β Day 7 of My Cloud Journey β β Introduction to IAM: Identity & Access Management π
Pratik DasWelcome to Day 7 of my #30DaysOfCloud journey!
Today, I dove into IAM β Identity and Access Management, one of the most critical building blocks of cloud security in AWS.
π What is IAM?
IAM (Identity and Access Management) is an AWS service that helps securely manage access to AWS resources.
It lets you define:
Who can access your AWS resources (identities)
What actions they can perform
Which resources they can access
Under what conditions (e.g., from a certain IP, with MFA, etc.)
Think of IAM as your cloudβs security gatekeeper.
𧩠Key Components of IAM
1οΈβ£ IAM Users π€
An IAM user represents a real person or service that interacts with AWS.
Has long-term credentials: Access Key ID + Secret
Can sign in to AWS Console or use CLI/API
Should be given only necessary permissions
2οΈβ£ IAM Groups π₯
Groups let you organize users and assign policies in bulk.
Example: Group "Developers" has EC2 + S3 access
All users in that group inherit those permissions
π Helps with team management and security policies at scale.
3οΈβ£ IAM Roles π
Roles allow temporary access to AWS resources.
They are not tied to specific users and are ideal for:
EC2 instances
Lambda functions
Cross-account access
Federated access (SSO, external identity providers)
π Roles assume permissions temporarily and use security tokens.
4οΈβ£ IAM Policies π
Policies are JSON documents that define allowed/denied actions on AWS resources.
Example:
jsonCopyEdit{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*"
}
]
}
Managed policies: Provided by AWS
Custom policies: Created by you for fine-grained control
5οΈβ£ Multi-Factor Authentication (MFA) π
MFA adds an extra layer of protection to your AWS account.
Users must enter a one-time code from a device (e.g., Authy, Google Authenticator)
Highly recommended for admin accounts
π Real-World Use Cases
Hereβs how IAM fits into daily AWS work:
β
Give EC2 instances permission to access S3
β
Restrict developers to specific resources like DynamoDB
β
Rotate API keys securely
β
Set up cross-account roles for external collaboration
β
Apply Service Control Policies (SCPs) in organizations
β
Enforce MFA for privileged users
β How IAM Works (Example Scenario)
Letβs say you want your EC2 instance to access a private S3 bucket without hardcoding credentials.
Steps:
Create an IAM Role
Attach S3 read/write permissions to the role
Attach that role to your EC2 instance
EC2 automatically uses temporary credentials
β
No hardcoded secrets
β
Secure, temporary, and scoped permissions
β οΈ Best Practices for IAM
π Follow Principle of Least Privilege
Give only the permissions required β nothing more.
π Rotate credentials regularly
π Use roles instead of hardcoded access keys
π Never share your root account credentials
π Enable MFA for all users, especially admins
π§ͺ Test policies using the IAM Policy Simulator
π Bonus β IAM Policy Simulator
Try this out to test your IAM policies:
π https://policysim.aws.amazon.com/
π Whatβs Next?
Tomorrow, Iβll take this further:
Create IAM roles
Attach them to EC2
Use the AWS CLI to access S3 using role-based credentials
This hands-on will help reinforce the secure practices of role assumption and temporary access tokens.
π Resources to Learn More
π£ Let's Connect
If youβre also learning Devops, AWS or cloud computing, follow along or reach out!
Letβs grow and share knowledge together. π
Subscribe to my newsletter
Read articles from Pratik Das directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by