AWS Explained
    Security, Identity & Compliance
    🔐Security, Identity & Compliance

    AWS IAM

    Manage user access and encryption keys securely

    IAM is like the security system for your AWS account; it controls who can do what. Think of it as a building with many rooms (AWS services). IAM lets you create badges (users) with specific permissions: some people can enter all rooms, others only specific ones, and some can only look but not touch. You can also create group badges (IAM groups) for teams, and temporary visitor passes (IAM roles) for applications. It's free, and it follows the principle of least privilege: give people only the permissions they absolutely need, nothing more. IAM is the foundation of AWS security.

    IAM manages authentication (who you are) and authorization (what you can do) in AWS.

    Key Capabilities

    Key components: Users (individual identities), Groups (collections of users), Roles (temporary credentials for applications/services), and Policies (JSON documents defining permissions). Policies use effect (Allow/Deny), actions (ec2:StartInstances), and resources (arn:aws:ec2:*:*:instance/*). IAM supports identity federation (SAML, OIDC) for SSO with corporate directories. Key features: MFA for additional security, password policies, access keys for programmatic access, and service control policies (SCPs) in AWS Organizations for account-level restrictions.

    Gotchas & Constraints

    Gotcha #1: IAM is eventually consistent; policy changes can take seconds to propagate. Gotcha #2: Explicit Deny always wins; if one policy denies and another allows, the deny takes precedence. Constraints: IAM is global (not region-specific), maximum 5,000 users per account (use federation for more), and policies have size limits (6,144 bytes for managed policies).

    A company has 200 employees across development, operations, and finance teams. Instead of sharing root account credentials (which is dangerous), they create IAM users for each employee. Developers get policies allowing EC2, RDS, and S3 access in the dev account. Operations get full access to production resources. Finance gets read-only access for cost analysis. They create IAM roles for applications: EC2 instances assume roles to access S3 without embedding access keys in code. For contractors, they use IAM roles with temporary credentials that expire after 12 hours. They enable MFA for all users with admin privileges and set up CloudTrail to log all IAM actions for compliance. When an employee leaves, they delete the IAM user, immediately revoking all access.

    The Result

    granular access control, no shared credentials, and full audit trail of who did what.

    Official AWS Documentation