## 📌 Overview
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. With IAM, you can create and manage AWS users, groups, roles, and policies that control access to AWS services.
## 1. ✅ What is IAM?
IAM is a web service that helps you:
- Control who is authenticated (signed in)
- Control what they are authorized to do (permissions)
- Manage users, groups, roles, and policies
IAM is global, not region-specific.
## 2. 🔐 IAM Features

| Feature | Description |
|---|---|
| Centralized control | One central account to manage permissions |
| Shared access | Grant access to multiple users/resources |
| Granular permissions | Fine-grained control using policies |
| Secure access | MFA, password policies, temporary credentials |
| Free service | No cost to use IAM |
## 3. 👥 IAM Identities

### 3.1. IAM Users
- Represents a person or service.
- Has long-term credentials (username/password, access keys).
- Assigned permissions via policies.
### 3.2. IAM Groups
- A collection of IAM users.
- Permissions assigned to the group, not individuals.
- Users inherit permissions from the group.
### 3.3. IAM Roles
- Temporary credentials using STS (Security Token Service).
- Used for cross-account access, service access, or EC2 instance access.
- Can be assumed by trusted entities (users, AWS services, federated identities).
### 3.4. IAM Identity Providers

- Enables federation.
- Supports:
  - SAML 2.0 (e.g., ADFS)
  - OpenID Connect (e.g., Cognito, Google)
  - Custom identity brokers
## 4. 📜 IAM Policies

### 4.1. What is a Policy?

A JSON document that defines permissions.

### 4.2. Types of Policies

| Type | Attached to | Purpose |
|---|---|---|
| Identity-based | User, Group, Role | Allow/Deny permissions |
| Resource-based | Resources (e.g., S3 Bucket) | Attach permissions directly |
| Permissions boundaries | IAM Users or Roles | Sets maximum permissions |
| SCPs (Service Control Policies) | AWS Organizations | Control permissions across accounts |
| Session policies | STS temporary sessions | Limit session-specific permissions |
### 4.3. Policy Structure

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```

- Effect: Allow or Deny
- Action: what action is allowed (e.g., `ec2:StartInstances`)
- Resource: ARN of the resource
## 5. 🛡️ IAM Permissions Boundaries
- A managed policy that acts as a boundary.
- Restricts maximum permissions a role/user can have.
- Useful in delegated admin scenarios.
## 6. 🆚 IAM Roles vs IAM Users

| Feature | IAM User | IAM Role |
|---|---|---|
| Use case | Long-term access | Temporary access |
| Credentials | Password/Access Keys | Temporary via STS |
| Trusted entity | N/A | Defined in trust policy |
| MFA | Supported | Supported (when assumed by user) |
| Use from EC2 | No | Yes |
## 7. 🧠 IAM Best Practices (AWS Recommended)
- Use least privilege principle.
- Enable MFA for all users.
- Use roles instead of root credentials.
- Use IAM roles for EC2, not access keys.
- Rotate credentials regularly.
- Use groups to assign permissions to users.
- Restrict use of root account.
## 8. 🧮 IAM Policy Evaluation Logic

- By default: all requests are implicitly denied.
- Explicit allow: grants access.
- Explicit deny: overrides any allow.

Evaluation order:

1. Check whether the request is explicitly denied – if yes, access is denied.
2. If not denied, check for an explicit allow – if yes, access is granted.
3. If there is neither an allow nor a deny – implicit deny.
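The evaluation order above, together with the policy structure from section 4.3 and the permissions boundary from section 5, carried through in working code. This is an added example, not AWS's evaluator and not code from the original notes: it handles `Action`/`NotAction`, `Resource`/`NotResource` and IAM wildcards, but not `Condition` elements, resource-based policies or SCPs. The `PUT_OBJECT_POLICY` document is the one from section 4.3; the deny policy and the boundary are constructed for the example.

```python
"""Simplified IAM policy evaluation (added example, not AWS's own evaluator).

Implements the evaluation order from the notes for identity-based policies
(explicit deny beats any allow; no matching allow means implicit deny) and
applies a permissions boundary as a cap on what the identity policies grant.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _match_action(patterns, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _match_resource(patterns, resource):
    # Resource ARNs are case-sensitive.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def statement_effect(stmt, action, resource):
    """Return 'Allow', 'Deny', or None when the statement does not apply."""
    if "NotAction" in stmt:
        action_hit = not _match_action(stmt["NotAction"], action)
    else:
        action_hit = _match_action(stmt.get("Action"), action)
    if "NotResource" in stmt:
        resource_hit = not _match_resource(stmt["NotResource"], resource)
    else:
        resource_hit = _match_resource(stmt.get("Resource"), resource)
    if action_hit and resource_hit:
        return stmt["Effect"]
    return None


def evaluate(policies, action, resource):
    """Decision across a set of identity policies: ExplicitDeny, Allow or ImplicitDeny."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            effect = statement_effect(stmt, action, resource)
            if effect == "Deny":
                return "ExplicitDeny"  # an explicit deny ends evaluation immediately
            if effect == "Allow":
                decision = "Allow"     # keep scanning: a later deny would still win
    return decision


def is_allowed(identity_policies, action, resource, boundary=None):
    """Final answer: the identity policies must allow AND the boundary (if any) must allow."""
    if evaluate(identity_policies, action, resource) != "Allow":
        return False
    if boundary is not None and evaluate([boundary], action, resource) != "Allow":
        return False  # the boundary only caps permissions; it never grants any
    return True


# The policy document from section 4.3 of the notes.
PUT_OBJECT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                   "Resource": "arn:aws:s3:::my-bucket/*"}],
}

# Constructed: an explicit deny on a protected prefix in the same bucket.
DENY_SECRET_PREFIX = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:*",
                   "Resource": "arn:aws:s3:::my-bucket/secret/*"}],
}

# Constructed: a permissions boundary that only ever permits S3 read operations.
READ_ONLY_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}],
}


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/reports/q1.csv"
    print(is_allowed([PUT_OBJECT_POLICY], "s3:PutObject", obj))    # True: explicit allow
    print(is_allowed([PUT_OBJECT_POLICY], "s3:GetObject", obj))    # False: implicit deny
    print(is_allowed([PUT_OBJECT_POLICY, DENY_SECRET_PREFIX], "s3:PutObject",
                     "arn:aws:s3:::my-bucket/secret/key.pem"))     # False: explicit deny wins
    print(is_allowed([PUT_OBJECT_POLICY], "s3:PutObject", obj,
                     boundary=READ_ONLY_BOUNDARY))                 # False: capped by the boundary
```

The last call is the exam point from section 5 in one line: the identity policy allows `s3:PutObject`, but because the boundary does not, the effective permission is denied; the boundary sets the maximum, it does not add anything.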
## 9. 🔍 IAM Access Analyzer

IAM Access Analyzer helps:

- Identify resources shared with external entities.
- Monitor external access to:
  - S3 buckets
  - KMS keys
  - IAM roles
  - Lambda functions
  - Secrets Manager secrets
## 10. 💼 IAM in Practice – Use Cases

### 10.1. EC2 Instance Role

- Attach a role to the EC2 instance to grant access to S3 or other services without storing long-term access keys on the instance.
### 10.2. Cross-Account Role Access
- Role created in Account A
- Trusted entity: Account B
- User in Account B assumes role to access Account A’s resources
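The cross-account pattern above as a concrete trust policy, plus the kind of check IAM Access Analyzer (section 9) performs: listing the principals in a trust or resource policy that sit outside the owning account. This is an added example written for these notes, not Access Analyzer and not AWS code. The two account IDs are constructed placeholders, and the audit ignores `Condition` elements, so a finding means "review this grant", not "this is definitely reachable".

```python
"""Cross-account trust policy builder and an external-principal audit (added example).

Not IAM Access Analyzer and not AWS code. Account IDs below are constructed.
"""
import json

ACCOUNT_A = "111111111111"  # constructed: the account that owns the role
ACCOUNT_B = "222222222222"  # constructed: the account allowed to assume it


def cross_account_trust_policy(trusted_account, require_mfa=True):
    """Trust policy for a role in Account A that principals in Account B may assume."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # Only callers whose session was established with MFA may assume the role.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _account_of(aws_principal):
    """Account ID for an AWS principal string: an ARN, a bare 12-digit ID, or '*'."""
    if aws_principal == "*":
        return "*"
    if aws_principal.startswith("arn:"):
        return aws_principal.split(":")[4]  # arn:partition:iam::ACCOUNT:...
    return aws_principal


def external_principals(policy, owner_account):
    """Return (statement index, principal) pairs for Allow statements that grant
    access to anyone outside owner_account. Conditions are not evaluated."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((index, "*"))  # anonymous / public access
            continue
        if not isinstance(principal, dict):
            continue  # no Principal element (identity-based policy) -> nothing to audit
        aws = principal.get("AWS", [])
        for p in (aws if isinstance(aws, list) else [aws]):
            if _account_of(p) != owner_account:
                findings.append((index, p))
        federated = principal.get("Federated", [])
        for p in (federated if isinstance(federated, list) else [federated]):
            findings.append((index, p))  # identities come from an external IdP
        # AWS service principals (e.g. ec2.amazonaws.com for an instance role)
        # are not external accounts and are deliberately not reported.
    return findings


def main():
    trust = cross_account_trust_policy(ACCOUNT_B)
    print(json.dumps(trust, indent=2))
    for index, principal in external_principals(trust, ACCOUNT_A):
        print(f"statement {index}: external principal {principal}")


if __name__ == "__main__":
    main()
```

Audited from Account A's point of view, the generated trust policy produces exactly one finding (Account B's root principal), which is the intended cross-account grant; the same check run over an EC2 instance role's trust policy, whose principal is the `ec2.amazonaws.com` service, produces none.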
### 10.3. Federated Access (SSO)
- External identity provider (Google, ADFS) integrates via SAML or OIDC.
- IAM Role mapped to users/groups.
## 11. 🧾 Exam Tips and Summary

### ✅ Key Points to Remember
- IAM is global.
- Root account should never be used regularly.
- Roles are temporary, users are long-term.
- Policy evaluation logic: explicit deny always wins.
- Use IAM Access Analyzer to audit access.
- You can’t attach resource-based policies to all resources (e.g., EC2).
- Permissions boundaries control max permissions, not actual permissions.
- Identity federation allows SSO.
### 🔍 Common Exam Questions
- Difference between IAM roles and users
- Policy evaluation logic
- Federated access vs cross-account roles
- Accessing AWS resources from EC2 securely
- Using IAM policies to restrict or allow actions on specific services or resources
### 📚 Final Notes
Understanding IAM deeply is crucial for the AWS Solutions Architect Associate exam. IAM plays a foundational role in securing AWS workloads. Practice creating users, roles, and policies using the AWS Console and CLI.