AWS - IAM

Introduction to AWS Identity & Access Management (IAM)

A simple, crisp guide with real-world analogies and ready-to-copy code snippets.

What is IAM?

IAM (Identity and Access Management) is an AWS service that controls who can access an AWS account (authentication) and what they can do (authorization).

Analogy: IAM is like office security. Reception checks your ID (authentication). Your access card opens only certain rooms (authorization).

Key features — at a glance

  • Global: IAM is global — not region-specific.
  • Integrated: Works with most AWS services by default.
  • Password policies & MFA: Enforce complexity and multi-factor authentication.
  • Federation: Use corporate or social logins (AD, Google, Okta) for temporary access.
  • Free: IAM is available at no extra cost to AWS customers.

IAM Identities: Users, Groups, and Roles

IAM User

An IAM user represents a person or a service that interacts with AWS. Credentials can be:

  • Console access — username & password
  • Programmatic access — access key + secret key (CLI/API)

IAM Group

A group is a collection of users. Permissions attached to the group apply to all members — an essential best practice for scalable permission management.

  • Users can belong to many groups.
  • Groups cannot belong to groups.

Root user

The account root user has full access. Avoid using it for daily tasks; create IAM users instead.

IAM Policies — the rules of the road

Policies are JSON documents that allow or deny actions on resources. They attach to users, groups, and roles. When a request is made, AWS evaluates the policies tied to that identity.

Policy structure (required elements)

Element   | Description                                  | Example
Version   | Policy language version                      | "2012-10-17"
Effect    | Allow or Deny                                | "Effect": "Allow"
Action    | The operation(s) permitted or denied         | "iam:CreateUser"
Resource  | Which AWS resource(s) the statement covers   | ARNs like "arn:aws:iam::123456789012:user/Bob"

Tip: Use the least privilege principle — give only the permissions required, and no more.

Admin (full access) — JSON

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "*",
    "Resource": "*"
  }]
}

Grant a user permission to manage only their own password

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "iam:ChangePassword",
      "iam:GetUser"
    ],
    "Resource": "arn:aws:iam::123456789012:user/${aws:username}"
  }]
}
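To see how the two policies above behave once they are attached, here is a small policy evaluator added as an example (not part of the original guide, and not the AWS implementation). It is a deliberately simplified model of identity-based evaluation: it honours only Effect/Action/Resource, substitutes the ${aws:username} variable, and applies the rule that an explicit Deny always beats an Allow, which otherwise beats the default implicit deny. The third policy, DENY_ALL_IAM, is constructed here to demonstrate that precedence.

```python
import re

# Constructed sample policies, copied from the two policy documents above,
# plus a third Deny policy constructed to show explicit-deny precedence.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
SELF_SERVICE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:ChangePassword", "iam:GetUser"],
        "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
    }],
}
DENY_ALL_IAM = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "iam:*", "Resource": "*"}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource, username):
    """Decide one request against identity-based policies only.

    Simplified model (assumption): only Effect/Action/Resource are honoured
    and ${aws:username} is substituted. Precedence: any matching Deny wins,
    otherwise a matching Allow, otherwise the request is implicitly denied.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            # Action names are case-insensitive in IAM; ARNs are matched as written.
            action_hit = any(_glob(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_glob(r.replace("${aws:username}", username), resource, False)
                               for r in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny is never overridden by an Allow
                decision = "Allow"
    return decision
```

With SELF_SERVICE_POLICY, john_dev can call iam:ChangePassword on his own ARN but gets an implicit deny on Bob's, which is the least-privilege outcome the policy is meant to produce. Real AWS evaluation also considers SCPs, permission boundaries, session policies and resource-based policies, none of which this model covers.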

Short workflows & real-world examples

New developer joins

  1. Create IAM user: john_dev
  2. Add to Developers group
  3. Group policy gives access to EC2, Lambda, S3 as needed

Developer changes role to security engineer

Remove the user from Developers, add to Security group — no per-user policy editing required.

Why this matters: Groups make permission management scalable and auditable — essential for teams of any size.

Quick CLI snippets

Copy these commands into your terminal (requires configured AWS CLI and admin permissions):

# 1. Create a group
aws iam create-group --group-name Developers

# 2. Create a user
aws iam create-user --user-name john_dev

# 3. Add user to group
aws iam add-user-to-group --user-name john_dev --group-name Developers

# 4. Write the policy document to developer-policy.json, then attach it to the group as an inline policy
aws iam put-group-policy --group-name Developers --policy-name DevPolicy --policy-document file://developer-policy.json

Written in a simple, exam-friendly style — analogies, real-world examples, and copyable snippets to help you practice IAM safely.