Skip to content

AWS IAM (Identity and Access Management)

Introduction

AWS IAM enables you to manage access to AWS services and resources securely. You can create and manage AWS users, groups, and roles, and use permissions to allow and deny their access to AWS resources.

Key Features

  • Free service - No additional charges
  • Centralized control - Manage all access from one place
  • Granular permissions - Fine-grained access control
  • Identity federation - Connect to external identity providers
  • Multi-factor authentication - Enhanced security
  • Temporary credentials - Via roles and STS

When to Use

IAM is Essential For

  • User management - Create accounts for team members
  • Service access - Grant EC2 instances access to S3
  • Cross-account access - Allow access from other AWS accounts
  • Federation - SAML/OIDC integration with corporate identity
  • API access - Programmatic access with access keys
  • Compliance - Audit and control access

Core Components

Users

  • Individual identity with long-term credentials
  • Access keys for programmatic access
  • Password for console access
  • Should be used for humans (not applications)

Groups

  • Collection of users
  • Apply policies to multiple users at once
  • Users can belong to multiple groups
  • Cannot be nested (no groups within groups)

Roles

  • Identity with temporary credentials
  • Assumed by users, services, or accounts
  • No long-term credentials
  • Preferred for applications and services

Policies

  • JSON documents defining permissions
  • Attached to users, groups, or roles
  • Types: AWS managed, customer managed, inline

Policy Structure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3Read",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ],
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "192.0.2.0/24"
        }
      }
    }
  ]
}

Policy Elements

Element Description
Version Policy language version (use "2012-10-17")
Statement Array of permission statements
Sid Optional statement identifier
Effect Allow or Deny
Action API actions (s3:GetObject)
Resource ARN of affected resources
Condition Optional conditions for when policy applies

What to Be Careful About

Security

  • Root account - Never use for daily tasks; secure with MFA
  • Access keys - Rotate regularly; don't embed in code
  • Overly permissive policies - Avoid * in actions/resources
  • Inline policies - Prefer managed policies for reusability
  • Password policy - Enforce strong passwords
  • MFA - Enable for all human users

Common Mistakes

  • Using root account credentials
  • Sharing access keys
  • Not rotating credentials
  • Granting *:* permissions
  • Not using roles for applications
  • Forgetting to remove access for departing employees

Policy Evaluation

  1. Explicit Deny wins
  2. SCPs (Organizations) evaluated
  3. Resource-based policies evaluated
  4. Permission boundaries evaluated
  5. Session policies evaluated
  6. Identity-based policies evaluated
  7. Default implicit deny

Limits

  • 5,000 users per account
  • 300 groups per account
  • 10 groups per user
  • 1,000 roles per account
  • 10 managed policies per user/group/role

Key Concepts

Trust Policies vs Permission Policies

Type Purpose Example
Trust Policy Who can assume the role EC2 can assume this role
Permission Policy What actions are allowed Can read from S3

Temporary Credentials (STS)

  • AssumeRole - Get credentials for a role
  • AssumeRoleWithSAML - Federate with SAML provider
  • AssumeRoleWithWebIdentity - Federate with OIDC provider
  • GetSessionToken - Temporary creds for MFA users

Permission Boundaries

  • Set maximum permissions for a user/role
  • Even if policy allows, boundary must also allow
  • Useful for delegating admin responsibilities

Service-Linked Roles

  • Pre-defined by AWS services
  • Cannot modify permissions
  • Auto-created when you use certain services

IAM Best Practices

  1. Lock away root user - Use MFA, don't use for daily tasks
  2. Create individual users - Don't share credentials
  3. Use groups - Manage permissions for multiple users
  4. Grant least privilege - Minimum permissions needed
  5. Use roles for applications - Not access keys
  6. Enable MFA - For privileged users
  7. Rotate credentials - Regularly change passwords and keys
  8. Use policy conditions - Restrict by IP, time, MFA, etc.
  9. Monitor activity - Use CloudTrail and Access Analyzer

Common Interview Questions

  1. What's the difference between a user and a role?
  2. User: Identity with long-term credentials (access keys, password)

  3. Role: Identity with temporary credentials, assumed by users/services

  4. How does policy evaluation work?

  5. Explicit Deny always wins
  6. Then check for explicit Allow
  7. Default is implicit Deny

  8. All applicable policies evaluated together

  9. What are permission boundaries?

  10. Maximum permissions an entity can have
  11. Effective permissions = identity policy ∩ permission boundary

  12. Used to delegate IAM administration safely

  13. How do you grant cross-account access?

  14. Create role in target account with trust policy
  15. Trust policy allows source account to assume role
  16. Source account user assumes the role

  17. Alternative: Resource-based policy (S3, KMS, etc.)

  18. What's the difference between AWS managed and customer managed policies?

  19. AWS managed: Created by AWS, auto-updated, read-only
  20. Customer managed: You create, full control, reusable

IAM Access Analyzer

  • Identifies resources shared externally
  • Analyzes resource-based policies
  • Generates findings for review
  • Validates policies before deployment
  • Generates policies from CloudTrail activity

Common Patterns

IAM Components Overview

IAM Components

Cross-Account Access

IAM Cross-Account Access

Alternatives

AWS Services

Service Use Case
IAM Identity Center SSO for workforce (multiple accounts)
Cognito User pools for applications
STS Temporary credentials
Secrets Manager Store and rotate secrets

External Alternatives

Provider Service
Google Cloud Cloud IAM
Azure Azure Active Directory
Okta Identity management
Auth0 Authentication platform

Policy Examples

S3 Read-Only

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]
    }
  ]
}

EC2 Start/Stop Own Instances

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}
      }
    }
  ]
}

Deny Without MFA

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}