Day-2 | What is IAM?
IAM is an AWS service that helps you securely control access to AWS resources.
In simple words: Who can access AWS + What they can do
Core IAM Components
1. IAM Users
Represents a person or application
Has login credentials
Example: bipul-admin, jenkins-user
2. IAM Groups
Collection of users
Permissions assigned once to the group
Example: DevOps-Team, ReadOnly-Users
3. IAM Policies
JSON documents that define permissions
Example (a complete policy with one statement that allows listing any bucket):

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "*"
  }]
}
```
IAM Best Practices (Interview + Real Work)
✅ Never use the root user
✅ Enable MFA
✅ Follow least privilege
✅ Use Roles instead of access keys
✅ Rotate credentials regularly
Hands-on Task (Do This Today)
1. Log in to the AWS Console.
2. Go to IAM.
3. Create one IAM User (test-user-221).
4. Create one IAM Group (bipul-cloud-admin): click on User groups and create the group. Note that a newly created group has no default policy attached.
5. Attach AmazonS3ReadOnlyAccess: open the group (bipul-cloud-admin), go to Permissions, click Add permissions, then search for AmazonS3ReadOnlyAccess and select it.
6. Add the user to the group. Compare the user's permissions before and after adding it to the group: the user now inherits AmazonS3ReadOnlyAccess from the group.
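The same hands-on task, driven through the IAM API instead of the console. This is an added example, not code from the post: when run for real it uses boto3 (the AWS SDK for Python) with whatever credentials your environment provides, and it ships with a small recording stand-in (constructed here, not an AWS API) so the call sequence and the before/after checks can be exercised offline. The user, group and policy names are the ones from the task above; `arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess` is the ARN of the AWS managed policy.

```python
"""Provision the Day-2 hands-on task via the IAM API (added example, not the post's code).

Mirrors the console clicks: create user -> create group -> confirm the
group has no policies yet -> attach AmazonS3ReadOnlyAccess to the group ->
add the user to the group -> confirm the user now belongs to the group.
"""

USER_NAME = "test-user-221"        # user name from the post
GROUP_NAME = "bipul-cloud-admin"   # group name from the post
POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"  # AWS managed policy


class RecordingIAM:
    """Offline stand-in for a boto3 IAM client (constructed for dry runs).

    It records every write call and answers the two read calls the script
    uses with the same response shapes boto3 returns.
    """

    def __init__(self):
        self.calls = []
        self._group_policies = {}   # group name -> [policy ARN]
        self._user_groups = {}      # user name -> [group name]

    def create_user(self, UserName):
        self.calls.append(("create_user", UserName))
        return {"User": {"UserName": UserName}}

    def create_group(self, GroupName):
        self.calls.append(("create_group", GroupName))
        self._group_policies.setdefault(GroupName, [])
        return {"Group": {"GroupName": GroupName}}

    def list_attached_group_policies(self, GroupName):
        return {"AttachedPolicies": [{"PolicyArn": arn}
                                     for arn in self._group_policies.get(GroupName, [])]}

    def attach_group_policy(self, GroupName, PolicyArn):
        self.calls.append(("attach_group_policy", GroupName, PolicyArn))
        self._group_policies.setdefault(GroupName, []).append(PolicyArn)
        return {}

    def add_user_to_group(self, GroupName, UserName):
        self.calls.append(("add_user_to_group", GroupName, UserName))
        self._user_groups.setdefault(UserName, []).append(GroupName)
        return {}

    def list_groups_for_user(self, UserName):
        return {"Groups": [{"GroupName": g} for g in self._user_groups.get(UserName, [])]}


def group_policy_arns(iam, group):
    return [p["PolicyArn"] for p in iam.list_attached_group_policies(GroupName=group)["AttachedPolicies"]]


def user_group_names(iam, user):
    return [g["GroupName"] for g in iam.list_groups_for_user(UserName=user)["Groups"]]


def provision(iam, user=USER_NAME, group=GROUP_NAME, policy_arn=POLICY_ARN):
    """Run the task against any client exposing the boto3 IAM method names."""
    iam.create_user(UserName=user)
    iam.create_group(GroupName=group)
    # "Note no default policy added": a fresh group has nothing attached.
    policies_before = group_policy_arns(iam, group)
    # Permissions go on the group, never directly on the user.
    iam.attach_group_policy(GroupName=group, PolicyArn=policy_arn)
    groups_before = user_group_names(iam, user)
    iam.add_user_to_group(GroupName=group, UserName=user)
    return {
        "group_policies_before": policies_before,
        "group_policies_after": group_policy_arns(iam, group),
        "user_groups_before": groups_before,
        "user_groups_after": user_group_names(iam, user),
    }


if __name__ == "__main__":
    import boto3  # real run only; the offline stand-in needs no SDK
    print(provision(boto3.client("iam")))
```

Running it for real needs IAM write permissions (create/attach/add), so do it from an admin identity protected by MFA, not from the user you are creating.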
AWS IAM Deep Dive: Users, Groups, Roles, and Policies
Identity and Access Management (IAM) is the security backbone of AWS. Every action in AWS is evaluated through IAM before it is allowed or denied. Understanding IAM deeply is critical for Cloud, DevOps, and SRE roles.
1. IAM Users
What is an IAM User?
An IAM User represents a human or application identity that interacts with AWS.
Key Characteristics
Has long-term credentials (password or access keys)
Can access AWS Console, CLI, or API
Permissions are assigned directly or via groups
When to Use IAM Users
Individual engineers accessing AWS
Third-party tools needing limited access (temporary use)
Best Practices
✅ Avoid attaching policies directly to users
✅ Use Groups for permission management
✅ Enable MFA for console access
2. IAM Groups
What is an IAM Group?
A Group is a collection of IAM Users. Permissions are assigned to the group and inherited by all users inside it.
Why Groups Matter
Simplifies permission management
Ensures consistency across users
Easy onboarding/offboarding
Example Use Case
DevOps-Team → EC2, S3, CloudWatch access
ReadOnly-Team → View-only access
Real-World Tip
When a user changes roles (e.g., Dev → SRE), you simply change their group membership.
3. IAM Policies (MOST IMPORTANT)
What is an IAM Policy?
A policy is a JSON document that defines permissions.
Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
Key Elements Explained
Effect: Allow or Deny
Action: What API calls are allowed/denied
Resource: On which AWS resource
Condition (optional): Extra security rules
Types of Policies
AWS Managed Policies → Created by AWS
Customer Managed Policies → Created by you (recommended)
Inline Policies → Attached to a single identity (avoid)
Best Practice
✅ Use Customer Managed Policies for better control and reuse
4. IAM Roles (CRITICAL FOR DEVOPS & SRE)
What is an IAM Role?
A Role is an IAM identity assumed temporarily by AWS services or users.
Key Differences: User vs Role
| IAM User | IAM Role |
| --- | --- |
| Long-term credentials | Temporary credentials |
| Used by humans | Used by services |
| Needs access keys | No access keys |
Common Role Use Cases
EC2 accessing S3
Lambda writing logs to CloudWatch
Jenkins deploying to AWS
Cross-account access
Example: EC2 Accessing S3
Create IAM Role
Attach S3 policy
Attach role to EC2
EC2 accesses S3 without any access keys stored on the instance (it uses the temporary credentials the role provides)
5. IAM Permission Evaluation Logic
When a request is made:
AWS checks for an explicit DENY (highest priority)
Then checks for an explicit ALLOW
If nothing matches → implicit DENY
⚠️ One DENY overrides multiple ALLOWs.
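To make the evaluation order concrete, here is a small simulator of it, added for this post (not AWS code and not the post's own): explicit Deny beats explicit Allow, and a request that no statement matches is implicitly denied. It handles the Effect, Action and Resource elements from the policy structure in section 3, with IAM-style `*` and `?` wildcards and case-insensitive action names; Condition, NotAction/NotResource and resource-based policies are out of scope. It runs over the two policies quoted in this post plus a constructed guardrail Deny on a `sensitive/` prefix.

```python
"""IAM evaluation order in miniature (added example, not the post's code):
explicit Deny > explicit Allow > implicit Deny."""
import re


def glob_match(pattern: str, value: str, case_sensitive: bool = True) -> bool:
    """IAM-style matching: '*' is any run of characters, '?' exactly one."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
                    for ch in pattern)
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_applies(stmt: dict, action: str, resource: str) -> bool:
    """Action names are case-insensitive in IAM; resource ARNs are not."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(glob_match(a, action, case_sensitive=False) for a in actions)
            and any(glob_match(r, resource) for r in resources))


def evaluate(policies: list, action: str, resource: str) -> tuple:
    """Return (decision, reason) for one request against all attached policies."""
    allowed_by = None
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                # An explicit Deny wins no matter how many Allows matched.
                return "Deny", f"explicit deny ({stmt.get('Sid', 'no Sid')})"
            allowed_by = stmt.get("Sid", "no Sid")
    if allowed_by is not None:
        return "Allow", f"explicit allow ({allowed_by})"
    return "Deny", "implicit deny (no statement matched)"


# The two policies quoted in the post (Sids added here for readable output).
LIST_BUCKETS = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ListAny", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]}
READ_MY_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadMyBucket", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"}]}
# Constructed for this example: a guardrail Deny on a sensitive prefix.
DENY_SENSITIVE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "DenySensitivePrefix", "Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket/sensitive/*"}]}
POLICIES = [LIST_BUCKETS, READ_MY_BUCKET, DENY_SENSITIVE]

# Constructed requests: one per branch of the evaluation logic.
REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::my-bucket/report.csv"),          # explicit Allow
    ("s3:PutObject", "arn:aws:s3:::my-bucket/report.csv"),          # implicit Deny
    ("s3:GetObject", "arn:aws:s3:::my-bucket/sensitive/keys.txt"),  # explicit Deny
    ("s3:ListBucket", "arn:aws:s3:::other-bucket"),                 # Allow via "*"
]


def demo() -> dict:
    return {f"{a} {r}": evaluate(POLICIES, a, r) for a, r in REQUESTS}


if __name__ == "__main__":
    for request, (decision, reason) in demo().items():
        print(f"{decision:5}  {request}  <- {reason}")
```

The third request is the point of the section: `ReadMyBucket` allows it, yet the single matching Deny decides the outcome, which is exactly why a Deny statement is the right tool for a guardrail.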
6. IAM Best Practices Summary
✅ Use Roles instead of access keys
✅ Follow the least privilege principle
✅ Enable MFA
✅ Use Groups for users
✅ Rotate credentials
✅ Audit with IAM Access Analyzer
7. Real-World DevOps Mapping
EC2 + S3 → IAM Role
Jenkins CI/CD → IAM Role + Policy
Kubernetes (EKS) → IAM Role for Service Accounts
Monitoring → Read-only IAM policies