting and Restricting Access
Policies are written in JSON and attached to users, groups, or roles.
β Policy Elements:
| Field | Purpose |
|---|---|
Effect | Allow or Deny |
Action | AWS operation (e.g., s3:PutObject) |
Resource | ARN of target resource |
Condition | Optional logic (e.g., based on IP, tag, time) |
β Example Policy: Read-Only Access to S3
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": "*"
}]
}
Managed vs Inline Policies
| Type | Description |
|---|---|
| AWS-Managed | Predefined by AWS (e.g., AmazonS3FullAccess) |
| Customer-Managed | You create and manage policies |
| Inline | Embedded directly in a user/group/role (used sparingly) |
π― Best Practice: Use customer-managed for flexibility; avoid inline unless necessary.
Trust Policies β Defining Who Can Assume Roles
Trust policies allow another AWS service, user, or account to assume the role.
β Example: Allow EC2 to Assume Role
{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com" },
"Action": "sts:AssumeRole"
}
Multi-Factor Authentication (MFA)
- Adds an extra layer of security for IAM users
- Can use Google Authenticator, Authy, or hardware tokens
- Recommended for:
- Root user
- IAM admins
- Billing access
β Enable MFA via Console:
IAM β Users β Security Credentials β MFA β Assign MFA Device
βοΈ IAM Access Analyzer
- Identifies public or cross-account access to resources
- Useful for audits and security reviews
- Integrated into AWS Console and CLI
β Sample Findings:
- S3 bucket open to public
- KMS key shared with external account
- IAM role trusted by multiple services
IAM Policy Simulator
- Test how a policy behaves without deploying it
- Check if a user can perform an action
- Avoids security risks from misconfigured policies
π§ͺ Try
iam:SimulatePrincipalPolicyvia CLI or Console.
+----------------+
| IAM User |
+--------+-------+
|
+-------v--------+
| Group |
+-------+--------+
|
+-------v--------+ +---------------+
| Attached |----->| IAM Policy |
| Permissions | +---------------+
|
+-------v--------+
| IAM Role |
+-------+--------+
|
+-------v--------+
| EC2, Lambda |
+----------------+
IAM Best Practices
| Practice | Reason |
|---|---|
| π Enable MFA for all users | Prevent compromised logins |
| π§Ύ Use IAM roles, not access keys | Temporary credentials are safer |
| π§Ό Rotate credentials regularly | Reduces breach exposure |
| β οΈ Never use root for daily ops | Risk of full account compromise |
| π§ Apply least privilege principle | Minimize potential damage |
π¦ Tag IAM resources (Owner, Env) | Easier auditing and billing |
| π Use IAM Access Analyzer | Detect unintended access |
| β Review permissions quarterly | Remove unused permissions |
π Real-World Use Cases
| Scenario | IAM Solution |
|---|---|
| Web app writing to S3 bucket | EC2 role with s3:PutObject |
| CI/CD pipeline deploying ECS | CodeBuild role with ECS permissions |
| Federated login via SSO | IAM Role + SAML Identity Provider |
| Cross-account resource sharing | IAM Role with trust to another account |
| Audit log access control | IAM group with cloudtrail:DescribeTrails |
Summary
| Element | Description |
|---|---|
| IAM Users | Individual logins (human users) |
| IAM Roles | Temporary identities (services, cross-account) |
| IAM Groups | Apply common permissions to multiple users |
| Policies | JSON permission rules |
| MFA | Extra layer of login security |
| Analyzer | Detect overexposure of resources |
| Simulator | Test policy behavior without risk |
π‘ Explore More AWS Tools & Resources
Educational AI Tutor
Get instant AWS-related answers and explanations using AI.
Interview Question Generator
Generate AWS interview questions for practice and preparation.
AWS Practice Quiz
Test your AWS knowledge with timed quizzes and scoring.
AWS Interview Questions
Browse frequently asked AWS interview questions with answers.