IAM: Identity & Access

Intermediate ⭐ 80 XP ⏱ 20 min #aws #iam #security

Control access with IAM users, roles, groups, and least-privilege policies.

📖Theory

IAM controls who can do what in AWS. Its building blocks:

  • Users — long-term identities for people/apps (credentials, access keys)
  • Groups — collections of users sharing policies
  • Roles — temporary credentials that trusted entities assume (no long-term keys)
  • Policies — JSON documents granting/denying actions on resources

The most important secure pattern: use roles, not access keys. An EC2 instance, Lambda, or another account assumes a role to get short-lived, auto-rotating credentials. Apply least privilege and remember an explicit Deny always wins.

🌍Real-World Example
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}
Patterns:
  EC2 needs S3 access   → attach an IAM role to the instance (no keys)
  CI deploys to AWS     → assume a role via OIDC (no static secret)
  Team of developers    → group with a shared least-privilege policy
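An added example (not part of the course page): a small Python simulator of the evaluation rule stated in the theory section, run against the page's read-only S3 statement, a deliberately over-broad Allow, and a guardrail Deny. The policies are constructed sample data, and the evaluator deliberately ignores Conditions, NotAction/NotResource, SCPs, permission boundaries and resource-based policies.

```python
import fnmatch
import json

# Constructed sample policies (not from any real account): the page's read-only
# statement plus ListBucket, a deliberately over-broad Allow, and a guardrail Deny.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::my-bucket"}
  ]
}""")
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_DELETE_POLICY = {"Version": "2012-10-17",
                      "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}]}


def _as_list(value):
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_insensitive=False):
    # IAM accepts "*" and "?" wildcards in Action and Resource; action names
    # match case-insensitively, ARNs do not.
    if case_insensitive:
        patterns, target = [p.lower() for p in _as_list(patterns)], target.lower()
    return any(fnmatch.fnmatchcase(target, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified identity-policy evaluation: a matching explicit Deny wins at
    once; otherwise any matching Allow grants; otherwise implicit deny. Conditions,
    NotAction/NotResource, SCPs, boundaries and resource policies are ignored."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if (_matches(stmt["Action"], action, case_insensitive=True)
                    and _matches(stmt["Resource"], resource)):
                if stmt["Effect"] == "Deny":
                    return "explicit deny"
                allowed = True
    return "allow" if allowed else "implicit deny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print(evaluate([READ_ONLY_POLICY], "s3:GetObject", obj))                     # allow
    print(evaluate([READ_ONLY_POLICY], "s3:PutObject", obj))                     # implicit deny
    print(evaluate([DENY_DELETE_POLICY, BROAD_POLICY], "s3:DeleteObject", obj))  # explicit deny
```

Note that the order in which the policies are supplied does not change the result: a matching Deny overrides an Allow from any other policy, which is exactly why the Deny guardrail is safe to attach alongside broad permissions.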
✍️Hands-On Exercise
  1. Explain the difference between an IAM user and an IAM role.
  2. Write (in words) a least-privilege policy for read-only access to one S3 bucket.
  3. Describe how an EC2 instance should access S3 without storing keys.
  4. What happens when an Allow and an explicit Deny both match a request?
🧾Cheat Sheet
  Element          Purpose
  User             Long-term identity
  Group            Shared policies for users
  Role             Temporary assumed credentials
  Policy           JSON allow/deny rules
  Least privilege  Minimum needed permissions
  Explicit Deny    Always overrides Allow
  Root account     Lock down, MFA, never use daily
💬Common Interview Questions
What's the difference between an IAM user and a role?

A user has permanent long-term credentials. A role has no long-term credentials — it grants temporary permissions that trusted entities assume, which is more secure for services and cross-account access.

How should an EC2 instance access other AWS services?

By assuming an IAM role attached to the instance, which provides automatically rotated temporary credentials — never by embedding access keys.

In IAM policy evaluation, what wins: Allow or Deny?

An explicit Deny always overrides any Allow. Access requires an Allow and no matching Deny.
