🔐 IAM & Security — Identity and Access Management#

Learning Objectives#

Understand IAM users, groups, roles, and policies
Implement least privilege and MFA
Design cross-account access patterns
Use IAM with AWS Organizations and SCPs

1. IAM Core Concepts#

1.1 What is IAM?#

AWS Identity and Access Management (IAM) lets you securely control access to AWS services and resources. It’s a global service — policies apply across all regions.

          ┌──────────────────────────────┐
          │          IAM (Global)         │
          │                              │
          │  ┌─────┐  ┌─────┐  ┌─────┐  │
          │  │Users│  │Groups│  │Roles│  │
          │  └──┬──┘  └──┬──┘  └──┬──┘  │
          │     │         │         │     │
          │  ┌──┴─────────┴─────────┴──┐ │
          │  │     Policies (JSON)      │ │
          │  └──────────────────────────┘ │
          └──────────────────────────────┘
                      │
         ┌────────────┴────────────┐
         │                         │
    ┌────┴─────┐            ┌──────┴──────┐
    │ AWS      │            │ External     │
    │ Services │            │ Identity     │
    │          │            │ (Cognito,    │
    │          │            │  SAML, LDAP) │
    └──────────┘            └─────────────┘

1.2 IAM Components#

Component	Description	Example
User	A person or service that needs access	`john.doe@example.com`
Group	Collection of users with same permissions	`Developers`, `Admins`
Role	Set of permissions assumed by a trusted entity	`EC2-S3-ReadOnly-Role`
Policy	JSON document defining permissions	`AmazonS3ReadOnlyAccess`

1.3 IAM Policy Structure#

{"Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-company-data-bucket/*",
        "arn:aws:s3:::my-company-data-bucket" ], "Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" }
      }
    }
  ]
}

Policy Elements:

Element	Purpose
`Effect`	`Allow` or `Deny`
`Action`	Specific API actions (e.g., `s3:GetObject`)
`Resource`	ARN of the resource (e.g., `arn:aws:s3:::my-bucket/*`)
`Condition`	When the policy applies (IP, time, MFA, etc.)
`Principal`	Who the policy applies to (for resource-based policies)

⚡ Exam Tip: Explicit Deny always overrides Allow. If there’s no explicit Allow, access is denied by default.

1.4 IAM Policy Types#

Type	Attached To	Use Case
AWS Managed	Users, Groups, Roles	Pre-built by AWS (e.g., `AdministratorAccess`)
Customer Managed	Users, Groups, Roles	Your own reusable policies
Inline	Single user/group/role	One-off permissions (not reusable)
Resource-based	S3 Bucket, SQS Queue, etc.	Cross-account access, public access
Service Control (SCP)	AWS Org accounts	Boundary policies for accounts

1.5 IAM Roles — Deep Dive#

A role is an identity with permissions that can be assumed temporarily by:

AWS services (EC2, Lambda, etc.)
Users from another account
External identity providers (SAML, OIDC)

EC2 Role Use Case:

graph LR
    EC2["EC2 Instance"] --> IP["Instance Profile\n(attached to EC2)"]
    IP --> Role["IAM Role\nS3 ReadOnly"]
    Role --> S3["S3 Bucket"]

    style EC2 fill:#ff9900,color:#fff
    style Role fill:#527fff,color:#fff
    style S3 fill:#01ab5c,color:#fff

IAM Policy Evaluation Logic:

graph TD
    Request["AWS API Request\n(e.g., s3:GetObject)"]

    DenyEval{Is there an explicit DENY?}
    AllowEval{Is there an explicit ALLOW?}
    DefaultDeny["Default Implicit Deny\n❌ Access Denied"]
    ResultDeny["Explicit Deny wins\n❌ Access Denied"]
    ResultAllow["Access Allowed\n✅ Granted"]

    Request --> DenyEval
    DenyEval -- Yes --> ResultDeny
    DenyEval -- No --> AllowEval
    AllowEval -- Yes --> ResultAllow
    AllowEval -- No --> DefaultDeny

    style ResultDeny fill:#d33,color:#fff
    style ResultAllow fill:#1e8900,color:#fff
    style DefaultDeny fill:#888,color:#fff

⚡ Exam Tip: IAM evaluates all policies in this order: SCPs → Resource-based policies → Identity-based policies → Permission boundaries → Session policies. Explicit Deny always wins.

Create and Attach an IAM Role for EC2:

# Create IAM role for EC2
aws iam create-role --role-name EC2-S3-ReadOnly \
  --assume-role-policy-document file://trust-policy.json

# Attach S3 ReadOnly policy
aws iam attach-role-policy --role-name EC2-S3-ReadOnly \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Create instance profile and add role
aws iam create-instance-profile --instance-profile-name EC2-S3-Profile
aws iam add-role-to-instance-profile --instance-profile-name EC2-S3-Profile \
  --role-name EC2-S3-ReadOnly

2. Real-World Use Cases#

Use Case 1: Cross-Account Access#

Scenario: Your central security team needs read-only access to all S3 buckets across 5 AWS accounts.

Solution:

Create a role in each account with S3 ReadOnly access
Grant the security team’s IAM user in the central account permission to assume those roles
Users use aws sts assume-role to switch accounts

# Assume role in target account
aws sts assume-role \
  --role-arn "arn:aws:iam::TARGET_ACCOUNT:role/S3-ReadOnly-Role" \
  --role-session-name "audit-session"

Use Case 2: Federation with Corporate AD#

Scenario: 500 employees use Active Directory. You want them to access AWS using their existing credentials.

Solution: Set up IAM Identity Center (formerly AWS SSO) or SAML 2.0 federation with AD.

┌──────────────┐    SAML Assertion    ┌──────────────────┐
│   Corporate  │─────────────────────>│   AWS IAM        │
│   AD / Okta  │<─────────────────────│   (Identity      │
│              │    AWS Console URL   │    Provider)     │
└──────────────┘                      └────────┬─────────┘
                                               │
                                        Assume IAM Role
                                               │
                                               ▼
                                        ┌──────────────┐
                                        │ AWS Console  │
                                        │ (temporary   │
                                        │  credentials)│
                                        └──────────────┘

Use Case 3: S3 Bucket Policies for Cross-Account Access#

Scenario: Your analytics team (Account B) needs to write data to a bucket in Account A.

Solution: Use a resource-based policy (S3 bucket policy) in Account A:

{"Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_B:root" },
      "Action": [
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::shared-data-bucket/*"
    }
  ]
}

3. Security Best Practices#

3.1 IAM Best Practices#

Practice	Implementation
Root account MFA	Enable MFA on root account immediately
Least privilege	Start with minimal permissions, add as needed
Use roles for EC2	Never store AWS keys on EC2 — use IAM roles
Password policy	Enforce complexity, rotation, MFA
Access keys rotation	Rotate every 90 days
CloudTrail	Enable for auditing all API calls

3.2 AWS Organizations & SCPs#

Service Control Policies (SCPs):

Apply to entire accounts in an organization
Set permission boundaries (what accounts can do)
Even root user is restricted by SCPs

┌──────────────────────────────────────┐
│        AWS Organization              │
│                                      │
│  SCP: "Cannot delete CloudTrail"     │
│                                      │
│  ┌──────────────────────────────┐    │
│  │   Production Account         │    │
│  │   IAM Policy: "Allow all"    │    │
│  │   But SCP denies delete      │    │
│  │   CloudTrail → Cannot delete │    │
│  └──────────────────────────────┘    │
└──────────────────────────────────────┘

3.3 IAM Permission Boundaries#

Sets the maximum permissions a user/role can have:

{"Version": "2012-10-17",
  "Statement": [ { "Effect": "Allow", "Action": ["ec2:*"], "Resource": "*" }
  ]
}

Even if a user gets AdministratorAccess attached, they can only perform EC2 actions within the boundary.

3.4 IAM Access Analyzer#

Analyzes resource policies to identify unintended public access
Reports cross-account access that might be insecure
Supports S3, KMS, SQS, Secrets Manager, Lambda

4. ⚡ Exam Tips#

IAM is global — no region selection needed
Roles vs Users — Use roles for services, users for people
Trust Policy + Permissions Policy = Full role definition
Explicit Deny always wins over Allow
SCPs restrict ALL users including root
Permission boundaries limit max permissions
IAM Access Analyzer for identifying public access
STS (Security Token Service) for temporary credentials using AssumeRole
IAM Identity Center is the new AWS SSO — for managing access across multiple accounts
Resource-based policies allow cross-account access without IAM roles

✅ Chapter Quiz#

Which IAM component is best for granting an EC2 instance access to S3?
- A) IAM User
- B) IAM Group
- C) IAM Role
- D) IAM Policy
True or False: An explicit Deny in an SCP can be overridden by an Allow in an IAM policy.
- A) True
- B) False
Which AWS service provides temporary credentials for cross-account access?
- A) IAM
- B) STS
- C) KMS
- D) Cognito
What does an IAM Permission Boundary do?
- A) Allows all actions by default
- B) Sets the maximum permissions a user/role can have
- C) Prevents root account access
- D) Enables MFA
An S3 bucket policy is an example of what type of policy?
- A) Identity-based
- B) Resource-based
- C) Service Control
- D) Permission Boundary
A company wants to rotate IAM access keys automatically for all users. What is the MOST effective way to detect and remediate keys older than 90 days?
- A) Use AWS Config with a managed rule and auto-remediation
- B) Manually review IAM users each month
- C) Enable CloudTrail to log key usage
- D) Use IAM Access Analyzer to find unused keys
Which IAM feature allows you to delegate access to an AWS service (e.g., EC2) to perform actions on your behalf?
- A) IAM Group
- B) IAM Role
- C) IAM Policy
- D) MFA Device
A company’s security policy requires that all access to production resources must be approved by a manager. Which IAM feature supports this requirement?
- A) IAM Groups
- B) IAM Permissions Boundaries
- C) IAM Access Analyzer
- D) IAM policies do not support approval workflows; use AWS Config instead
Which AWS service provides a managed directory service that can be integrated with IAM for single sign-on to AWS accounts?
- A) Cognito
- B) IAM Identity Center (AWS SSO)
- C) Directory Service (Simple AD)
- D) Secrets Manager
A company stores sensitive data in S3. They need to generate a detailed report of all S3 bucket permissions and identify buckets that are shared with external accounts. Which service provides this report?
- A) GuardDuty
- B) IAM Access Analyzer
- C) AWS Config
- D) Trusted Advisor
A company wants to enforce that all IAM users use MFA when accessing the AWS Management Console. Which IAM policy condition key should be used?
- A) aws:SourceIp
- B) aws:MultiFactorAuthPresent
- C) aws:RequestedRegion
- D) aws:PrincipalArn
An application running on EC2 needs to read data from DynamoDB without storing long-term credentials on the instance. What should the solutions architect do?
- A) Generate access keys and store them in a configuration file on the instance
- B) Create an IAM role with DynamoDB read permissions and attach it to the EC2 instance profile
- C) Use EC2 user data to configure AWS CLI with access keys
- D) Store credentials in an environment variable in the AMI
A company uses AWS Organizations and wants to prevent all member accounts from disabling CloudTrail or deleting CloudTrail trails. Which approach should be used?
- A) Apply an IAM permissions boundary to each member account
- B) Apply a Service Control Policy (SCP) at the organization root
- C) Create an IAM group with a Deny policy and add all users
- D) Enable IAM Access Analyzer
An S3 bucket policy that grants cross-account access is an example of which type of policy?
- A) Identity-based policy
- B) Resource-based policy
- C) Service Control Policy
- D) Permissions boundary
A solutions architect needs to grant a contractor time-limited access to a specific S3 bucket. What is the MOST secure approach?
- A) Create an IAM user with long-term credentials and delete the user after 24 hours
- B) Use an IAM role with AWS STS AssumeRole to provide temporary credentials
- C) Share the bucket access keys with the contractor
- D) Create a bucket policy allowing public access
What is the primary purpose of IAM Access Analyzer?
- A) To analyze IAM user sign-in patterns
- B) To identify resources shared with external entities
- C) To monitor API call latency
- D) To generate IAM credential reports
A company has multiple AWS accounts and wants to allow a user in Account A to access an S3 bucket in Account B. Which steps are required? (Select TWO)
- A) Create a VPC peering connection between the accounts
- B) Create an IAM role in Account B with a trust policy allowing Account A to assume it
- C) Attach an IAM policy to the user in Account A that allows sts:AssumeRole for the role in Account B
- D) Configure a Direct Connect connection between the accounts
- E) Enable cross-account billing
Which elements are required in an IAM policy document? (Select TWO)
- A) Version
- B) Statement
- C) Condition
- D) Principal
- E) Sid
A company wants to ensure that IAM roles in the developer account cannot perform actions beyond Amazon EC2 and S3, even if an administrator attaches a broader policy. What should be configured?
- A) An SCP at the AWS Organizations root level
- B) An IAM permissions boundary on the roles
- C) An IAM group policy
- D) AWS IAM password policy
A security team discovers that several IAM users have access keys that have not been rotated in over 2 years. How can the team automate the detection and enforcement of access key rotation?
- A) Use AWS Config managed rules with auto-remediation
- B) Use IAM Access Analyzer
- C) Use AWS CloudTrail to monitor key age
- D) Enable MFA on the root account
An application running on EC2 needs to stream logs to Amazon CloudWatch Logs. What must be configured to grant this permission securely?
- A) A CloudWatch Logs subscription filter
- B) An IAM role with CloudWatch Logs permissions attached to the EC2 instance profile
- C) AWS access keys in the application configuration file
- D) A security group rule allowing outbound traffic to CloudWatch
What is the purpose of an IAM role’s trust policy?
- A) To define which API actions the role is allowed to perform
- B) To define which principals are allowed to assume the role
- C) To define the resource ARNs the role can access
- D) To set the session duration for temporary credentials
A company wants to allow developers to launch only t3.micro EC2 instances to control costs. Which IAM feature should be used?
- A) An IAM policy with a condition key checking ec2:InstanceType
- B) An IAM group policy that denies all RunInstances actions
- C) A Service Control Policy applied at the OU level
- D) An IAM permissions boundary set to t3.micro only
Which statement is true about IAM roles?
- A) Roles use long-term credentials that do not expire
- B) Roles provide temporary security credentials that expire
- C) Roles can only be assumed by AWS services
- D) Roles are tied to a specific AWS region
A solutions architect needs to grant an AWS Lambda function permission to write objects to an S3 bucket. What is the correct approach?
- A) Store AWS access keys in Lambda environment variables
- B) Create an IAM execution role for Lambda with the required S3 permissions
- C) Attach an IAM role to the Lambda function’s VPC configuration
- D) Configure the S3 bucket policy to allow anonymous writes

📝 Answer Key

C — IAM Role assumed via instance profile. Never store keys on EC2.
B — False. Explicit Deny always overrides Allow, even SCP Deny.
B — AWS STS (Security Token Service) provides temporary credentials.
B — It sets the maximum permissions boundary.
B — Resource-based policy is attached to the resource (S3 bucket), not an identity.
A — AWS Config with the iam-user-unused-keys-cleared rule detects and auto-remediates old keys.
B — IAM Roles are designed to be assumed by AWS services to perform actions on your behalf.
C — IAM Access Analyzer generates findings when resources are shared outside your account boundary.
B — IAM Identity Center (AWS SSO) provides single sign-on across AWS accounts and applications.
B — IAM Access Analyzer generates a report of S3 bucket permissions shared with external entities.
B — aws:MultiFactorAuthPresent checks whether MFA was used. Deny access when MFA is not present.
B — An IAM role attached to an EC2 instance profile provides temporary credentials without storing long-term keys.
B — SCPs set permission boundaries for all accounts in AWS Organizations, restricting even root users.
B — A resource-based policy is attached directly to the resource (S3 bucket), enabling cross-account access.
B — STS AssumeRole provides temporary credentials that expire automatically, minimizing security exposure.
B — IAM Access Analyzer identifies resources shared with external entities outside the organization.
B, C — Create a role in Account B with trust policy, and an IAM policy in Account A allowing AssumeRole.
A, B — Version (specifying policy language version) and Statement (containing policy details) are required.
B — An IAM permissions boundary sets the maximum permissions an IAM role can have.
A — AWS Config rules can detect keys older than 90 days and trigger automated remediation.
B — An IAM role with CloudWatch Logs permissions attached to the instance profile grants secure access.
B — The trust policy specifies which principals (accounts, services, or federated users) can assume the role.
A — An IAM policy with a condition on ec2:InstanceType restricts which instance types can be launched.
B — IAM roles use AWS STS to provide temporary security credentials that automatically expire.
B — Lambda execution roles grant the function the necessary permissions to access AWS services.

📚 Additional Resources#

Next → S3 & Storage