AWS IAM Core Concepts with Policy Example

Understanding AWS Identity and Access Management (IAM)
A Comprehensive Guide to Secure Access in AWS
AWS Identity and Access Management (IAM) is a fundamental component of Amazon Web Services. Whether you're building your first cloud application or managing complex enterprise infrastructure, understanding IAM is essential to secure and control access to your AWS environment. IAM governs who can access AWS resources, what actions they can perform, and under what conditions.
In this guide, we’ll break down IAM concepts, explore how permissions are structured, and offer practical guidance for managing IAM securely and efficiently.
What is AWS IAM and Why It Matters
AWS IAM (Identity and Access Management) is a service that enables you to manage access to AWS services and resources securely. IAM helps you create and manage users, groups, roles, and permissions in your AWS account.
Access to AWS resources—like S3 buckets, EC2 instances, or Lambda functions—is controlled through IAM. Each resource can only be accessed by authorized users or applications. IAM ensures that only the right entities can perform specific actions, reducing the risk of unauthorized access, data breaches, or accidental deletions.
IAM is a shared responsibility: while AWS secures its infrastructure, you are responsible for managing access to your own resources. A misconfigured IAM policy can expose sensitive data or critical services, making proper IAM configuration vital.
How IAM Permissions Work: Users, Actions, and Policies
In IAM, access decisions are made based on policies. A policy is a JSON document that defines the allowed or denied actions for users, groups, or roles. AWS checks these policies whenever a user or service attempts an operation.
Example:
Let’s say you have a user named ABCD, and he wants to create a Lambda function. By default, ABCD has no permissions. AWS enforces implicit deny, meaning all actions are denied unless explicitly allowed.
To give ABCD access, you must attach a policy that explicitly grants the permission:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLambdaCreateFunction",
"Effect": "Allow",
"Action": "lambda:CreateFunction",
"Resource": "*"
}
]
}
Key Elements:
Effect: Specifies whether the action is
Allow
orDeny
. An explicitDeny
always overrides anAllow
, even across multiple policies.Action: Defines what operation is being permitted or denied (e.g.,
lambda:CreateFunction
).Resource: Indicates which AWS resources this permission applies to. Using
"*"
applies the permission to all resources, but this should be scoped narrowly for security.
Implicit vs Explicit Deny:
Implicit Deny: Applies by default. If access is not explicitly granted, it is denied.
Explicit Deny: Overrides any allow permissions. Use this to block specific actions or resources, even if a broader allow is in place.
This layered permission model provides flexibility but also requires careful planning to avoid unintentional access.
How IAM Works Across AWS Interfaces
No matter how you interact with AWS, IAM policies are always evaluated to determine what actions you’re allowed to perform.
1. AWS Management Console
When logging into the web-based console, IAM uses your user credentials to determine what services and resources you can access. The console dynamically shows only those services you're authorized to use.
2. AWS Command Line Interface (CLI)
The CLI is used for scripting and automation. You authenticate using an Access Key ID and a Secret Access Key, which are generated for your IAM user. These keys act like a username and password combination for programmatic access.
3. AWS SDKs
When developing cloud-native applications (e.g., in Python with Boto3 or JavaScript with AWS SDK), your application uses these keys to access AWS services on your behalf. This is essential for backend services like serverless APIs or data-processing functions.
⚠️ Security Note: Always protect access keys and never hardcode them in source code. Use IAM roles with temporary credentials wherever possible.
Fine-Grained Permissions: Deep Dive into IAM Policies
IAM policies can go beyond basic allow/deny. They support conditions that allow you to enforce contextual access—for example, allowing read access to specific columns in a DynamoDB table or restricting actions to a specific time range or IP address.
Example: Read-Only Access to Specific DynamoDB Columns
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan"
],
"Resource": "arn:aws:dynamodb:region:account-id:table/table-name",
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:Attributes": ["column1", "column2", "column3"]
}
}
}
Highlights:
Action: Grants standard read access to DynamoDB.
Resource: Limits the permission to a specific table using its ARN (Amazon Resource Name).
Condition: Restricts access to specific attributes within the table.
This approach supports least privilege access and data protection, ensuring users or applications access only what’s necessary.
IAM Groups, Roles, and Trust Relationships
IAM is built to scale, and managing hundreds or thousands of users individually is inefficient. AWS offers mechanisms like groups, roles, and trust relationships to simplify access control at scale.
IAM Groups
Groups are collections of users that share common permissions. For example:
Admins might have full access.
Developers might have read/write to compute services.
Auditors might have read-only permissions.
By assigning policies to a group, all users in that group inherit those permissions automatically. This makes onboarding new users faster and more consistent.
IAM Roles
Roles provide temporary credentials and are used by:
AWS services like EC2, Lambda, or ECS to interact with other AWS resources.
Users or services in another AWS account (cross-account access).
Federated users from identity providers like Okta or Azure AD.
Roles are not tied to a specific user. Instead, they are assumed for a session. This design supports secure automation and delegation.
Trust Relationships
Trust relationships define who can assume a role. This is critical for cross-account access. For example:
Account A owns a sensitive S3 bucket.
Account B needs access to read from the bucket.
Account A creates a role with read permissions and establishes a trust relationship with Account B, allowing its users or services to assume the role securely.
This mechanism ensures controlled, auditable, and temporary access across environments.
Best Practices for Managing IAM in AWS
To manage IAM effectively and reduce security risks, follow these proven practices:
🔐 Protect the Root Account
Use the root user only for essential tasks (e.g., account setup).
Enable multi-factor authentication (MFA).
Do not use it for day-to-day operations.
✅ Use Least Privilege
Grant only the permissions required to perform specific tasks.
Avoid using
"Action": "*"
or"Resource": "*"
in production policies.Regularly audit permissions and remove unused access.
⚠️ Deny Takes Precedence
An explicit deny in any policy will always override an allow.
This helps enforce restrictions even if users are granted broad permissions elsewhere.
🧪 Use the IAM Policy Simulator
Test permissions before deploying them.
Identify and troubleshoot access issues quickly.
Ensure policies work as expected without unintended access.
Summary: Mastering IAM for Secure AWS Operations
AWS IAM allows you to define who can do what in your cloud environment. By combining users, groups, roles, policies, and trust relationships, you can implement scalable and secure access control.
Key takeaways:
IAM users and groups simplify access for people.
IAM roles enable secure, temporary access for applications and services.
Policies define the actions allowed or denied, scoped to specific resources.
Trust relationships enable secure collaboration across AWS accounts.
Least privilege and policy testing are critical to maintaining security.
By understanding and applying these concepts, you can confidently manage access and build robust, secure cloud applications in AWS.
About me: I am a Cloud Architect who like to learn and write about Cloud concepts. If you are an organization that want to hire me then I can be contacted at techonlinewriter@gmail.com
Subscribe to my newsletter
Read articles from Prakash Agrawal directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
