2.2 AWS Identity and Access Management (IAM)
Key Takeaways
- IAM is a global service (not Region-specific) that controls who can access what in your AWS account.
- The root user has unrestricted access and should be secured with MFA and used only for tasks that require it (like changing billing info).
- IAM follows the principle of least privilege — grant only the permissions needed to perform a task, nothing more.
- IAM policies are JSON documents that define Allow or Deny permissions for specific actions on specific resources.
- IAM roles are used for temporary access and are the recommended way to grant permissions to AWS services and applications.
AWS Identity and Access Management (IAM)
Quick Answer: AWS IAM is a free, global service that controls who (authentication) can do what (authorization) in your AWS account. Key components: Users (people), Groups (collections of users), Roles (temporary permissions for services/apps), and Policies (JSON documents defining permissions). Always follow the principle of least privilege.
IAM Overview
AWS Identity and Access Management (IAM) is one of the most important AWS services for the exam. It enables you to securely manage access to AWS services and resources.
Key Facts:
- IAM is free — there is no charge for using IAM
- IAM is global — it is not Region-specific (users, groups, roles, and policies apply across all Regions)
- IAM supports MFA (Multi-Factor Authentication) for additional security
- IAM provides centralized control of your AWS account
The Root User
When you first create an AWS account, you create a root user with the email and password used to sign up. The root user has complete, unrestricted access to everything in the account.
Root User Best Practices
| Do | Don't |
|---|---|
| Enable MFA on the root user immediately | Use the root user for everyday tasks |
| Create an IAM admin user for daily work | Share root user credentials |
| Store root user credentials securely | Create access keys for the root user |
| Use root only for root-specific tasks | Leave MFA disabled on root |
Tasks That REQUIRE the Root User
- Change account settings (name, email, root password)
- Change AWS Support plan
- Close the AWS account
- Restore IAM user permissions (if the only IAM admin is locked out)
- Configure an S3 bucket for MFA delete
- View certain tax invoices
IAM Components
IAM Users
An IAM user represents a person or service that interacts with AWS. Each user has:
- A unique name within the account
- Credentials: password (for console access) and/or access keys (for CLI/API access)
- Permissions: defined by attached policies
Best Practice: Create individual IAM users for each person who needs access. Never share credentials.
IAM Groups
An IAM group is a collection of IAM users. Groups make it easier to manage permissions for multiple users.
| Feature | Detail |
|---|---|
| Groups contain users only | Groups cannot contain other groups |
| A user can belong to multiple groups | No limit on groups per user |
| Groups cannot be used for authentication | Only for organizing permissions |
| No default group | All users must be explicitly added |
Example Groups: Administrators, Developers, Finance, ReadOnlyUsers
IAM Roles
An IAM role is similar to a user but is intended to be assumed by anyone or anything that needs it. Roles provide temporary security credentials.
Common use cases for roles:
| Use Case | Example |
|---|---|
| EC2 instance accessing S3 | Attach a role to the EC2 instance instead of storing access keys |
| Cross-account access | Allow users in Account A to access resources in Account B |
| AWS service to service | Lambda function accessing DynamoDB |
| Federated users | External users (SAML/OIDC) accessing AWS through identity providers |
On the Exam: When a question asks how to grant an AWS service (like EC2 or Lambda) permission to access another service (like S3 or DynamoDB), the answer is almost always an IAM role.
IAM Policies
IAM policies are JSON documents that define permissions. They specify what actions are allowed or denied on which resources.
Policy structure:
- Version — Policy language version (always "2012-10-17")
- Statement — One or more individual permission statements
- Effect — "Allow" or "Deny"
- Action — The API action(s) being permitted or denied (e.g., s3:GetObject)
- Resource — The AWS resource(s) the action applies to (ARN)
- Condition (optional) — Conditions for when the policy applies
Policy Types:
| Type | Description |
|---|---|
| AWS Managed Policies | Pre-built by AWS (e.g., AmazonS3ReadOnlyAccess) — maintained by AWS |
| Customer Managed Policies | Created by you for your specific needs — you maintain them |
| Inline Policies | Embedded directly in a user, group, or role — not reusable |
The Principle of Least Privilege
Least privilege means granting only the minimum permissions necessary for a user, group, or role to perform their required tasks. This is a fundamental security principle in AWS.
Example: If a developer only needs to read objects from a specific S3 bucket, their policy should only allow s3:GetObject on that specific bucket — NOT s3:* on all buckets.
Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring:
- Something you know — Password
- Something you have — MFA device (virtual or hardware)
MFA options in AWS:
| MFA Type | Description |
|---|---|
| Virtual MFA device | App on your phone (Google Authenticator, Authy) |
| Hardware TOTP token | Physical key fob that generates codes |
| FIDO2 security key | Physical USB/NFC key (e.g., YubiKey) |
On the Exam: Always enable MFA on the root account. MFA is a best practice for all IAM users with console access, especially administrators.
IAM Best Practices Summary
- Lock away the root user — Enable MFA, do not use for daily tasks
- Create individual IAM users — One user per person, never share
- Use groups to assign permissions — Easier to manage than individual user policies
- Use roles for AWS services — Never embed access keys in code
- Grant least privilege — Start with minimum permissions, add as needed
- Enable MFA everywhere — Especially for privileged accounts
- Rotate credentials regularly — Change passwords and access keys
- Use IAM Access Analyzer — Identify resources shared with external entities
- Use AWS Organizations — Manage multiple accounts with service control policies
Which IAM component should you use to grant an EC2 instance permission to access an S3 bucket?
What is the principle of least privilege?
Which of the following tasks REQUIRES the AWS account root user?
IAM is a global service. What does this mean?