AWS IAM: Complete Guide to Identity and Access Management

Introduction

In today’s cloud-first world, security is not optional — it’s foundational. AWS IAM (Identity and Access Management) is the core Amazon Web Services service that controls who can access your cloud infrastructure and what they can do with it.

Published Jun 8, 2025

📘 What is AWS IAM?

AWS IAM is a service that allows you to securely manage access to AWS services and resources. You can use IAM to create users, groups, roles, and define permissions using policies.
IAM is free and enabled by default in every AWS account.

🛠️ Tools Provided by IAM

Here are the main tools that IAM offers to manage access:
  • IAM Users – for individual identities
  • IAM Groups – to manage permissions across users
  • IAM Roles – for temporary access by AWS services or federated users
  • IAM Policies – to define fine-grained access
  • Multi-Factor Authentication (MFA) – to add an extra security layer
  • IAM Access Analyzer – to check for unintended access
  • Service Control Policies (SCPs) – applied through AWS Organizations to cap the permissions available in member accounts

👤 Types of IAM Users

1. Root User

  • This is the identity created when you sign up for AWS; it is tied to the account’s e-mail address.
  • Has full admin access to all services and billing, and its access cannot be restricted by IAM policies.
  • Should be used only for account setup and be protected with MFA.
⚠️ Never use the root user for daily operations. Instead, create IAM users.

2. IAM User

  • A regular user created under your AWS account.
  • Can have console and/or programmatic access (CLI, SDK, API).
  • Access is defined via policies.
Example: You create a user john_dev with permissions only to access EC2.

3. Federated User

  • Users from external identity providers (IdPs) who access AWS with temporary credentials.
  • They do not exist as IAM users; STS (Security Token Service) maps them to an IAM role and issues short-lived credentials for it.
Types of federated authentication:
  • SSO (Single Sign-On):
    • Integrates AWS with Microsoft AD, Google Workspace, Okta, etc.
    • Use-case: Company employees log in with their work credentials.
  • Social Authentication:
    • Amazon Cognito allows users to log in using Google, Facebook, or Amazon accounts.
    • Used in customer-facing applications.
Example:
A user logs into your app using Google, and Cognito assigns temporary AWS credentials via a federated IAM role.

👥 IAM Group

  • A collection of IAM users.
  • Used to assign the same permissions to multiple users.
  • Users inherit the policies attached to the group.
Example: Create a DevOpsTeam group with access to EC2, S3, and CloudWatch.

🧑‍🔧 IAM Role

  • IAM Roles provide temporary access to AWS resources.
  • Roles are assumed by:
    • IAM users
    • AWS services (like EC2, Lambda)
    • Federated users
  • Assuming a role returns temporary STS credentials that expire after a configurable session duration.
Common roles:
  • EC2 instance role to access S3
  • Lambda execution role
  • Cross-account access role

📜 IAM Policies

IAM Policies are JSON documents that define what actions are allowed or denied on which AWS resources.

🏷️ Types of Policies

  1. Managed Policies
    • AWS Managed: Predefined by AWS (e.g., AmazonS3ReadOnlyAccess)
    • Customer Managed: Custom policies that you create and manage.
  2. Inline Policies
    • Policies that are embedded directly into a single user, group, or role.
    • Used when the policy should live and die with that one identity: it cannot be reused elsewhere, and deleting the identity deletes the policy.
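The sections on groups and policies describe how a user’s effective permissions are the union of their own inline and managed policies plus those of their groups, and how an explicit Deny always wins. The following is an added example, not code from the article: a small local evaluator that applies that logic to constructed sample policies (stand-ins, not the real bodies of any AWS managed policy) for a hypothetical user john_dev in a DevOpsTeam group. Conditions, NotAction/NotResource, resource policies, permission boundaries and SCPs are out of scope, so it is a teaching model, not a replacement for the IAM policy simulator.

```python
import fnmatch

# Constructed sample policy documents (stand-ins, not the real bodies of
# any AWS managed policy).
S3_READ_ONLY = {  # plays the part of an AWS managed read-only policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}
EC2_OPS = {  # customer managed policy attached to the group
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
DENY_SECRETS_BUCKET = {  # inline policy embedded in one user
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::secrets-bucket", "arn:aws:s3:::secrets-bucket/*"],
    }],
}

# Hypothetical group and user wiring (names constructed for this demo).
DEVOPS_GROUP = {"name": "DevOpsTeam", "managed": [EC2_OPS, S3_READ_ONLY]}
JOHN_DEV = {"name": "john_dev", "managed": [], "inline": [DENY_SECRETS_BUCKET]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, target, case_sensitive):
    """'*' and '?' wildcards as IAM uses them; action names are
    case-insensitive, resource ARNs are case-sensitive."""
    patterns = _as_list(patterns)
    if not case_sensitive:
        target = target.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(target, p) for p in patterns)


def effective_policies(user, groups):
    """Identity-based policies that apply to a user: its own inline and
    managed policies plus the managed policies of every group it belongs to."""
    docs = list(user["inline"]) + list(user["managed"])
    for group in groups:
        docs.extend(group["managed"])
    return docs


def evaluate(policies, action, resource):
    """Reduced IAM evaluation logic for identity-based policies: any matching
    explicit Deny wins, otherwise a matching Allow is required, otherwise the
    request is implicitly denied."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny (explicit)"
            allowed = True
    return "Allow" if allowed else "Deny (implicit)"


def check(action, resource):
    """Decision for john_dev, taking group membership into account."""
    return evaluate(effective_policies(JOHN_DEV, [DEVOPS_GROUP]), action, resource)


if __name__ == "__main__":
    for req in [
        ("s3:GetObject", "arn:aws:s3:::public-assets/index.html"),
        ("s3:PutObject", "arn:aws:s3:::public-assets/index.html"),
        ("s3:GetObject", "arn:aws:s3:::secrets-bucket/db.env"),
        ("ec2:StartInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    ]:
        print(f"{req[0]:20} {req[1]:60} -> {check(*req)}")
```

The second request shows why "read-only" group policies matter for least privilege (PutObject is implicitly denied because nothing allows it), and the third shows that the user’s inline Deny overrides the group’s Allow.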

🧪 Real-World Example: Create IAM Setup for a DevOps Team

Let’s say you’re the admin and need to create access for a new DevOps engineer:

✅ Step-by-Step

  1. Create a group called DevOpsTeam
  2. Attach policies: AmazonEC2FullAccess, AmazonS3ReadOnlyAccess
  3. Create a user: shreyash_dev
  4. Add user to group DevOpsTeam
  5. Enable MFA
  6. Verify permissions by logging in as shreyash_dev
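The six steps above can be scripted. The following is an added example, not code from the article: it builds the sequence of IAM API calls for steps 1 to 4 as a reviewable plan, applies it either to a dry-run recorder or to a real boto3 IAM client (assumed installed, with credentials that may create users and groups), and checks what the group grants in place of step 6. The two policy ARNs are the real AWS managed policy ARNs for the policies the article names; step 5 is left to the engineer because enabling a virtual MFA device requires two consecutive codes from their own device.

```python
GROUP = "DevOpsTeam"
USER = "shreyash_dev"
POLICY_ARNS = [
    "arn:aws:iam::aws:policy/AmazonEC2FullAccess",
    "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess",
]


def build_plan(group=GROUP, user=USER, policy_arns=POLICY_ARNS):
    """Ordered (IAM API method, kwargs) pairs mirroring steps 1-4.
    Step 5 (MFA) is absent on purpose: iam.enable_mfa_device needs two
    consecutive TOTP codes from the user's device, so the engineer enrols
    interactively after first login."""
    plan = [("create_group", {"GroupName": group})]
    for arn in policy_arns:
        plan.append(("attach_group_policy", {"GroupName": group, "PolicyArn": arn}))
    plan.append(("create_user", {"UserName": user}))
    plan.append(("add_user_to_group", {"GroupName": group, "UserName": user}))
    return plan


def apply_plan(iam, plan):
    """Execute each step against an IAM client (boto3 or DryRunClient)."""
    for method, kwargs in plan:
        getattr(iam, method)(**kwargs)


def verify_group_policies(iam, group=GROUP):
    """Step 6 without logging in as the user: list what the group grants."""
    resp = iam.list_attached_group_policies(GroupName=group)
    return sorted(p["PolicyArn"] for p in resp["AttachedPolicies"])


class DryRunClient:
    """Stand-in for boto3's IAM client that records calls instead of making
    them, so the plan can be reviewed before anything is created."""

    def __init__(self):
        self.calls = []
        self._attached = {}

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls.append((name, kwargs))
            if name == "attach_group_policy":
                self._attached.setdefault(kwargs["GroupName"], []).append(kwargs["PolicyArn"])
            return {}
        return record

    def list_attached_group_policies(self, GroupName):
        attached = self._attached.get(GroupName, [])
        return {"AttachedPolicies": [{"PolicyArn": arn} for arn in attached]}


if __name__ == "__main__":
    import sys

    plan = build_plan()
    if "--apply" in sys.argv:
        import boto3  # real path: needs credentials with IAM write access

        iam = boto3.client("iam")
    else:
        iam = DryRunClient()  # default: show what would happen
    apply_plan(iam, plan)
    for method, kwargs in plan:
        print(method, kwargs)
    print("group grants:", verify_group_policies(iam))
```

Run it without arguments to review the plan; pass --apply to execute it for real. Keeping the plan separate from its execution is what makes the change reviewable before any identity exists.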

🔒 IAM Security Best Practices

  • ✅ Enable MFA for all IAM users
  • ✅ Avoid the root user for daily tasks
  • ✅ Use IAM roles for AWS service access
  • ✅ Apply least privilege principle
  • ✅ Rotate access keys regularly
  • ✅ Use IAM Access Analyzer to detect unwanted access
  • ✅ Log all access with AWS CloudTrail
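Several of these practices can be checked from the data IAM and CloudTrail already give you. The following is an added example, not code from the article: it runs three detections over constructed CloudTrail-style records (root activity, console logins without MFA, and calls that weaken CloudTrail itself) and flags active access keys overdue for rotation from data in the shape of iam.list_access_keys(). Field names follow the CloudTrail event format; every value (account id, IPs, user names, key ids, timestamps) is invented for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style records. Field names follow the CloudTrail
# event format; every value (account id, IPs, users, times) is invented.
SAMPLE_EVENTS = [
    {"eventTime": "2025-06-08T09:12:01Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2025-06-08T09:30:45Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "shreyash_dev"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2025-06-08T10:02:13Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "john_dev"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.9"},
    {"eventTime": "2025-06-08T11:15:00Z", "eventName": "DeleteTrail",
     "userIdentity": {"type": "IAMUser", "userName": "john_dev"},
     "sourceIPAddress": "198.51.100.9"},
]

# Constructed data in the shape of iam.list_access_keys()["AccessKeyMetadata"].
NOW = datetime(2025, 6, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"UserName": "john_dev", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Status": "Active",
     "CreateDate": datetime(2025, 1, 10, tzinfo=timezone.utc)},
    {"UserName": "shreyash_dev", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE", "Status": "Active",
     "CreateDate": datetime(2025, 5, 20, tzinfo=timezone.utc)},
    {"UserName": "john_dev", "AccessKeyId": "AKIAEXAMPLEINACTIVE0", "Status": "Inactive",
     "CreateDate": datetime(2024, 11, 1, tzinfo=timezone.utc)},
]

# CloudTrail API calls that reduce or stop the audit trail itself.
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def detect(events):
    """Return (rule, principal, eventName) findings for three of the practices
    above: no root use, MFA on every console login, CloudTrail left intact."""
    findings = []
    for event in events:
        ident = event.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        name = event["eventName"]
        if ident.get("type") == "Root":
            findings.append(("root_activity", who, name))
        if name == "ConsoleLogin" and event.get("additionalEventData", {}).get("MFAUsed") == "No":
            findings.append(("console_login_without_mfa", who, name))
        if name in TRAIL_TAMPERING:
            findings.append(("cloudtrail_tampering", who, name))
    return findings


def find_stale_keys(keys, now=NOW, max_age_days=90):
    """Active access keys older than max_age_days, i.e. rotation is overdue.
    Inactive keys are skipped; they should be deleted rather than rotated."""
    cutoff = now - timedelta(days=max_age_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and k["CreateDate"] < cutoff]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print("ALERT", *finding)
    print("keys overdue for rotation:", find_stale_keys(SAMPLE_KEYS))
```

In production the same functions would be fed from CloudTrail log files in S3 (or a CloudWatch Logs subscription) and from iam.list_access_keys per user; the rules themselves do not change.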

💡 Use Cases

Use Case                            Solution
Employees log in via work email     AWS SSO with Active Directory
Web app users log in via Google     Cognito + IAM federated roles
DevOps engineer access to EC2       IAM user + EC2 policy
Lambda reads from DynamoDB          IAM role for Lambda
Temporary access for a vendor       IAM role + STS

🎯 Final Thoughts

AWS IAM is essential for building secure cloud architectures. Whether you're just starting out with AWS or managing large-scale environments, understanding IAM will help you control access, improve security, and follow best practices.