AWS IAM overview

Identity Access Management

This post covers all one needs to know about IAM with respect to "AWS Certified Solutions Architect - Associate".  The post is summary of concepts involved in IAM - An introduction to AWS IAM
  • User: End user (people or program)
  • Groups: A collection of users under one set of permissions
  • Roles: We create roles and assign them to AWS resources
  • Policies: A document that defines permissions
IAM is universal.  Account setup when first created AWS account is root account and it has admin access.  Always enable MFA on root account.

One can group users in a group and attach a policy to the group.  Individual users can also have policy attached.  Policy gives users access to AWS services & resources. If I am a root user; then I can go to IAM console and create more users.  I will create user name and password and attach a policy to them.  For example, I can create a user to only view Cloudwatch logs.  A user (individual) will use access type “AWS Management Console access” using password

AWS services in itself need access to other AWS services, such as 
  • Java program or third party applications (New Relic, WordPress, Site 24*7, and so on) will use access type “Programmatic access” that is using access key ID and secret access key for AWS API, CLI, SDK, etc. 
  • An EC2 instance will need IAM role to download package from S3
  • Each Lambda function has an IAM role (execution role) associated with it, specified while creating Lambda. If Lambda function code wants to access other AWS resources, such as reading an object from an S3 bucket or writing logs to CloudWatch Logs, we need to grant permissions for relevant Amazon S3 and CloudWatch actions to the role.
Roles (with attached policy) allow AWS services to access other AWS services

A very good explanation on IAM is available in "Module 2 Domain 2 Security" of course "Exam Readiness: AWS Certified Developer – Associate (Digital)" on

IAM User – Represents a person or a service
  • Is authenticated (through credentials)
    • User name and password
    • Access Key and secret key

IAM Group – Is a collection of IAM users
  • Can specify permissions for multiple users
  • Is easier to manage 

IAM Role – Is a set of permissions that grant access to actions and resources in AWS
  • Instead of being uniquely associated to one person, a role is intended to be assumed by anyone who needs it
  • Roles does have passwords or access keys associated with it instead If a user assumes a role then temporary security credentials are created dynamically and provided to that user
  • Can delegate access to IAM users, applications, and services that don’t normally have access to your AWS resources, such as, grant access to user in one account to resources in other account.  We don’t want to allow mobile to store keys instead use roles.  In similar, users not defined in IAM instead defined in Corporate directory can be assigned roles. 

IAM Policy – Defines authorization (granting permissions)