1.1 IAM Fundamentals — Users, Groups, Roles, and Policies
Key Takeaways
- IAM is a global service — users, groups, roles, and policies are not Region-specific.
- Follow the principle of least privilege: grant only the permissions needed to perform a task.
- Use IAM roles (not access keys) for EC2 instances, Lambda functions, and cross-account access.
- IAM policies are JSON documents with Effect, Action, Resource, and optional Condition elements.
- The root account should be secured with MFA and never used for day-to-day operations.
IAM Fundamentals — Users, Groups, Roles, and Policies
Quick Answer: IAM is AWS's identity and access management service. It controls WHO can do WHAT on WHICH resources. Use users for human identities, groups to organize users, roles for temporary credentials (EC2, Lambda, cross-account), and policies to define permissions. Always follow the principle of least privilege and never use root for daily operations.
IAM Overview
AWS Identity and Access Management (IAM) is a global service that controls authentication (who are you?) and authorization (what can you do?) for AWS resources. IAM is free — you pay only for the resources your users access.
Key Characteristics
- Global — IAM is not Region-specific; users/roles work across all Regions
- Free — No charge for IAM itself
- Eventually consistent — Changes propagate globally but may take seconds
- Integrated with all AWS services — Every AWS API call checks IAM permissions
IAM Users
An IAM user represents a person or application that interacts with AWS.
| Property | Description |
|---|---|
| Username | Unique identifier within the AWS account |
| Console password | For AWS Management Console access |
| Access keys | For programmatic access (CLI/SDK) — consists of Access Key ID + Secret Access Key |
| MFA | Optional but strongly recommended multi-factor authentication |
| Permissions | Defined by attached policies (inline or managed) |
Best Practices:
- Create individual users for each person — never share credentials
- Enable MFA for all users, especially those with console access
- Rotate access keys regularly
- Delete unused users and credentials promptly
IAM Groups
An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users at once, making it easier to manage permissions.
Key rules:
- A user can belong to multiple groups (up to 10)
- Groups cannot be nested (no groups within groups)
- Groups cannot be used as principals in resource-based policies
- There is no default group — you must create them
Example structure:
| Group | Permissions | Members |
|---|---|---|
| Admins | Full AWS access | CTO, Lead DevOps |
| Developers | EC2, S3, Lambda, DynamoDB | Dev team |
| ReadOnly | Read-only access to all services | Auditors, managers |
| DBAdmins | RDS, DynamoDB, Redshift full access | Database team |
IAM Roles
An IAM role is an identity with specific permissions that can be assumed by users, applications, or AWS services. Roles provide temporary credentials via AWS Security Token Service (STS).
When to Use Roles (Critical for Exam)
| Scenario | Use a Role |
|---|---|
| EC2 instance needs to access S3 | EC2 instance profile (role attached to instance) |
| Lambda function needs to access DynamoDB | Lambda execution role |
| Cross-account access | Role in target account, assumed from source account |
| Federation (corporate users) | Federated role via SAML or OIDC |
| Temporary elevated access | Role assumption with MFA requirement |
How Role Assumption Works
- A principal (user, service, or application) calls
sts:AssumeRole - STS verifies the role's trust policy allows the principal
- STS returns temporary credentials (access key, secret key, session token)
- Credentials expire after a configurable duration (15 min to 12 hours)
- The principal uses temporary credentials to make API calls
On the Exam: If a question mentions an EC2 instance needing to access another AWS service (e.g., S3, DynamoDB), the answer is almost always "attach an IAM role to the EC2 instance." NEVER store access keys on EC2 instances.
IAM Policies
IAM policies are JSON documents that define permissions. They specify what actions are allowed or denied on which resources.
Policy Structure
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3Read",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}
Policy Elements
| Element | Description | Required |
|---|---|---|
| Version | Policy language version (always "2012-10-17") | Yes |
| Statement | Array of permission statements | Yes |
| Sid | Statement identifier (optional label) | No |
| Effect | "Allow" or "Deny" | Yes |
| Action | AWS API actions (e.g., "s3:GetObject") | Yes |
| Resource | AWS resource ARNs the policy applies to | Yes |
| Condition | Optional conditions (IP address, MFA, time, tags) | No |
Types of Policies
| Type | Description | Attached To |
|---|---|---|
| AWS Managed | Pre-built by AWS (e.g., ReadOnlyAccess) | Users, groups, roles |
| Customer Managed | Created by you for custom needs | Users, groups, roles |
| Inline | Embedded directly in a single user, group, or role | One specific entity |
| Resource-based | Attached to a resource (e.g., S3 bucket policy) | AWS resources |
| Service Control Policies (SCPs) | Organization-level guardrails | AWS Organizations OUs |
| Permission Boundaries | Maximum permissions an entity can have | Users, roles |
Policy Evaluation Logic
When a principal makes an API request, IAM evaluates policies in this order:
- Explicit Deny — If ANY policy says Deny, the request is denied (Deny always wins)
- Organization SCPs — Must allow the action (if applicable)
- Permission Boundaries — Must allow the action (if applicable)
- Session Policies — Must allow the action (if applicable)
- Identity-based Policies — At least one must allow the action
- Resource-based Policies — Can grant access independently
Key Rule: An explicit Deny in ANY policy overrides any Allow. If no policy explicitly allows an action, it is implicitly denied.
The Root Account
The root account is the email address used to create the AWS account. It has unrestricted access to everything.
Root account best practices:
- Enable MFA immediately
- Do NOT create access keys for root
- Do NOT use root for daily tasks
- Use root only for tasks that require it (e.g., changing account settings, closing the account, enabling certain features)
IAM Best Practices Summary
| Best Practice | Why |
|---|---|
| Enable MFA for all users | Protects against compromised passwords |
| Use roles, not access keys | Temporary credentials are more secure |
| Apply least privilege | Minimize blast radius of compromised credentials |
| Use groups to assign permissions | Easier to manage than per-user policies |
| Rotate credentials regularly | Limits exposure window |
| Use IAM Access Analyzer | Find unintended external access |
| Monitor with CloudTrail | Audit all API calls |
| Use strong password policy | Enforce complexity and rotation requirements |
An EC2 instance needs to read objects from an S3 bucket. What is the MOST secure way to grant this access?
An IAM policy has an explicit Allow for s3:PutObject, but an SCP at the organization level denies s3:PutObject. What happens when a user tries to upload to S3?
Which IAM entity provides TEMPORARY security credentials?
Which THREE are IAM best practices? (Select THREE)
Select all that apply