Understanding IAM: Users, Roles, Policies Made Simple 🔐

Yash SonawaneYash Sonawane
3 min read

"Oops, I gave full admin access to everyone... by mistake!" — said every beginner before learning IAM properly.

Let’s make sure that’s not you. 🙌

🧠 What Is IAM (And Why You Should Care)?

IAM (Identity and Access Management) is the security gatekeeper of AWS. It controls who can access what, and what they can do once they’re in.

Real-life analogy: IAM is like the security and ID system of an office building. Some people get access to every floor (admins), some can only enter their department (developers), and some are just visiting (temporary roles).

If you're building anything on AWS, IAM is the first thing you should understand.

🔑 Key IAM Concepts (Explained Simply)

1. Users – "The Employees"

An IAM user is a real person (like you or your teammate). You create one for each human who needs access.

  • Can log in with a username and password

  • Can have API access via access keys

  • Should be given only the permissions they need

{
  "Effect": "Allow",
  "Action": "s3:ListBucket",
  "Resource": "arn:aws:s3:::my-bucket"
}

🔒 Best Practice: Never use the root account for daily tasks. Create an IAM user with admin access instead.

2. Groups – "The Teams"

Instead of assigning permissions to users one by one, put them in a group.

  • Example: Developers, Admins, Billing

  • Permissions assigned to the group apply to all members

✅ Makes access management easier and cleaner.

3. Roles – "The Temporary Visitors"

An IAM role is a set of permissions that can be assumed by:

  • AWS services (like Lambda or EC2)

  • Other AWS accounts

  • External identities (like SSO or third-party tools)

Analogy: Think of a guest badge that lets someone temporarily access parts of your building.

🧪 Real Use Case:

  • EC2 assumes a role to access S3 without storing AWS keys.
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::my-bucket/*"
}

4. Policies – "The Rulebook"

Policies are JSON documents that define what is allowed or denied.

Types:

  • Managed Policies: Pre-built by AWS

  • Customer Policies: Custom made by you

  • Inline Policies: Attached directly to a single user or role (use sparingly)

🔍 Example: Give read-only access to S3

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    }
  ]
}

🧭 Putting It All Together

Let’s say you run a project:

  • Alice (developer) is added as a user in the Developers group

  • The group has a managed policy for EC2 and S3 read

  • An EC2 instance assumes a role that allows it to read/write to S3

You just built a secure, scalable, access-controlled system 🧱✅

🛡 IAM Best Practices for Beginners

  • 🔐 Don’t use the root account after setup

  • ✅ Enable MFA (Multi-Factor Authentication)

  • 🧪 Follow least privilege principle (give only what’s needed)

  • 📁 Use groups to manage users

  • 🧾 Review IAM policies regularly

  • 📚 Use AWS IAM Access Analyzer to catch issues

💬 Final Thoughts

IAM might seem intimidating, but once you get the hang of it, you’ll feel empowered—not restricted.

It’s not just about keeping hackers out. It’s about keeping your cloud organized, efficient, and safe for everyone on your team.

So next time someone asks, “What’s IAM?”, you’ll say:

"It’s the superhero security system of AWS. And I know how to use it."

🚀 Let’s Talk IAM!

Got questions about roles vs users? Want a deep dive on writing policies? Or maybe some IAM use-case scenarios?

💥 Drop a comment, hit ❤️, and share this with your cloud-curious friends. Let’s simplify AWS security together!

0
Subscribe to my newsletter

Read articles from Yash Sonawane directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWSDevopsIAMTutorial

Written by

Yash Sonawane
Yash Sonawane

DevOps & Cloud Engineer | AWS, Docker, K8s, CI/CD Writing beginner-friendly blogs to simplify DevOps for everyone.