AWS IAM
Identity and Access Management - Control access to AWS services and resources
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely.
Security First
Always follow the principle of least privilege: grant only the permissions required to perform a task, and nothing more.
Key Concepts
An IAM user represents a person or application that interacts with AWS. Users have long-term credentials like passwords and access keys.
- Used for human users or service accounts
- Can have console access and/or API access
- Should be assigned to groups for easier management
An IAM group is a collection of IAM users. You can attach policies to a group to manage permissions for all of its members at once.
- Organize users by job function (Developers, Admins)
- Policies attached to groups apply to all members
- Users can belong to multiple groups
An IAM role is similar to a user but is assumed by any trusted principal that needs it rather than tied to one person. Roles don't have long-term credentials; instead, they provide temporary security credentials.
- Used by AWS services (EC2, Lambda)
- Used for cross-account access
- Provides temporary credentials via STS
IAM policies are JSON documents that define permissions. A policy specifies which actions are allowed or denied on which resources.
- Identity-based policies attach to users/groups/roles
- Resource-based policies attach to resources
- Can be AWS managed or customer managed
IAM Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
Policy Elements
| Element | Description |
|---|---|
| Version | Policy language version (always use "2012-10-17") |
| Statement | Array of individual statements |
| Effect | Allow or Deny |
| Action | List of actions this statement covers |
| Resource | ARN of resources the actions apply to |
| Condition | Optional conditions for when the policy applies |
Policy Evaluation Flow
When both an Allow and a Deny apply to a request, the Deny always wins. The order of precedence is: explicit Deny > explicit Allow > implicit Deny (a request that matches no Allow statement is denied by default).
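The following evaluator is an added example, not part of the original page or an AWS library: it applies the precedence above (explicit Deny, then Allow, then implicit Deny) to the identity-based policy structure shown earlier, using a constructed sample policy with a Deny on a `prod/` prefix. It assumes the standard `*` and `?` wildcards only; Condition, NotAction/NotResource, SCPs and permission boundaries are out of scope.

```python
import fnmatch
import json

# Constructed sample identity-based policy (not from the page): reads and writes on
# one bucket are allowed, but writes under the "prod/" prefix are explicitly denied.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny",
     "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::my-bucket/prod/*"}
  ]
}
""")


def _as_list(value):
    # Action and Resource may be a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one character.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive; resource ARNs are case-sensitive.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return (_matches(actions, action.lower())
            and _matches(_as_list(stmt.get("Resource", [])), resource))


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.
    Order: any matching Deny wins, then a matching Allow, else implicit deny.
    Condition, NotAction/NotResource, SCPs and permission boundaries are out of scope."""
    decision = "implicit_deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"   # explicit Deny overrides any Allow
            decision = "allow"           # keep scanning for a later Deny
    return decision
```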
Best Practices
Enable MFA for All Users
Especially important for the root account and privileged users.
```bash
aws iam enable-mfa-device \
  --user-name username \
  --serial-number arn:aws:iam::123456789012:mfa/username \
  --authentication-code1 123456 \
  --authentication-code2 789012
```
Use Roles Instead of Long-Term Credentials
Roles provide temporary credentials that automatically rotate.
Apply Least Privilege
Start with minimal permissions and add more as needed.
Use Groups for Permission Management
Assign policies to groups, then add users to groups.
Audit with CloudTrail
Track all API calls for security analysis.
Password Policy
Set a strong password policy for IAM users:
```json
{
  "MinimumPasswordLength": 14,
  "RequireSymbols": true,
  "RequireNumbers": true,
  "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true,
  "AllowUsersToChangePassword": true,
  "MaxPasswordAge": 90,
  "PasswordReusePrevention": 24
}
```
Common Use Cases
Cross-Account Access
Allow principals from one AWS account to assume a role in another by attaching a trust policy like this one to the role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Assuming Roles
Use `aws sts assume-role` to obtain temporary credentials for the target account.
Service-Linked Roles
Some AWS services require roles to perform actions on your behalf. These are called service-linked roles.
```bash
aws iam list-roles --query 'Roles[?starts_with(RoleName, `AWSServiceRoleFor`)]'
```
IAM Access Analyzer
Identify resources shared with external entities:
```bash
aws accessanalyzer create-analyzer \
  --analyzer-name my-analyzer \
  --type ACCOUNT
```
Access Analyzer helps identify unintended public or cross-account access to your resources.