What is IAM ?

IAM stand for Identity and Access Management .

AWS Identity and Access Management (IAM) is a secure web service that enables you to manage access to AWS services and resources for users and applications. It helps you define “who can do what” in your cloud environment.

In simple terms:
IAM is like a digital gatekeeper that verifies identity and grants permission.

Why IAM Matters ?

Security First: Prevents unauthorized access to critical resources.
Granular Control: Allows precise permission assignment (e.g., only read access to S3).
Auditing Made Easy: Tracks user actions for compliance and governance.
Multi-user Setup: Easily manages access for multiple team members without sharing passwords.

Core Components of IAM

1.Users

2.Groups

3.Roles

4.Policies

Users

Represent individual people or applications.
Each has a unique name.

Can be assigned login credentials (username, password, access keys).

Users are people within your organization, and can be grouped.

Example: An intern who only needs access to view EC2 instances.

Groups

A collection of users.
Policies assigned to groups apply to all users in that group.

Simplifies management—especially in large teams.

Groups only contain users, not other groups.

Example: A “Developers” group with access to CodeCommit and Lambda.

Roles

Created for temporary access.
Ideal for giving permissions to AWS services or cross-account access.

Users or applications can “assume” roles to perform specific actions.

Example: EC2 instances assuming a role to access S3 buckets.

Polices

JSON documents that define permissions.
They specify allowed or denied actions for users, groups, or roles.

Can be AWS-managed or customer-managed.

Example: A policy that allows “s3:PutObject” to a specific bucket.

IAM Policies Structure

An IAM policy is a JSON document that defines permissions for AWS services. These permissions specify:

Who can do what
On which resources
Under what conditions

IAM policies follow a standard structure, which includes key elements like Version, Statement, Effect, Action, Resources, and optional Condition.

For JSON knowledge use goggle.

IAM – Password Policy

A strong password is the first defense against unauthorized access to your AWS environment. IAM allows you to enforce password policies to ensure that all users in your AWS account follow security best practices.

Why Set a Password Policy?

By enforcing a password policy, you can:

Encourage users to create stronger, more complex passwords
Reduce the risk of brute-force attacks
Maintain better compliance with security standards.

Key Password Policy Options:
1. Minimum Password Length
  Set the required number of characters (e.g., 8, 12, or more).
2. Character Requirements
  Require passwords to include:
  - Uppercase letters (A–Z)
  - Lowercase letters (a–z)
  - Numbers (0–9)
  - Non-alphanumeric characters (like ! @ # $ % ^ & *)
3. Password Expiration
  Force users to change their password after a specific number of days (e.g., every 90 days).
4. Prevent Password Reuse
  Stop users from reusing any of their last N passwords (you define how many).

Self-Service Password Changes
Allow IAM users to change their own password via the AWS Management Console.

Note - Combine password policies with MFA (Multi-Factor Authentication) for maximum protection.

Multi Factor Authentication - MFA

When it comes to cloud security, a strong password isn’t always enough. If someone gains access to your password, they could potentially modify configurations, delete resources, or even take over your entire AWS account. That’s why AWS recommends enabling MFA (Multi-Factor Authentication) for both the root user and IAM users.

Why is MFA Important?

IAM users and the root account often have powerful permissions.
Without MFA, anyone with a stolen password can log in and make changes.

Some resources, once deleted or alteret , cannot be recovered.

What is MFA?

MFA (Multi-Factor Authentication) is an extra layer of security that combines:

Something you know: your password
Something you have: a physical device or app
This means even if a password is stolen, attackers still can't log in without the second factor.

Key Benefit of MFA:

Even if a password is hacked, the account remains protected.

It effectively reduces the chances of unauthorized access and is considered a best practice by AWS and most security professionals.

How to Enable MFA in AWS:

Go to the IAM Console
Choose “Users” → Select the user you want
Click on “Security credentials”
Select “Assign MFA device”
Choose a method:
- Virtual MFA (e.g., Google Authenticator, Authy)
- Hardware MFA (physical devices)
Follow setup instructions and verify.

Note - MFA protects your AWS account even when passwords fail. It’s a simple, effective way to stay safe in the cloud.

Benifit - if your password is stolen or hacked then your account is not compormized.

How Do Users Access AWS?

AWS provides three main ways for users to access and interact with its services:

AWS Management Console

A web-based interface for interacting with AWS services.
Secured using a username + password, and ideally MFA.

AWS CLI (Command Line Interface)

For managing AWS services using terminal commands.
Secured with Access Key ID and Secret Access Key.

AWS SDKs (Software Development Kits)

Used to interact with AWS services directly from code (e.g., Python, Java, Node.js).
Also secured using access keys.

What Are Access Keys?

Access Key ID ≈ Your username.
Secret Access Key ≈ Your password.
Access keys are generated in the IAM console.
Users are responsible for managing their own keys.

Never share access keys—they are confidential.

What is the AWS CLI?

The AWS CLI (Command Line Interface) is a powerful, open-source tool that allows you to interact with AWS services using simple commands directly in your terminal or command-line shell.

Why Use the AWS CLI?

Instead of clicking around the AWS Management Console, the CLI gives you:

Faster execution of tasks
Automation through scripting
Direct access to AWS public APIs
Complete control over services from your local machine

Example: You can create an S3 bucket, launch an EC2 instance, or manage IAM users—all with a single command.

Open Source & Extensible

AWS CLI is open-source and available on GitHub:
https://github.com/aws/aws-cli

Security Note: AWS CLI uses Access Key ID and Secret Access Key to authenticate, so keep them safe and never hardcode them into public code repositories.

What is the AWS SDK?

The AWS SDK (Software Development Kit) is a collection of language-specific libraries that allows developers to interact with AWS services programmatically—right from within their applications.

What Can You Do with AWS SDK?

Access and manage AWS services in code
Automate operations like uploading files to S3, launching EC2 instances, or publishing to SNS
Embed AWS functionality directly into your web, mobile, or IoT apps

SDKs for Every Use Case

AWS offers SDKs for a wide variety of programming languages:

General SDKs:

JavaScript / Node.js
Python
Java
Go
Ruby
.NET (C#)
PHP
C++

Mobile SDKs:

Android
iOS

IoT SDKs:

Embedded C
Arduino
Example: The AWS CLI is actually built using the AWS SDK for Python (boto3).

How Does It Help?

Seamless integration with AWS services
Faster development and automation
Great for building cloud-native apps

Note- If you’re developing cloud applications, the SDK is your gateway to fully automate and scale services using real code—not just click-and-configure UI.

IAM Roles for AWS Services

In many real-world cloud scenarios, AWS services often need to perform actions on your behalf. But instead of using hardcoded credentials (which is insecure), AWS uses IAM Roles to grant those services permissions in a secure and scalable way.

Why Use IAM Roles?

When an AWS service (like EC2, Lambda, or CloudFormation) needs to access other AWS resources (like S3 or DynamoDB), it doesn’t log in as a user. Instead, you assign it a role with just the right permissions.

What is an IAM Role?

An IAM Role is a set of permissions that can be assumed by trusted entities—such as AWS services, users from another AWS account, or federated identities.

IAM Roles provide temporary security credentials, making them more secure and flexible than long-term credentials.

Common Use Cases

EC2 Instance Roles

Allows an EC2 instance to access services like S3, CloudWatch, or DynamoDB without storing access keys.

Lambda Execution Roles

Grants Lambda functions the necessary permissions (e.g., writing to CloudWatch Logs or accessing RDS).

CloudFormation Roles

Enables AWS CloudFormation to create or manage resources using defined permissions in a stack.

How It Works (Quick Flow):

Create an IAM Role
Define trust relationship (who can assume it)
Attach necessary policies (what the role can do)
Assign the role to the AWS service

Security Tip:

Always follow the Principle of Least Privilege — grant the service only the permissions it absolutely needs.

IAM Security Tools in AWS

Managing user access in AWS isn’t just about assigning permissions — it’s also about monitoring and reviewing them over time. AWS provides built-in tools to help you audit IAM users and ensure your account follows best security practices.

1. IAM Credentials Report (Account-Level)

The IAM Credentials Report is a downloadable file that gives a complete overview of all IAM users in your AWS account and the status of their security credentials.

What It Shows:

Whether a password is enabled
If MFA is activated
Age of access keys
When the user last used credentials
Whether passwords are being rotated regularly

You can download it from the IAM Console → “Credential report”.

Use case: Easily spot inactive users or outdated access keys.

2. IAM Access Advisor (User-Level)

The IAM Access Advisor helps you optimize user permissions by showing:

The AWS services a user has access to
The last time each service was accessed (if at all)

This allows you to remove unused permissions and enforce the principle of least privilege.

Why Use These Tools?

Improve account security
Clean up unnecessary permissions
Help with compliance and audits
Reduce the attack surface

IAM Guidelines & Best Practices in AWS

To keep your AWS environment secure, it's critical to follow IAM best practices. These rules ensure proper identity management, minimize risk, and help enforce the Principle of Least Privilege.

Security-First IAM Practices

1. Avoid Using the Root Account

Only use the root account for initial AWS setup
Secure it with MFA and avoid daily usage

Think of it as the AWS “master key” — store it safely and rarely touch it.

2. One User = One Identity

Each individual should have their own IAM user
This ensures better tracking and accountability

3. Use IAM Groups

Organize users into groups based on roles (e.g., admins, developers, viewers)
Assign permissions to groups, not individual users

This makes permission management much easier and scalable.

4. Enforce a Strong Password Policy

Set minimum length
Require uppercase, lowercase, numbers, and special characters
Enable password rotation and reuse prevention

Strengthening passwords reduces brute-force attack risk.

5. Enable Multi-Factor Authentication (MFA)

MFA adds a second layer of security
Enforce MFA for both the root user and all IAM users

6. Use IAM Roles for Services

Use roles, not users, for services like EC2, Lambda, etc.
Roles provide temporary credentials, improving security

7. Use Access Keys for Programmatic Access

For CLI or SDK access, generate Access Key ID + Secret Access Key
Never hardcode or share access keys publicly

8. Regularly Audit IAM Access

Use the IAM Credentials Report to check password/MFA status
Use IAM Access Advisor to see which services users actually use

Helps identify inactive users or over-permissioned roles.

Each user should only use their own credentials
Sharing usernames, passwords, or access keys is a major security risk

Final Note:

Keep IAM simple, secure, and auditable. Good IAM hygiene = better cloud protection.

IAM Section – Summary

• Users: mapped to a physical user, has a password for AWS Console

• Groups: contains users only • Policies: JSON document that outlines permissions for users or groups

• Roles: for EC2 instances or AWS services

• Security: MFA + Password Policy

• AWS CLI: manage your AWS services using the command-line

• AWS SDK: manage your AWS services using a programming language

• Access Keys: access AWS using the CLI or SDK

• Audit: IAM Credential Reports & IAM Access Advisor

Cloudcrafted Security: Mastering IAM in AWS with Confidence

Table of contents