Identity and Access Management (IAM) in Amazon Web Services (AWS)
Last Updated: 02 Aug, 2025
AWS Identity and Access Management (IAM) is a security service in Amazon Web Services that enables you to securely control access to AWS resources. With IAM, you can create and manage users, groups, roles, and permissions, ensuring that only authorized identities can perform specific actions in your AWS environment.
Use Cases of IAM
IAM plays a critical role in securing and organizing access to your AWS infrastructure. Below are some real-world scenarios:
1. User and Group Management
IAM allows you to create individual users (e.g., developers, admins) and organize them into groups (e.g., DevTeam, Admins). You can assign specific permissions based on roles or responsibilities.
Example: Create a group DevTeam and assign it read-only access to S3 buckets. All developers in the group inherit these permissions automatically.
2. Enhanced Security (Least Privilege Access)
IAM lets you apply the principle of least privilege: each identity is granted only the permissions its tasks require, which limits the damage from a misconfiguration, a leaked credential, or deliberate misuse. IAM does not enforce this on its own; the policies you write decide how narrow the grant is.
Example: An intern on the DevOps team is allowed to start and stop EC2 instances but not to terminate them (for example, by explicitly denying ec2:TerminateInstances), so critical infrastructure stays protected even if the intern's other permissions grow over time.
3. Access Management for Resources
IAM enables fine-grained control over who can view, create, edit, or delete specific resources.
Example:
A project manager is granted access to view CloudWatch dashboards but is restricted from modifying EC2 or RDS resources.
4. Multi-Factor Authentication (MFA)
IAM supports MFA to add a second layer of protection. In addition to the password, the user must present a second factor: a time-based one-time password (TOTP) from an authenticator app or hardware token, or a FIDO security key.
Example: The root user is protected by MFA, so even if its password is compromised, sign-in is blocked without the second factor.
Working of IAM
IAM works in two steps: it authenticates the principal (user, role, or service) making a request, then authorizes the request by checking the requested action and resource against every applicable policy. The action is allowed only if some policy explicitly allows it and no policy explicitly denies it; anything not allowed is denied by default.
IAM Working (figure)
Example: EC2 Access to S3
You want an EC2 instance to upload files to a specific S3 bucket:
- Create an IAM role whose trust policy lets the EC2 service (ec2.amazonaws.com) assume it, and attach a permissions policy granting s3:GetObject and s3:PutObject on that bucket's objects.
- Attach the role to the EC2 instance through an instance profile. The instance then obtains short-lived credentials for the role from the instance metadata service, so no access keys need to be stored on the machine.
- When the instance calls S3, IAM evaluates the request and allows it only if the role's permissions cover both the action and the target resource.
This scenario maps directly to the image:
IAM Policy Snippet:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:PutObject"],
"Resource": "arn:aws:s3:::my-team-uploads/*"
}
]
}
This example shows how IAM enables secure, role-based, and limited access, just like the "Who → Can Access → What" flow in the image.
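The steps above as runnable provisioning code, added here as an example; it is not AWS's or the article's own code. It builds the trust policy (who may assume the role) and the permissions policy shown in the snippet, lints the permissions policy for over-broad grants, and issues the boto3 IAM calls in the order EC2 needs them. The names ec2-uploads-role, ec2-uploads-profile and the policy name s3-uploads are hypothetical; the IAM client is passed in, so the same function runs against boto3.client("iam") or the offline recorder defined at the bottom.

```python
"""Provision the EC2-to-S3 upload role end to end (added example, not AWS code).

Hypothetical names: role ec2-uploads-role, instance profile ec2-uploads-profile,
bucket my-team-uploads. The IAM client is injected so the logic can be checked
offline with RecordingIAM; pass boto3.client("iam") to run it for real.
"""
import json


def trust_policy():
    """Trust policy: only the EC2 service may assume the role via sts:AssumeRole."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def permissions_policy(bucket):
    """Permissions policy: object read/write in one bucket only, no wildcard resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def least_privilege_findings(policy):
    """Flag Allow statements that grant more than the EC2-to-S3 use case needs."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action {actions}")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
        if any(not a.startswith("s3:") for a in actions):
            findings.append(f"statement {i}: non-S3 action {actions}")
    return findings


def provision(iam, role_name="ec2-uploads-role", profile_name="ec2-uploads-profile",
              bucket="my-team-uploads"):
    """Create the role, its inline policy, and the instance profile EC2 attaches."""
    findings = least_privilege_findings(permissions_policy(bucket))
    if findings:
        raise ValueError("policy too broad: " + "; ".join(findings))
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName="s3-uploads",
                        PolicyDocument=json.dumps(permissions_policy(bucket)))
    # EC2 cannot take a role directly; it needs an instance profile wrapping the role.
    iam.create_instance_profile(InstanceProfileName=profile_name)
    iam.add_role_to_instance_profile(InstanceProfileName=profile_name, RoleName=role_name)
    return profile_name


class RecordingIAM:
    """Offline stand-in for boto3.client('iam') that records every call made."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return {}
        return call


if __name__ == "__main__":
    iam = RecordingIAM()  # replace with boto3.client("iam") for a real account
    print("instance profile:", provision(iam))
    for name, kwargs in iam.calls:
        print(name, json.dumps(kwargs)[:90])
```

Run it as-is for a dry run that prints the API calls; with a real client, launch the instance with the returned instance profile name and the role's credentials appear on the instance automatically.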
Core Components of IAM
IAM enables centralized identity and access control in AWS. Let’s explore its core components:
IAM Identities
IAM identities define who can access AWS and what they are allowed to do. These identities include:
1. Root User
- The identity created together with the AWS account; it signs in with the account's email address and password.
- It has unrestricted access to every resource in the account, cannot be limited by IAM policies, and must be protected with MFA.
- Do not use it for daily work: create IAM users or roles with only the permissions they need, and reserve the root user for the few tasks that require it.
2. IAM Users
- Individual identities (not separate AWS accounts) for people or applications that need long-term access to AWS; each user has its own credentials, such as a console password and/or access keys.
- Permissions are assigned via policies attached to the user or to groups the user belongs to.
Example: User user-1 is given read-only access to EC2 but cannot create, modify, or delete instances.
3. IAM Groups
- A group is a collection of IAM users; policies attached to the group apply to every member. Groups cannot be nested, and a group is not a principal (it cannot sign in or be named in a trust policy).
- Simplifies access management: permissions are granted once to the group instead of to each user.
Example: Users user-1 and user-2 are added to a group AutoScalingAdmins whose policy grants permission to modify Auto Scaling groups. Both inherit that permission from the group; user-2 additionally has a policy attached directly that grants broader EC2 management, so a user's effective permissions are the union of its group policies and its own.
4. IAM Roles
- An identity with permissions that is not tied to one person and has no long-term credentials; a user or service assumes the role and receives temporary security credentials that expire.
- Commonly used for service-to-service access and for cross-account access.
Example: Amazon EKS needs permission to manage EC2 instances for the cluster. You create a role with the required EC2 permissions and a trust policy that lets the EKS service assume it, then specify that role when creating the cluster.
IAM Policies
IAM policies define what actions identities can perform on which resources. Written in JSON, each statement in a policy consists of:
- Effect: Allow or Deny
- Action: AWS service operations (e.g., s3:GetObject)
- Resource: the ARN(s) of the resources the statement applies to (e.g., an S3 bucket or its objects)
- Condition (optional): context that must hold for the statement to apply, such as the request arriving with MFA present or from a given IP range
A user, group, or role can have multiple policies attached, and their statements are evaluated together: every request is denied by default, an Allow in any applicable statement permits the action, and an explicit Deny in any applicable statement overrides every Allow.
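The evaluation rules just described (implicit deny, Allow, explicit Deny overriding, and a Condition on MFA from the MFA section) in a small local simulator, added here as an example; it is not IAM's own evaluation engine and covers only identity-based policies with the Bool condition operator and the * and ? wildcards. The intern policy from the least-privilege example, the over-broad ec2:* policy, the MFA-gated delete policy, the account ID 123456789012 and the ARNs are all constructed for the example.

```python
"""Local simulator of how IAM evaluates identity-based policies (added example).

Not AWS code. Handles Allow/Deny statements, the * and ? wildcards in Action and
Resource, and the Bool condition operator (enough for aws:MultiFactorAuthPresent).
Policies, account ID and ARNs below are constructed for the example.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_sensitive):
    """IAM wildcard match: * is any sequence, ? one character. Actions are case-insensitive."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_holds(condition, context):
    """Evaluate a Condition block; only the Bool operator is implemented here."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"condition operator {operator} not supported")
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False  # missing key or wrong value: the statement does not apply
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow' or 'Deny' for a request by an identity with `policies` attached.

    Order of precedence: an explicit Deny wins, then any Allow, otherwise implicit deny.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not any(_matches(a, action, False) for a in _as_list(stmt["Action"])):
                continue
            if not any(_matches(r, resource, True) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # explicit deny: stop immediately
            allowed = True
    return "Allow" if allowed else "Deny"


# Constructed sample policies (not from any real account).
INTERN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
        {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
    ],
}
BROAD_EC2_POLICY = {  # an over-broad grant added later; the explicit Deny above still wins
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}
MFA_DELETE_POLICY = {  # destructive action permitted only when MFA was used to sign in
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Action": "s3:DeleteObject",
        "Resource": "arn:aws:s3:::my-team-uploads/*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc12345def67890"
OBJECT = "arn:aws:s3:::my-team-uploads/report.csv"

if __name__ == "__main__":
    for action in ("ec2:StartInstances", "ec2:TerminateInstances", "ec2:DescribeInstances"):
        print(action, evaluate([INTERN_POLICY, BROAD_EC2_POLICY], action, INSTANCE))
    print("delete without MFA:", evaluate([MFA_DELETE_POLICY], "s3:DeleteObject", OBJECT))
    print("delete with MFA:", evaluate([MFA_DELETE_POLICY], "s3:DeleteObject", OBJECT,
                                       {"aws:MultiFactorAuthPresent": "true"}))
```

The simulator ignores resource-based policies, permissions boundaries, SCPs and session policies, all of which IAM also consults; for a real account, use the IAM policy simulator or the iam:SimulatePrincipalPolicy API to confirm the effective result.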