Module 2 of 13 · AWS Fundamentals · Beginner

IAM & Security

Duration: 50 min

AWS Identity and Access Management (IAM) is the foundation of AWS security. Every AWS API call, whether it comes from the console, the CLI or an SDK, is authorized by IAM: it decides which principal may perform which action on which resource. Understanding IAM is critical for securing your AWS environment and for applying the principle of least privilege.

IAM Core Concepts

Users are individual identities with long-term credentials. A user can have programmatic access (an access key ID and secret access key) and/or console access (a password). Because access keys never expire on their own, prefer roles or federated sign-in through IAM Identity Center for people, and reserve IAM users for the few cases that genuinely need long-lived keys.

Groups are collections of users with shared permissions. Instead of assigning policies to individual users, you assign them to groups for easier management.

Roles are identities that are assumed rather than logged into: a role has no long-term credentials, and whoever assumes it receives temporary credentials from AWS STS. Services such as EC2 or Lambda assume roles to access other AWS resources, and roles are also the standard mechanism for cross-account access.

Policies are JSON documents defining permissions. Each statement specifies an Effect (Allow or Deny), the Actions it covers and the Resources they apply to, optionally narrowed by a Condition. Policies can be attached to users, groups or roles. When a request is evaluated, an explicit Deny in any applicable policy overrides every Allow, and a request that nothing allows is implicitly denied.

Principle of Least Privilege

Grant each identity only the minimum permissions needed for its job. This limits the blast radius if its credentials are compromised. Start restrictive and add permissions as they are actually needed, then review them periodically: IAM's last-accessed information shows which granted services a user or role has never used.
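A quick way to catch the grants that violate least privilege before they reach an account is to lint the policy document. The following Python is an added example for this module (not the course's own code): it flags Allow statements that use "*" or "service:*" actions, an unconditioned "*" resource, or NotAction/NotResource, which grant everything except the listed items. The two policy documents are constructed for the example; my-bucket is a placeholder bucket name.

```python
from typing import Any

# Constructed example policies (not taken from any real account).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/*"}
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}


def _as_list(value: Any) -> list:
    """IAM lets Statement/Action/Resource be a single item or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad(policy: dict) -> list[str]:
    """Return one human-readable finding per over-broad grant in an Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow permissions, never widen them
        where = f"statement {i}"
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{where}: NotAction/NotResource allows everything except the listed items")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{where}: Action '*' allows every API call")
            elif action.endswith(":*"):
                service = action.split(":", 1)[0]
                findings.append(f"{where}: Action '{action}' allows every {service} operation, "
                                "including destructive and permission-changing ones")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" and "Condition" not in stmt:
                findings.append(f"{where}: Resource '*' with no Condition applies to every resource")
    return findings


if __name__ == "__main__":
    for name, doc in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_overbroad(doc) or "no findings")
```

Run it against a policy before `put-user-policy` or `put-role-policy`; an empty result means no wildcard grants, not that the remaining actions are all necessary, so the linter complements a review rather than replacing it.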

MFA and Security Best Practices

Multi-Factor Authentication (MFA) adds a second verification layer. Even if a password is compromised, an attacker still needs the MFA device. Enable MFA for every human user, above all for the root user and for anyone with administrative access; a policy condition on the aws:MultiFactorAuthPresent context key can additionally deny API calls that were made without MFA.

Never use the root user for daily work. Create IAM users or roles with specific permissions instead. The root user has unrestricted access that identity-based policies cannot restrict, so it should only be used for account setup and the handful of tasks that require it; protect it with MFA and do not create access keys for it.
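To see how the policy evaluation rules above (explicit Deny beats Allow, anything unmatched is implicitly denied) combine with an MFA condition, here is a small evaluator written for this module as an added example; it is not AWS code and does not reproduce the full IAM evaluation logic. It handles Action, Resource and Condition with the Bool, StringEquals and StringNotEquals operators and their IfExists variants. The two policies and the bucket name my-bucket are constructed for the example; MFA_DENY is the usual "deny everything unless MFA was used" statement.

```python
import fnmatch
from typing import Any, Optional

# Constructed policies for this example. READ_POLICY grants read access to one
# bucket. MFA_DENY blocks every call made without MFA: BoolIfExists makes a
# missing aws:MultiFactorAuthPresent key (a request signed with plain access
# keys) count as "no MFA", which is why AWS recommends it for this statement.
READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}

MFA_DENY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}


def _as_list(value: Any) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str, case_insensitive: bool = False) -> bool:
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_met(condition: dict, ctx: dict) -> bool:
    """Every operator/key pair must hold; a missing key only passes IfExists operators."""
    for operator, pairs in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[: -len("IfExists")] if if_exists else operator
        for key, expected in pairs.items():
            if key not in ctx:
                if if_exists:
                    continue
                return False
            actual = str(ctx[key])
            wanted = [str(e) for e in _as_list(expected)]
            if base == "Bool":
                ok = actual.lower() in [w.lower() for w in wanted]
            elif base == "StringEquals":
                ok = actual in wanted
            elif base == "StringNotEquals":
                ok = actual not in wanted
            else:
                raise NotImplementedError(f"condition operator {operator}")
            if not ok:
                return False
    return True


def evaluate(policies: list, action: str, resource: str,
             context: Optional[dict] = None) -> str:
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    An explicit Deny in any matching statement wins regardless of order; otherwise
    any matching Allow grants the request; otherwise it is implicitly denied.
    NotAction/NotResource statements are not handled.
    """
    ctx = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if not _matches(stmt.get("Action"), action, case_insensitive=True):
                continue  # action names are case-insensitive in IAM
            if not _matches(stmt.get("Resource", "*"), resource):
                continue  # ARNs are compared as written here
            if not _condition_met(stmt.get("Condition", {}), ctx):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::my-bucket/report.csv"
    print(evaluate([READ_POLICY], "s3:GetObject", obj))              # Allow
    print(evaluate([READ_POLICY, MFA_DENY], "s3:GetObject", obj))    # Deny: no MFA in context
    print(evaluate([READ_POLICY, MFA_DENY], "s3:GetObject", obj,
                   {"aws:MultiFactorAuthPresent": "true"}))           # Allow
```

The order of the policies in the list does not matter, which is the point: once a Deny applies, no Allow anywhere can rescue the request. The same holds in a real account, where the Deny might live in a different policy, a permissions boundary or a service control policy.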

Hands-On: Create IAM User and Policy

Create a new IAM user:

aws iam create-user --user-name developer-user

Create an access key for programmatic access. The SecretAccessKey in the response is shown only this once; store it in a secrets manager and never paste it into source control, tickets or chat:

aws iam create-access-key --user-name developer-user

Attach an AWS managed policy (S3 read-only):

aws iam attach-user-policy --user-name developer-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create a custom inline policy scoped to one bucket. Bucket-level actions such as s3:ListBucket apply to the bucket ARN, while object-level actions apply to the object ARN (bucket/*), so a working least-privilege policy names both and lists the actions explicitly instead of using s3:*:

aws iam put-user-policy --user-name developer-user \
  --policy-name s3-specific-bucket \
  --policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::my-bucket"
      },
      {
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my-bucket/*"
      }
    ]
  }'

List the user's inline policies (managed policies attached to the user are listed separately with list-attached-user-policies):

aws iam list-user-policies --user-name developer-user

IAM Roles for Services

Create a role for EC2 to access S3. The assume-role policy document is the role's trust policy: it states who may assume the role, here only the EC2 service:

aws iam create-role --role-name ec2-s3-access \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
    ]
  }'

Attach a permissions policy to the role. AmazonS3FullAccess grants every S3 action on every bucket in the account; for a real workload, replace it with a policy scoped to the bucket and actions the instance needs. To use the role on an instance it must also be placed in an instance profile (create-instance-profile, then add-role-to-instance-profile):

aws iam attach-role-policy --role-name ec2-s3-access \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
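The same procedure as a reusable script, added here as an example that is not part of the course: it builds the trust policy shown above, uses an inline policy scoped to a single bucket instead of the full-access managed policy, and includes the instance-profile step that the CLI commands above do not show. The DryRunIam class, the role name ec2-s3-access and the bucket name my-bucket are assumptions made for the example. With boto3 installed and credentials configured the script provisions a real role; without boto3 it records the API calls it would make, which is also how the logic can be reviewed before it touches an account.

```python
import json
from typing import Any

try:
    import boto3  # real SDK; only needed for the live run at the bottom
except ImportError:  # not required to read or test the provisioning logic
    boto3 = None


def trust_policy_for_ec2() -> dict:
    """Who may assume the role: only the EC2 service, on behalf of instances."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def read_only_bucket_policy(bucket: str) -> dict:
    """What the role may do: list and read one bucket, nothing else."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListBucket", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Sid": "ReadObjects", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
        ],
    }


class DryRunIam:
    """Hypothetical stand-in for a boto3 IAM client: records each call instead of making it."""

    def __init__(self) -> None:
        self.calls: list[tuple[str, dict]] = []

    def __getattr__(self, name: str):
        def call(**kwargs: Any) -> dict:
            self.calls.append((name, kwargs))
            return {}
        return call


def provision_ec2_role(iam: Any, role_name: str, bucket: str) -> dict:
    """Create the role, its scoped inline policy, and the instance profile EC2 needs.

    `iam` is a boto3 IAM client or a DryRunIam. The method and parameter names are
    the real boto3 ones. Returns the documents that were sent so a caller can review them.
    """
    trust = trust_policy_for_ec2()
    perms = read_only_bucket_policy(bucket)
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(trust))
    iam.put_role_policy(RoleName=role_name, PolicyName=f"{bucket}-read-only",
                        PolicyDocument=json.dumps(perms))
    # A role cannot be attached to an instance directly: EC2 delivers the role's
    # temporary credentials to the instance through an instance profile.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return {"role": role_name, "instance_profile": role_name,
            "trust_policy": trust, "permissions_policy": perms}


if __name__ == "__main__":
    client = boto3.client("iam") if boto3 else DryRunIam()
    result = provision_ec2_role(client, "ec2-s3-access", "my-bucket")
    print(json.dumps(result, indent=2))
    if isinstance(client, DryRunIam):
        print("dry run, calls that would be made:", [name for name, _ in client.calls])
```

When the instance is launched, the instance profile name (here the same as the role name) is what goes in the launch request; the instance then obtains rotating temporary credentials from the instance metadata service, so no access key ever needs to be copied onto it.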

Python Boto3 Example

import boto3

# Requires AWS credentials configured for an identity allowed to manage IAM users
iam = boto3.client('iam')

# Create user (raises iam.exceptions.EntityAlreadyExistsException if it exists)
iam.create_user(UserName='app-user')

# Create access key. This response is the only time AWS returns the
# SecretAccessKey: hand it to a secrets manager, never print or log it.
response = iam.create_access_key(UserName='app-user')
print(f"Access Key: {response['AccessKey']['AccessKeyId']}")

# Attach an AWS managed read-only policy, scoped to the EC2 service
iam.attach_user_policy(
    UserName='app-user',
    PolicyArn='arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess'
)

Quiz 1

❓ What is the principle of least privilege?

Quiz 2

❓ What is the purpose of IAM Roles?

Quiz 3

❓ When should you use the AWS root account?

Quiz 4

❓ What does MFA provide?

Quiz 5

❓ What is an IAM Group used for?

