IAM & Access Management

Difficulty: easy

Overview

AWS Identity and Access Management (IAM) is a global service that controls authentication (who you are) and authorization (what you can do) for all AWS resources.

Core IAM Components:

  • Root Account — Created when you first sign up for AWS. Has unrestricted access. Should be protected with MFA and never used for daily tasks. Only tasks that require root: close the account, change support plan, change payment method, restore IAM admin access.
  • IAM Users — Individual identities with long-term credentials (password + access keys). For humans or legacy apps.
  • IAM Groups — Collections of users that share policies. You cannot nest groups. Simplifies bulk permission management.
  • IAM Roles — Assumed by AWS services (EC2, Lambda), federated users, or other accounts. Provide temporary credentials via STS — no long-term keys stored.
  • IAM Policies — JSON documents defining permissions (Effect: Allow/Deny, Action, Resource).

Best Practices:

  • Enable MFA on root account immediately.
  • Follow the principle of least privilege — grant only minimum required permissions.
  • Use IAM roles (not users) for EC2, Lambda, ECS.
  • Never share credentials; never use root for daily tasks.
  • Rotate access keys regularly; prefer roles over long-term access keys.

IAM Identity Center (formerly AWS SSO) — Centrally manage SSO access to multiple AWS accounts and business applications.

Service Control Policies (SCPs) — Applied at AWS Organizations level; define the maximum permissions available in accounts. An SCP deny overrides any IAM allow.

Policy Evaluation: an explicit Deny in any policy always wins. Otherwise AWS checks, in order, SCPs → resource-based policies → identity-based policies → permission boundaries; a request is allowed only if the applicable policies in each of these layers allow it.
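An added worked example, not code from the original page or from AWS: a small simulator of the evaluation order just described, covering explicit deny, SCPs, identity-based policies and permission boundaries (resource-based policies and Condition elements are not modelled). All policy documents and ARNs below are constructed samples.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource):
    # Wildcard match on Action and Resource, as in IAM statements (Conditions not modelled).
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def policy_decision(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else 'Implicit'."""
    verdict = "Implicit"
    for stmt in policy["Statement"]:
        if _matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            verdict = "Allow"
    return verdict

def evaluate(action, resource, identity, scp=None, boundary=None):
    """Same-account decision for a principal with an identity policy, optional SCP and boundary."""
    verdicts = {"identity": policy_decision(identity, action, resource)}
    if scp is not None:
        verdicts["scp"] = policy_decision(scp, action, resource)
    if boundary is not None:
        verdicts["boundary"] = policy_decision(boundary, action, resource)
    if "Deny" in verdicts.values():
        return "Deny"                      # explicit deny anywhere always wins
    if verdicts.get("scp", "Allow") != "Allow":
        return "Deny"                      # SCP must allow (no SCP = unrestricted)
    if verdicts.get("boundary", "Allow") != "Allow":
        return "Deny"                      # boundary only limits, never grants
    return "Allow" if verdicts["identity"] == "Allow" else "Deny"   # implicit deny otherwise

# Constructed sample policies (hypothetical account, not from any real environment).
DEVELOPER = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::app-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::app-bucket/audit/*"},
]}
REGION_SCP = {"Statement": [                      # allow everything except EC2 in eu-west-1
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "arn:aws:ec2:eu-west-1:*"},
]}
S3_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    eu = "arn:aws:ec2:eu-west-1:111122223333:instance/*"
    print(evaluate("s3:PutObject", "arn:aws:s3:::app-bucket/report.csv", DEVELOPER, scp=REGION_SCP))  # Allow
    print(evaluate("ec2:RunInstances", eu, DEVELOPER, scp=REGION_SCP))                                # Deny
```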

Practice Linked Questions

Q1 (easy). What is the AWS root account user?

Q2 (easy). What is the AWS recommended best practice for securing the root account?

Q3 (easy). What is the principle of least privilege in AWS IAM?

Q4 (medium). A company has 50 developers who all need the same S3 read permissions. What is the MOST efficient IAM approach?

Q5 (medium). What is the key difference between an IAM user and an IAM role?

Q6 (medium). An application running on EC2 needs to write to an S3 bucket. What is the MOST secure way to provide this access?

Q7 (hard). A company uses AWS Organizations and wants to prevent all accounts in a specific OU from launching resources in the eu-west-1 region. Which feature enables this?

Q8 (hard). Which TWO actions can ONLY be performed by the AWS root account user and cannot be delegated to IAM users or roles? (Select TWO — more than one answer may be correct)

Q9 (easy). What does enabling MFA (Multi-Factor Authentication) on an AWS account add to security?