What you need to know about Amazon’s IAM Service

What you need to know about Amazon’s IAM Service

Introduction to Amazon IAM

Play this article


In today’s digital world security is of paramount importance. In order to have a truly proactive defense against malicious actors you need a layered approach. The beauty of the cloud is that part of this is abstracted away by the cloud provider. Both your organization and Amazon’s responsibilities are explained under Amazon’s shared responsibility model. Things like the physical servers, the data center, etc. fall to Amazon. Today we’re going to look at some of the ways to handle your responsibilities in the model. Introducing Amazon’s IAM service. IAM is an acronym for Identity Access Management and is a service that allows you to securely control and manage your resources on the AWS cloud.

What is it and how it works?

IAM service works across all AWS services and gives you the power to allow or deny access to your services and resources. Through the use of “policies” IAM web service administers permissions for your organization. Permissions should be allocated following the principle of least privilege. Least Privilege is bestowing only those permissions required to perform a task. IAM accomplishes this with these features: Granular permissions, multi-factor authentication (MFA), PCI DSS Compliance, Identity federation, etc. IAM allows for creating entities called Users, Roles and Groups to which permission can be added. IAM web service is free to use. It can be accessed in the same ways as most AWS services namely AWS Management Console, AWS Command Tools, AWS SDKs and the IAM HTTPS API.

IAM User

A User is an entity that can interact with AWS services and resources. Every IAM User is associated with one AWS account. A User can be thought of as equivalent to one real world person or a workload using an AWS service. Permissions must be added for Users to perform tasks. You can also take the approach of adding Users to Groups and attaching permissions to those Groups (This is best practice). Users can be moved between groups as a member of your organization may transition between teams. Best practices advise you to give human users temporary credentials for specific tasks through federation with an identity provider. All IAM users are made up of a name and credentials. Depending on how a user’s credentials are set up will determines how it will access AWS. The different ways include access keys, console passwords, server certificates, or ssh keys for codecommit. Also, take note that by default a user has no permission.

IAM Groups

An IAM group is a collection of users. Users can belong to multiple groups. Groups can’t be nested. Groups make managing permissions a lot easier. There aren’t any default user groups. IAM groups can have Identity-based policies.

IAM Roles

IAM roles are similar to IAM users except that roles are to be assumed by anyone. Roles provide temporary credentials instead of permanent credentials. You can use roles to delegate access to resources. Roles can be used together as role chaining where you use a role to assume a second role through the AWS CLI or API. Roles can be used for Federation which is the creation of a trust relationship between an AWS and an external identity provider. IAM roles can use a Trust policy a JSON policy document used to define the principals that you trust to assume the role. There is also a Permissions policy which is a JSON document you use to define what actions and resources the role can use. Permissions policies are written according to the rules of the IAM policy language. Principal is also an important concept and is the entity that can be an AWS account root user, an IAM user, or a role. Roles can be used to cross-account access.

AWS Identity and Access Management Access Analyzer

Access Analyzer helps you identify the resources in your organization and accounts that are shared with an external entity. If you enable Access Analyzer, you create an analyzer for your entire organization or your account. IAM Access Analyzer analyzes various resource types. Access Analyzer will generate reports of its findings. You can validate policies using Access Analyzer policy checks. Validation check findings can include security warnings, errors, general warnings, and suggestions for your policy


IAM is a super important service to help you control access to your resources and manage credentials. Its proper implantation in your architecture is a must and a requirement for working with AWS in the cloud. Hopefully, this article gives you the basics needed to dive deeper into the documentation.