IAM & Access Management
AWS IAM is the global service for controlling who (authentication) and what (authorization) can access AWS resources. Core components are users, groups, roles, and JSON policies. Following least-privilege principles, enabling MFA on the root account, and using roles instead of long-term access keys for services are the most tested IAM best practices on CLF-C02.
1. IAM Overview
AWS Identity and Access Management (IAM) is a global service (not region-specific) that controls:
- Authentication — Who you are (verifying identity via login or credentials)
- Authorization — What you can do (permissions granted via policies)
IAM is free — no charge for creating users, roles, groups, or policies.
2. IAM Core Components
3. Root Account
Created automatically when you first sign up for AWS. Has complete, unrestricted access to every AWS resource and billing function.
Root account should ONLY be used for:
- Closing the AWS account
- Changing the AWS support plan
- Changing the payment method
- Enabling IAM access to the Billing console
- Restoring IAM administrator access
Root account should NEVER be used for:
- Daily administrative tasks
- Programmatic API or CLI calls
- Application access
Protect root with MFA — this is one of the most commonly tested best practices on CLF-C02.
4. IAM Users
Individual identities for humans or applications needing long-term access. Two credential types:
| Credential | Used For |
|---|---|
| Password | AWS Management Console (web UI) login |
| Access Key ID + Secret Access Key | Programmatic access via CLI, SDK, or API |
Best practices for users:
- Create one IAM user per person — never share credentials
- Never embed access keys in application source code
- Rotate access keys regularly
- Delete or deactivate unused users immediately
5. IAM Groups
Collections of IAM users. Attach a policy to the group — all members automatically inherit those permissions.
Key rules:
- You cannot nest groups (no groups inside groups)
- A user can belong to multiple groups and inherits permissions from all
- Groups are for organizational convenience — they are not identities and cannot log in
6. IAM Roles
A role is an identity that can be assumed by AWS services, users, or applications. Roles provide temporary security credentials via AWS STS (Security Token Service) — no long-term passwords or access keys are stored anywhere.
Why roles instead of users for services:
- No static access keys to rotate or accidentally expose in code
- Credentials are automatically rotated by STS
- Fine-grained permissions tailored to each service's needs
Common role use cases:
| Who Assumes the Role | Example |
|---|---|
| EC2 instance | Instance role allowing the app to write to S3 |
| Lambda function | Execution role allowing Lambda to read from DynamoDB |
| ECS task | Task role with permissions for the containerized app |
| Federated user | Corporate employee signing in via Active Directory SSO |
| Cross-account | Account A accessing resources in Account B |
7. IAM Policies
JSON documents that define what actions are allowed or denied on which resources:
Policy types:
| Type | Description |
|---|---|
| AWS Managed | Pre-built by AWS (e.g., AdministratorAccess, ReadOnlyAccess, AmazonS3FullAccess) |
| Customer Managed | Created and maintained by you; reusable across entities |
| Inline | Embedded directly in a single user, group, or role; not reusable |
| Resource-based | Attached to a resource like an S3 bucket policy; specifies who can access it |
| SCPs | Applied at AWS Organizations level; define maximum permissions for entire accounts |
8. Policy Evaluation: How AWS Decides Allow or Deny
When AWS receives an API request, it evaluates all applicable policies in this order:
- Explicit DENY in any policy — request is immediately denied (highest priority)
- SCP — if the account's Organization SCP does not allow the action, denied
- Resource-based policy — if the resource policy grants access, may be permitted
- Identity-based policy — the user/role must have an Allow for the action
- Permission boundaries — if set, the final permission cannot exceed the boundary
- Default: Implicit DENY — if no explicit Allow is found anywhere, the request is denied
Key rule to remember: An explicit Deny always wins over any Allow, no matter where the Allow comes from.
9. IAM Best Practices
| Best Practice | Why It Matters |
|---|---|
| Enable MFA on root account | Root has unlimited power — one of the highest security priorities |
| Never use root for daily tasks | Reduces blast radius if root credentials are ever compromised |
| Grant least privilege | Only minimum permissions needed; reduces attack surface |
| Use roles for EC2, Lambda, ECS | No static keys to accidentally expose in code or logs |
| Never share credentials | Each person and service should have its own identity |
| Rotate access keys regularly | Limits exposure window if a key is leaked |
| Use IAM Identity Center for SSO | Centrally manage access across multiple accounts |
| Use AWS Organizations with SCPs | Enforce permission guardrails across the entire organization |
10. IAM Identity Center (formerly AWS SSO)
- Centrally manage single sign-on (SSO) access to multiple AWS accounts and business apps
- Integrates with Active Directory, Okta, and SAML 2.0 identity providers
- Users sign in once and access multiple accounts without needing separate IAM users per account
- Recommended approach for enterprises with multiple AWS accounts
11. AWS Organizations and SCPs
Service Control Policies (SCPs):
- Applied at the Organizations level to accounts or OUs
- Define the maximum permissions available — they do not grant permissions themselves
- An SCP Deny overrides any IAM Allow in the account
- Used to enforce guardrails like "no one in this account can create resources outside us-east-1"
12. CLF-C02 Quick Reference
| Topic | Key Fact |
|---|---|
| IAM scope | Global service — not region-specific; free to use |
| Root account | Full access; protect with MFA; use only for ~5 specific tasks |
| IAM Users | Individual identities; password and/or access keys; long-term |
| IAM Groups | Cannot be nested; user can belong to multiple groups |
| IAM Roles | Temporary credentials via STS; used by services and federated users |
| IAM Policies | JSON documents; Effect, Action, Resource |
| Explicit Deny | Always wins over any Allow |
| Least privilege | Grant only minimum required permissions |
| MFA | Must enable on root; strongly recommended for all privileged users |
| Access keys | For programmatic CLI/SDK access; never embed in code |
| SCP | Max permission boundary at Organizations level; overrides IAM Allows |
| IAM Identity Center | SSO access to multiple AWS accounts; recommended for enterprises |
| Roles vs access keys | Always prefer roles for services; no static keys to manage |
Practice Questions9
Q1. What is the AWS root account user?
Select one answer before revealing.
Q2. What is the AWS recommended best practice for securing the root account?
Select one answer before revealing.
Q3. What is the principle of least privilege in AWS IAM?
Select one answer before revealing.
Q4. A company has 50 developers who all need the same S3 read permissions. What is the MOST efficient IAM approach?
Select one answer before revealing.
Q5. What is the key difference between an IAM user and an IAM role?
Select one answer before revealing.
Q6. An application running on EC2 needs to write to an S3 bucket. What is the MOST secure way to provide this access?
Select one answer before revealing.
Q7. A company uses AWS Organizations and wants to prevent all accounts in a specific OU from launching resources in the eu-west-1 region. Which feature enables this?
Select one answer before revealing.
Q8. Which TWO actions can ONLY be performed by the AWS root account user and cannot be delegated to IAM users or roles? (Select TWO — more than one answer may be correct)
Select one answer before revealing.
Q9. What does enabling MFA (Multi-Factor Authentication) on an AWS account add to security?
Select one answer before revealing.