Introduction: What is AWS IAM and Why It Matters
AWS Identity and Access Management (IAM) is a core service that enables you to securely control access to AWS resources. IAM allows you to manage permissions that determine which AWS resources users can access and what actions they can perform on those resources.
Why IAM Matters:
- Security: Implement the principle of least privilege
- Access Control: Fine-grained permissions for users and services
- Centralized Management: Control access across all AWS services
- Compliance: Meet regulatory requirements through access auditing
- Cost Control: Restrict who can provision expensive resources
Core IAM Concepts
IAM Identities
| Identity Type | Description | Best Use Cases |
|---|---|---|
| Users | Individual people or services requiring AWS access | Developers, admins, or service accounts |
| Groups | Collections of IAM users | Team-based access management |
| Roles | Set of permissions that can be assumed | Cross-account access, EC2 instance profiles, federated users |
IAM Policies
| Policy Type | Description | Example Use Case |
|---|---|---|
| Identity-based | Attached to IAM identities (users, groups, roles) | Give a developer permission to manage EC2 instances |
| Resource-based | Attached to resources (S3 buckets, SQS queues) | Allow specific IAM role to access an S3 bucket |
| Permission boundaries | Set maximum permissions an identity can have | Limit what developers can do even with self-service IAM |
| Service control policies (SCPs) | Applied to AWS Organizations | Restrict actions across all accounts in an organization |
| Session policies | Passed when assuming a role | Narrow permissions for specific use cases |
IAM Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
| Element | Description | Required |
|---|---|---|
| Version | Policy language version (always "2012-10-17") | Yes |
| Statement | Array of individual permission statements | Yes |
| Effect | "Allow" or "Deny" the specified actions | Yes |
| Action | List of actions allowed/denied | Yes (or NotAction) |
| Resource | Resources the statement applies to | Yes (or NotResource) |
| Condition | Conditions for when the policy applies | No |
| Principal | Entity that gets the permission (in resource policies) | Only in resource policies |
| NotAction | All actions except those specified | No (alternative to Action) |
| NotResource | All resources except those specified | No (alternative to Resource) |
| NotPrincipal | All principals except those specified | No (alternative to Principal) |
AWS IAM Best Practices
Security Best Practices
Root User Protection
- Use only for initial setup and rare root-only tasks
- Enable MFA for root user
- Don’t create access keys for root user
- Store root user credentials securely
User Management
- Enforce strong password policies
- Rotate credentials regularly
- Enable MFA for all users
- Remove inactive users
Permission Management
- Follow principle of least privilege
- Use groups to assign permissions
- Use roles for temporary access
- Regularly review and remove unused permissions
Auditing and Monitoring
- Enable CloudTrail for all API activity
- Use IAM Access Analyzer to identify unintended access
- Set up alerts for suspicious activity
- Review credential reports regularly
AWS Access Keys Management
| Best Practice | Implementation |
|---|---|
| Minimize use | Use IAM roles and temporary credentials instead |
| Never share | Each user should have their own access keys |
| Secure storage | Never commit to code repositories or hardcode |
| Regular rotation | Every 90 days or immediately if compromised |
| Monitoring | Check for unused or exposed access keys |
Step-by-Step Processes
Creating an IAM User
- Sign in to the AWS Management Console
- Navigate to the IAM service
- In the navigation pane, choose “Users”
- Choose “Add user”
- Enter a user name
- Select access type:
- AWS Management Console access (password)
- Programmatic access (access keys)
- Set a password or generate one automatically
- Optionally, require password reset on next sign-in
- Add user to groups or copy permissions
- Add tags for organizational purposes
- Review the user details and permissions
- Create user and securely share credentials
Creating an IAM Group
- Sign in to the AWS Management Console
- Navigate to the IAM service
- In the navigation pane, choose “Groups”
- Choose “Create New Group”
- Enter a group name
- Attach policies to the group
- Select AWS managed policies or customer managed policies
- Review the group details and permissions
- Create group
- Add users to the group as needed
Creating an IAM Role
- Sign in to the AWS Management Console
- Navigate to the IAM service
- In the navigation pane, choose “Roles”
- Choose “Create role”
- Select the trusted entity type:
- AWS service (e.g., EC2, Lambda)
- Another AWS account
- Web identity (e.g., Cognito, Google, Facebook)
- SAML 2.0 federation
- Attach permissions policies
- Add tags for organizational purposes
- Review the role name and details
- Create role
Implementing Cross-Account Access
In the account that contains the resources (Account A):
- Create an IAM role
- For the trusted entity, select “Another AWS account”
- Enter the account ID of Account B
- Optionally require MFA
- Attach the necessary permissions
- Note the role ARN
In the account that needs access to the resources (Account B):
- Grant permissions to specific users to assume the role
- Create a policy with the following content:

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT-A-ID:role/ROLE-NAME"
  }
}
```

- Attach this policy to users or groups
Users in Account B can now assume the role:
- Via the console: Use “Switch Role” in the account menu
- Via AWS CLI: Use the `aws sts assume-role` command
- Via SDK: Use the STS AssumeRole API
Common Challenges and Solutions
Identity Federation
| Challenge | Solution |
|---|---|
| Managing multiple identities | Implement federation with corporate directory |
| Supporting multiple identity providers | Use AWS SSO or custom identity broker |
| Mapping external groups to IAM permissions | Create IAM roles for different access levels |
SAML 2.0 Federation Setup:
- Configure your identity provider (IdP) to work with AWS
- Create SAML provider in IAM
- Create IAM roles with trust relationships to the SAML provider
- Configure the IdP with SAML assertions for the IAM roles
- Configure the IdP to relay SAML assertions to AWS sign-in endpoint
Permission Management at Scale
| Challenge | Solution |
|---|---|
| Too many custom policies | Use AWS managed policies and consolidate custom policies |
| Inconsistent permissions across accounts | Implement AWS Organizations with SCPs |
| Difficult permission auditing | Use IAM Access Analyzer and Access Advisor |
| Team-based access management | Implement attribute-based access control (ABAC) |
Temporary Credential Management
| Challenge | Solution |
|---|---|
| Short-lived credentials for applications | Use IAM roles with instance profiles |
| Secure API access from mobile apps | Use Amazon Cognito identity pools |
| Service-to-service authentication | Use IAM roles for AWS services |
IAM Policy Examples by Use Case
Basic S3 Bucket Access
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}
```
EC2 Full Access with Tagging Restriction
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestTag/Environment": [
            "Development",
            "Staging",
            "Production"
          ]
        }
      }
    }
  ]
}
```
Dynamic Resource Access Based on Tags
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Department": "${aws:PrincipalTag/Department}"
        }
      }
    }
  ]
}
```
Multi-Factor Authentication Required
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
```
IAM CLI Quick Reference
User Management
```bash
# Create user
aws iam create-user --user-name john.doe

# Add user to group
aws iam add-user-to-group --user-name john.doe --group-name Developers

# Create access key
aws iam create-access-key --user-name john.doe

# Change password
aws iam update-login-profile --user-name john.doe --password newPassword123 --password-reset-required

# Delete user
aws iam delete-user --user-name john.doe
```
Group Management
```bash
# Create group
aws iam create-group --group-name Developers

# Attach policy to group
aws iam attach-group-policy --group-name Developers --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

# List users in group
aws iam get-group --group-name Developers

# Remove policy from group
aws iam detach-group-policy --group-name Developers --policy-arn arn:aws:iam::aws:policy/PowerUserAccess

# Delete group
aws iam delete-group --group-name Developers
```
Role Management
```bash
# Create role (trust policy in a file)
aws iam create-role --role-name S3ReadOnly --assume-role-policy-document file://trust-policy.json

# Attach policy to role
aws iam attach-role-policy --role-name S3ReadOnly --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# List attached policies for role
aws iam list-attached-role-policies --role-name S3ReadOnly

# Assume role
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/S3ReadOnly --role-session-name my-session

# Delete role
aws iam delete-role --role-name S3ReadOnly
```
Policy Management
```bash
# Create policy
aws iam create-policy --policy-name CustomS3Policy --policy-document file://custom-s3-policy.json

# Get policy
aws iam get-policy --policy-arn arn:aws:iam::123456789012:policy/CustomS3Policy

# Get policy version (details)
aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/CustomS3Policy --version-id v1

# List policies
aws iam list-policies --scope Local

# Delete policy
aws iam delete-policy --policy-arn arn:aws:iam::123456789012:policy/CustomS3Policy
```
Security Tools
```bash
# Generate credential report
aws iam generate-credential-report

# Get credential report
aws iam get-credential-report

# List access keys for user
aws iam list-access-keys --user-name john.doe

# Get access key last used info
aws iam get-access-key-last-used --access-key-id AKIAIOSFODNN7EXAMPLE

# Simulate policy evaluation
aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/john.doe --action-names s3:PutObject
```
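As an added example of what "Review credential reports regularly", the 90-day rotation rule and the root-user checks from the best-practices section look like in practice, the following Python audits a credential report offline. It is written for this page, not taken from the article or from AWS. The column names are those of the real credential report (the `Content` field returned by `aws iam get-credential-report` is that CSV, base64-encoded); the sample rows, the account id 123456789012, the finding codes, the 90-day thresholds for rotation and inactivity, and the function names are this example's own constructions.

```python
# Added illustration (not the article's code): offline audit of an IAM credential report.
# Column names match the real report; every row below is constructed sample data.
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT_CSV = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,not_supported,not_supported,true,true,2021-03-03T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
john.doe,arn:aws:iam::123456789012:user/john.doe,2023-02-01T09:00:00+00:00,true,2024-05-20T07:45:00+00:00,2024-03-01T09:00:00+00:00,2024-05-30T09:00:00+00:00,true,true,2024-05-01T09:00:00+00:00,2024-05-21T06:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-bot,arn:aws:iam::123456789012:user/ci-bot,2022-06-15T09:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-11-01T09:00:00+00:00,2024-05-21T06:00:00+00:00,eu-west-1,ec2,true,2022-06-15T09:05:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
old.contractor,arn:aws:iam::123456789012:user/old.contractor,2021-09-01T09:00:00+00:00,true,2023-12-15T09:00:00+00:00,2023-12-01T09:00:00+00:00,2024-03-01T09:00:00+00:00,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""
# What get-credential-report actually hands you: the same CSV as a base64 Content string.
SAMPLE_REPORT_B64 = base64.b64encode(SAMPLE_REPORT_CSV.encode()).decode()

# A fixed "now" keeps the results reproducible; in a real run use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
KEY_MAX_AGE_DAYS = 90                # the article's rotation interval
INACTIVE_AFTER = timedelta(days=90)  # assumption: no sign-in or key use for 90 days = inactive


def decode_report_content(content_b64):
    """Turn the base64 Content field of get-credential-report back into CSV text."""
    return base64.b64decode(content_b64).decode()


def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _parse_time(value):
    """Timestamps are ISO 8601; N/A, no_information and not_supported mean 'no date'."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def key_age_days(row, n, now):
    """Days since access key n was created or last rotated, or None when the report has no date."""
    rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
    return (now - rotated).days if rotated else None


def audit_credential_report(csv_text, now):
    """Return (user, finding_code) pairs for the checks the article's best practices call for."""
    findings = []
    for row in load_rows(csv_text):
        user = row["user"]
        if user == "<root_account>":
            # Root should have MFA and no access keys at all (Root User Protection above).
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root_access_key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root_no_mfa"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console_without_mfa"))
        used = [t for t in map(_parse_time, (row["password_last_used"],
                                               row["access_key_1_last_used_date"],
                                               row["access_key_2_last_used_date"])) if t]
        if not used or now - max(used) > INACTIVE_AFTER:
            findings.append((user, "inactive_90d"))  # candidate for "Remove inactive users"
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = key_age_days(row, n, now)
            if age is not None and age > KEY_MAX_AGE_DAYS:
                findings.append((user, f"key_{n}_stale"))
            if _parse_time(row[f"access_key_{n}_last_used_date"]) is None:
                findings.append((user, f"key_{n}_unused"))  # active but never used: delete it
    return findings


def audit_sample():
    return audit_credential_report(decode_report_content(SAMPLE_REPORT_B64), NOW)


if __name__ == "__main__":
    for user, code in audit_sample():
        print(f"{user}: {code}")
```

On the constructed sample this flags the root access key, both of `ci-bot`'s keys (one overdue for rotation, one never used), and `old.contractor` for console access without MFA and no activity since December. The checks are deliberately the cheap, high-signal ones; pair them with `get-access-key-last-used` from the quick reference for the per-key service and region detail before deciding what to disable.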
Advanced IAM Features
Permission Boundaries
Permission boundaries are used to set the maximum permissions that an identity-based policy can grant to an IAM entity.
Example Permission Boundary:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "cloudwatch:*",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
```
Service Control Policies (SCPs)
SCPs are a type of organization policy that you can use to manage permissions across your organization in AWS Organizations.
Example SCP to Prevent Leaving AWS Organizations:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "organizations:LeaveOrganization"
      ],
      "Resource": "*"
    }
  ]
}
```
Attribute-Based Access Control (ABAC)
ABAC is an authorization strategy that defines permissions based on attributes (tags).
Implementation Steps:
- Tag IAM principals (users/roles) with attributes (e.g., Department=Finance)
- Tag AWS resources with the same attributes
- Create policies that allow access when principal tags match resource tags
- Attach these policies to roles or users
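The evaluation rules that the policy structure table, the policy examples, the cross-account trust relationship, permission boundaries and the ABAC steps all rely on are easier to reason about with something you can run. The following Python is an added example written for this page; it is not code from the article and it is not AWS's real evaluation engine, only a small offline model of it: explicit Deny beats Allow, anything unmatched is an implicit deny, `Action`/`Resource` wildcards and their `Not` variants, `Principal` matching for trust policies, `${...}` policy-variable substitution, the `StringEquals`, `StringNotEquals`, `Bool` and `IpAddress` operators, and a permission boundary as an intersection. The context key names (`aws:SourceIp`, `aws:PrincipalTag/Department`, `aws:MultiFactorAuthPresent`, `aws:PrincipalAccount`) are the real ones; the trust policy, the account ids 111111111111 and 222222222222, and the function names `evaluate`, `effective_decision` and `assume_role_decisions` are this example's own. Anything it does not model (other principal types, `...IfExists` operators, SCPs, session policies) is either ignored or raises, as the comments state.

```python
# Added illustration (not the article's code, nor AWS's real evaluation engine): a small
# offline evaluator for IAM policy JSON. Modelled: explicit deny > allow > implicit deny,
# globs, NotAction/NotResource, Principal, ${...} variables, four operators, boundaries.
import fnmatch
import ipaddress
import re

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _substitute(text, ctx):
    # Expand ${aws:PrincipalTag/Department}-style policy variables from the request context.
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(ctx.get(m.group(1), "")), text)

def _match(patterns, value, ctx, fold=False):
    # Glob match (* and ?); action names are case-insensitive, ARNs are not.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(_substitute(p, ctx))) for p in _as_list(patterns))

def _element_applies(stmt, key, value, ctx, fold=False):
    # Action/NotAction, Resource/NotResource; an absent element (trust policies have no Resource) is no restriction.
    if key in stmt:
        return _match(stmt[key], value, ctx, fold)
    if "Not" + key in stmt:
        return not _match(stmt["Not" + key], value, ctx, fold)
    return True

def _principal_applies(stmt, ctx):
    # Only the "AWS" principal type is modelled ("*", an account id, that account's root ARN or
    # the caller's own ARN); identity-based policies carry no Principal element at all.
    principal = stmt.get("Principal", "*")
    if principal == "*":
        return True
    account = ctx.get("aws:PrincipalAccount", "")
    accepted = {"*", account, f"arn:aws:iam::{account}:root", ctx.get("aws:PrincipalArn", "")}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))

def _conditions_hold(condition, ctx):
    # Operator blocks and keys are AND-ed; the values listed under one key are OR-ed.
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            wanted = [_substitute(str(w), ctx) for w in _as_list(wanted)]
            actual = ctx.get(key)
            if actual is None:
                # A missing key satisfies the negated operator and fails the others: the article's
                # StringNotEquals deny on aws:RequestTag/Environment also blocks untagged requests.
                if operator == "StringNotEquals":
                    continue
                return False
            actual = str(actual)
            if operator == "StringEquals":
                hit = actual in wanted
            elif operator == "StringNotEquals":
                hit = actual not in wanted
            elif operator == "Bool":
                hit = actual.lower() == wanted[0].lower()
            elif operator == "IpAddress":
                hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(w, strict=False) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not hit:
                return False
    return True

def evaluate(policies, action, resource, ctx):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one request."""
    decision = "implicit_deny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not (_principal_applies(stmt, ctx)
                    and _element_applies(stmt, "Action", action, ctx, fold=True)
                    and _element_applies(stmt, "Resource", resource, ctx)
                    and _conditions_hold(stmt.get("Condition", {}), ctx)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # any matching Deny wins outright
            decision = "allow"
    return decision

def effective_decision(identity_policies, action, resource, ctx, boundary=None):
    """Permission boundary semantics: the identity policies AND the boundary must both allow."""
    decision = evaluate(identity_policies, action, resource, ctx)
    if decision != "allow" or boundary is None:
        return decision
    return evaluate([boundary], action, resource, ctx)

# Trust policy for the article's cross-account procedure with the optional MFA requirement;
# the Account B id 111111111111 is a constructed placeholder.
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole", "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

def assume_role_decisions():
    # The same Account B caller with and without an MFA-backed session, then a caller from elsewhere.
    mfa = {"aws:PrincipalAccount": "111111111111", "aws:MultiFactorAuthPresent": "true"}
    no_mfa = {"aws:PrincipalAccount": "111111111111"}
    other = {"aws:PrincipalAccount": "222222222222", "aws:MultiFactorAuthPresent": "true"}
    return tuple(evaluate([CROSS_ACCOUNT_TRUST], "sts:AssumeRole", "*", c) for c in (mfa, no_mfa, other))
```

Feed it the article's own documents to see the points the text makes: the IP-conditioned `s3:GetObject` policy allows from 203.0.113.0/24 and implicitly denies from anywhere else or when no source IP is in the context; the tagging policy's `StringNotEquals` deny fires for a wrong `Environment` value and, because the key is absent, for an untagged `RunInstances` too; the ABAC policy allows only when `aws:ResourceTag/Department` equals the substituted `${aws:PrincipalTag/Department}`; and with the permission boundary from above, an identity policy granting `ec2:*` still yields only `ec2:Describe*`. For real questions use `aws iam simulate-principal-policy` from the quick reference, which runs against the actual engine.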
IAM Access Analyzer
IAM Access Analyzer helps identify resources shared with external entities.
Key Features:
- Identifies resources accessible from outside your account
- Validates policies against policy grammar and best practices
- Generates policies based on access activity
Resources for Further Learning
Official AWS Resources
- IAM Documentation
- IAM Best Practices
- IAM Tutorials
- AWS Identity and Access Management Workshop
- AWS re:Invent IAM sessions
AWS IAM Tools
- IAM Policy Simulator
- AWS Policy Generator
- IAM Access Analyzer
- CloudTrail (for auditing IAM usage)
- AWS CloudFormation (for IAM as code)
Certification Resources
- AWS Certified Security – Specialty
- AWS Certified Solutions Architect
- A Cloud Guru IAM courses
- Whizlabs AWS Security Practice Tests
Community Resources
- AWS IAM GitHub repository
- Open Policy Agent (for policy as code)
- Cloud Security Alliance (best practices)
- r/aws subreddit (community discussions)
Remember that IAM features and best practices evolve over time. Always refer to the official AWS IAM documentation for the most up-to-date information.
