Understanding the Basics of IAM for DevOps and Cloud Security

What is IAM?
IAM stands for Identity and Access Management. It is like a central manager that helps you control who can enter your cloud account, which AWS resources they can access, and what they can do once inside.
Identity
IAM helps you manage the identities (like usernames or service accounts) that can interact with your AWS resources.
Access
It determines what actions (like reading, writing, or deleting data) each identity is allowed to perform on AWS services.
Features of IAM
Control Who Does What
IAM lets you decide who can access AWS resources and what they can do with them.
Extra Security with MFA
You can add an extra layer of security by requiring users to use a second form of verification, like a smartphone app, along with their password.
Simplify Access for Services
IAM allows AWS services to access other services securely, reducing the need for long-lived secret keys.
Fine-Tune Permissions
You can specify exactly what each user or group can access, ensuring they only have the permissions they need.
Access Advisor Insights
IAM provides insights into permissions, helping you see what users and services are actually using and adjust permissions accordingly.
IAM Identities
IAM identities are categorized into three types:
IAM Users
IAM Groups
IAM Roles
IAM Users
IAM users are individual entities within your AWS account. They can be human users, applications, or services that need to interact with your AWS resources.
Identification: Each IAM user has a unique username.
Access Credentials: Users can have passwords (for console access) or access keys (for CLI/API access).
Permissions: Policies define what actions users can perform.
MFA: Adds an extra layer of security with a smartphone app or hardware token.
IAM Groups
IAM groups are collections of IAM users with similar permissions.
Group Membership: Users can belong to multiple groups.
Policy Attachment: Policies are attached to groups; users inherit these permissions.
Efficiency: Easily manage permissions for multiple users at once.
IAM Roles
IAM roles are used to grant temporary access to AWS services or trusted entities.
Trust Relationships: Define which entities or services can assume the role.
Temporary Permissions: Valid only for a short time.
Cross-Account Access: Useful for collaboration across AWS accounts.
Policies
IAM roles are defined by two types of policies:
Permission Policy
Specifies what the role can do (e.g., s3:GetObject). Attached directly to the role. Includes: Effect, Action, Resource.
Trust Policy
Specifies who can assume the role (e.g., EC2, another user/account).
Creating IAM Roles
Step 1: Go to IAM > Roles > Create Role
Choose trusted entity (e.g., EC2, Lambda, another account)
Step 2: Attach Trust & Permission Policies
Use JSON format to define:
Trust Policy (who can assume the role)
Permission Policy (what the role can do)
Step 3: Add Role Name & Description
Name your role clearly (e.g., EC2-S3-ReadOnly-Role) and create it.
Step 4: Assign the Role
Attach the role to an EC2 instance, Lambda function, or allow users to switch to it.
Summary
IAM is a core part of AWS security
Use IAM users for individual access
Use groups to manage permissions at scale
Use roles for temporary, secure access (including cross-account)
Always enforce MFA and least privilege
IAM gives you the power to control access, reduce risk, and meet the security responsibilities that are critical in every DevOps and cloud role.
Written by sivasai papani
