Overview
AWS Identity and Access Management (IAM) is a global service (it is not scoped to a region) that controls access to AWS services and resources. It answers two questions for every request: who is making it (authentication) and whether that identity is allowed to perform that action on that resource (authorization).
Core Concepts
- Root Account – Created when you sign up for AWS and identified by the account's email address. It has unrestricted permissions that IAM policies cannot limit, so use it only for initial setup and the few tasks that require it, protect it with MFA, do not create access keys for it, and never share its credentials.
- Users – Represent individual people or applications that need to interact with AWS. Each user can hold long-term credentials: a console password and up to two access keys (access key ID plus secret access key) for the CLI and API.
- Groups – Logical collections of IAM users. Permissions attached to a group apply to every user in it. Groups cannot contain other groups and are not principals themselves: a group cannot sign in and cannot be named as the Principal in a resource-based policy.
- User-to-Group Relationships – A user can belong to multiple groups or none at all. Groups help manage permissions at scale.
Best Practices
- Require MFA for every identity that can sign in to the console, the root user first.
- Follow the Principle of Least Privilege: grant only the specific actions on the specific resources a task needs, and remove permissions that go unused.
- Attach permissions to groups and place users in groups rather than attaching policies to individual users, so access changes in one place.
- Rotate access keys and passwords on a schedule and delete credentials that are no longer used; the IAM credential report lists every user's credentials with their last-rotated and last-used dates, which is the data an audit needs.
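The following script is an added example, not part of the original notes or of any AWS tooling. It audits an IAM credential report (the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report` returns) for the conditions the practices above call out: missing MFA, access keys on the root account, stale key rotation, and credentials nobody has used. The column names are those of the real report; the sample rows, the fixed "now" date, and the 90-day rotation and 45-day inactivity thresholds are constructed assumptions chosen so the example runs offline.

```python
"""Audit an IAM credential report for missing MFA and stale or unused credentials.

Added example (not from the original notes). Column names follow the real
AWS credential report; the sample rows, NOW, and the thresholds are assumptions.
"""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 45      # assumed inactivity threshold before a credential is "unused"

# Constructed sample in the credential-report layout (a subset of its columns).
# The root row really does report password_enabled as "not_supported".
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-05T10:00:00+00:00,not_supported,2024-05-01T09:12:00+00:00,not_supported,false,true,2022-01-05T10:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T08:00:00+00:00,true,2024-05-28T14:03:00+00:00,2024-03-01T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-29T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-06-01T08:00:00+00:00,true,2023-11-02T09:00:00+00:00,2023-06-01T08:00:00+00:00,false,true,2023-06-01T08:00:00+00:00,2024-01-10T00:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2023-09-12T08:00:00+00:00,false,no_information,N/A,false,true,2023-09-12T08:00:00+00:00,2024-05-30T01:00:00+00:00,true,2024-05-20T00:00:00+00:00,N/A
"""

# Fixed reference time so the findings are deterministic (assumption for the example).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _age_days(cell, now):
    """Days since the timestamp in a report cell, or None for N/A-style placeholders."""
    if cell in ("N/A", "no_information", "not_supported", ""):
        return None
    return (now - datetime.fromisoformat(cell)).days


def audit_credential_report(report_csv, now=NOW,
                            max_key_age=MAX_KEY_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return {user: [finding, ...]}; an empty list means the user passed every check."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        # Root always has a console password even though the report says not_supported.
        has_console = is_root or row["password_enabled"] == "true"
        issues = []

        # MFA on every identity that can sign in to the console, root first.
        if has_console and row["mfa_active"] != "true":
            issues.append("mfa-missing")

        # Root should hold no access keys; programmatic work belongs to IAM users.
        if is_root and "true" in (row["access_key_1_active"], row["access_key_2_active"]):
            issues.append("root-access-key")

        # A console password nobody has used inside the idle window is a removal candidate.
        if has_console:
            idle = _age_days(row["password_last_used"], now)
            if idle is None or idle > max_idle:
                issues.append("password-unused")

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = _age_days(row[f"access_key_{n}_last_rotated"], now)
            if age is not None and age > max_key_age:
                issues.append(f"key{n}-stale-rotation")
            # A key that has never been used is judged by its age, so a key created
            # a few days ago during a rotation is not flagged as unused.
            idle = _age_days(row[f"access_key_{n}_last_used_date"], now)
            if idle is None:
                idle = age
            if idle is None or idle > max_idle:
                issues.append(f"key{n}-unused")

        findings[user] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(f"{user:14s} {'OK' if not issues else ', '.join(issues)}")
```

Against a real account, replace `SAMPLE_REPORT` with the decoded `Content` field of `get-credential-report` and drop the fixed `NOW`; the checks are the same. A user such as `ci-deploy` with no console password is not flagged for MFA because MFA protects console sign-in, while its old access key still surfaces as a rotation finding.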