Amazon IAM

AWS Identity and Access Management (IAM)

IAM manages permissions for AWS resources, not for the applications deployed on them.

IAM is controlled through:

  • Console
  • CLI
  • SDK


Principals

An IAM entity that is allowed to interact with AWS resources

  • permanent or temporary
  • human or application


Root user

The first identity, created together with the AWS account

IAM user

Persistent identities set up in the IAM service to represent people

Roles/Temporary Security Tokens

used to grant specific privileges to specific actors for a set duration of time

Use Cases:

  • EC2 Roles
  • Cross Account Access
  • Federation (trusted authentication system)

Amazon EC2 Roles

  • Grant the role to the resource
  • assign the role to the actor that is accessing the resource
  • Actor (Application) gets a token to send to the API without worrying about authentication

Cross Account Access

  • granting IAM users access to AWS resources in another AWS account


Federation

  • Identity repository outside AWS
  • Two types
    • OpenID (Facebook, Google, etc)
    • Security Assertion Markup Language 2.0 (SAML) (AD, LDAP, etc)


Authentication

  • authenticate a principal
  • username/password
  • access key
  • access key / session token
    • when under an assumed role


Authorization

  • after authentication, IAM must manage access of the principal
  • Policies
    • JSON doc that fully defines the set of permissions to access and manipulate AWS resources

Defining Permissions

  • Effect (Allow, Deny)
  • Service
  • Resource (ARN)
  • Action (Get, Put, List, Delete, etc)
  • Condition
    • everything (*) or specific item such as IP
    • defines restrictions that limit the action

Associating Policies with Principals

associate directly with an IAM User

  • user policy
    • entered on the console on the IAM user page
  • managed policy
    • exist independently of users
    • can be associated with many users and groups
  1. Assign policies to groups
  2. Assign users to groups
    1. these two rules will simplify management of users
  • group policy
    • assigned to groups

Multi-Factor Authentication (MFA)

extra layer of security

Rotating Keys

rotate access keys

Resolving Multiple Permissions

  1. initially denied request
  2. all policies evaluated
    1. explicit deny will deny request
  3. no explicit deny but explicit allow
    1. request is allowed
  4. no explicit allow or deny
    1. request is denied
  5. Exception: AssumeRole (is a role and a policy)
    1. Policy cannot override any permission that is denied by default in the role
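
The evaluation order in steps 1 to 4, as an added example (not part of the original notes and not AWS's own code): a simplified evaluator run over constructed policy documents. It models only Effect, Action, Resource and an IpAddress condition on aws:SourceIp; the bucket name, the sample policies and the function name `evaluate` are assumptions made for illustration, and the AssumeRole exception in step 5 is not modelled.

```python
import fnmatch
import ipaddress

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # "*" and "?" wildcards, approximated with fnmatch (a simplification).
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_ok(condition, context):
    # Only IpAddress on aws:SourceIp is modelled; listed CIDRs are OR'd.
    cidrs = _as_list(condition.get("IpAddress", {}).get("aws:SourceIp", []))
    if not cidrs:
        return True
    src = context.get("aws:SourceIp")
    if src is None:
        return False  # key missing from the request: condition does not match
    return any(ipaddress.ip_address(src) in ipaddress.ip_network(c) for c in cidrs)

def evaluate(policies, action, resource, context=None):
    context = context or {}
    decision = "ImplicitDeny"          # step 1: the request starts out denied
    for policy in policies:            # step 2: all policies are evaluated
        for stmt in _as_list(policy["Statement"]):
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)
                    and _condition_ok(stmt.get("Condition", {}), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit deny always wins
            decision = "Allow"         # step 3: explicit allow, no deny so far
    return decision                    # step 4: neither allow nor deny -> denied

# Constructed sample policies (hypothetical bucket; 203.0.113.0/24 is a
# documentation range). The Deny is listed after the Allow on purpose.
POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                    "Resource": "arn:aws:s3:::example-bucket/*"}]},
    {"Statement": [{"Effect": "Deny", "Action": "s3:*",
                    "Resource": "arn:aws:s3:::example-bucket/secret/*"}]},
    {"Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                    "Resource": "arn:aws:s3:::example-bucket/uploads/*",
                    "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
]
```

The result does not depend on the order of the policies: a matching Deny overrides an Allow seen earlier or later.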