
Identity and Access Management (IAM) in Amazon Web Services (AWS)

Last Updated : 02 Aug, 2025

AWS Identity and Access Management (IAM) is a security service in Amazon Web Services that enables you to securely control access to AWS resources. With IAM, you can create and manage users, groups, roles, and permissions, ensuring that only authorized identities can perform specific actions in your AWS environment.


Use Cases of IAM

IAM plays a critical role in securing and organizing access to your AWS infrastructure. Below are some real-world scenarios:

1. User and Group Management

IAM allows you to create individual users (e.g., developers, admins) and organize them into groups (e.g., DevTeam, Admins). You can assign specific permissions based on roles or responsibilities.

Example:
Create a group DevTeam and assign it read-only access to S3 buckets. All developers in the group inherit these permissions automatically.

2. Enhanced Security (Least Privilege Access)

IAM's default-deny model supports the principle of least privilege: an identity has no permissions until some are explicitly granted, so you give each user only the permissions its tasks require. This limits the damage a misconfiguration, a leaked credential, or a malicious insider can do.

Example:
An intern in the DevOps team is only allowed to start and stop EC2 instances, but cannot terminate them, ensuring critical infrastructure remains protected.
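Least privilege is easier to keep when overly broad statements are caught before a policy is attached. The following is an added example, not code from the article or from AWS: a small Python linter for identity-based policy documents that flags the patterns which most commonly break least privilege (Action "*", a whole service's actions, mutating calls on Resource "*", and unscoped escalation-prone IAM actions such as iam:PassRole). It goes slightly beyond the page's intern example by showing the broad policy next to a scoped version that passes the check. The Sids, account ID, the Owner tag key and the short list of escalation actions are constructed for illustration, and that list is deliberately incomplete.

```python
# Static least-privilege check for IAM identity-based policy documents. Added
# example, not AWS tooling. The sample policies, Sids, account ID and tag key are
# constructed; the list of escalation-prone actions is deliberately short.
import fnmatch

# Actions that let a principal widen its own access (partial list, constructed).
ESCALATION_ACTIONS = (
    "iam:PassRole", "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy", "sts:AssumeRole",
)
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Head")

def _as_list(value):
    return value if isinstance(value, list) else [value]   # IAM allows string or list

def _escalations_covered(action_pattern):
    # Action names are case-insensitive, so "iam:*" must match "iam:PassRole".
    pattern = action_pattern.lower()
    return [a for a in ESCALATION_ACTIONS if fnmatch.fnmatchcase(a.lower(), pattern)]

def lint_policy(policy):
    """Return (Sid, message) findings for Allow statements broader than least
    privilege requires. Deny statements only remove access and are skipped."""
    findings = []
    for index, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        actions = _as_list(stmt.get("Action", []))
        # A statement is "scoped" if it names specific ARNs or carries a Condition.
        scoped = "*" not in _as_list(stmt.get("Resource", [])) or "Condition" in stmt
        if "*" in actions:
            findings.append((sid, "Action '*' grants every API call: full administrative access"))
            continue
        for action in actions:
            service, _, name = action.partition(":")
            escalations = _escalations_covered(action)
            if escalations and not scoped:
                findings.append((sid, f"{action} covers {', '.join(escalations)} on every "
                                      "resource; a principal could use it to grant itself more access"))
            elif name == "*":
                findings.append((sid, f"{action} grants every {service} action; list the calls needed"))
            elif not name.startswith(READ_ONLY_PREFIXES) and not scoped:
                findings.append((sid, f"{action} is a mutating call allowed on every resource; "
                                      "restrict Resource to specific ARNs or add a Condition"))
    return findings

# The article's intern example as usually written (broad) and as it should be (scoped).
INTERN_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InternStartStop", "Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*"}]}
INTERN_EC2_SCOPED = {"Version": "2012-10-17", "Statement": [
    # DescribeInstances supports no resource-level permissions, so '*' is required here.
    {"Sid": "Describe", "Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
    {"Sid": "StartStopOwnInstances", "Effect": "Allow",
     "Action": ["ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Owner": "intern"}}}]}
FULL_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEPLOY_LAMBDA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Deploy", "Effect": "Allow",
     "Action": ["lambda:CreateFunction", "iam:PassRole"], "Resource": "*"}]}

if __name__ == "__main__":
    for name, policy in [("intern", INTERN_EC2), ("intern-scoped", INTERN_EC2_SCOPED),
                         ("admin", FULL_ADMIN), ("deploy", DEPLOY_LAMBDA)]:
        for sid, message in lint_policy(policy) or [("-", "no findings")]:
            print(f"{name:14} {sid:22} {message}")
```

Running it reports two findings for the broad intern policy (StartInstances and StopInstances on every instance in the account), none for the scoped version, one for the administrator policy, and two for the deploy policy, including the iam:PassRole warning: with Resource "*", that statement lets the principal hand any role in the account, including an administrative one, to a Lambda function it creates. Read-only is judged here by action-name prefix, which is a heuristic; the authoritative access level per action is published in the AWS Service Authorization Reference.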

3. Access Management for Resources

IAM enables fine-grained control over who can view, create, edit, or delete specific resources.

Example:
A project manager is granted access to view CloudWatch dashboards but is restricted from modifying EC2 or RDS resources.

4. Multi-Factor Authentication (MFA) for Extra Security

IAM supports MFA to add a second layer of protection. After entering the password, the user must also present a second factor: a time-based one-time password (TOTP) from an authenticator app or hardware token, or a FIDO security key. MFA can also be required inside policies through the aws:MultiFactorAuthPresent condition key, so that sensitive actions are denied unless the session was authenticated with MFA.

Example:
The root user is protected by MFA, so even if its password is compromised, an attacker who lacks the second factor cannot sign in.

Working of IAM

IAM works by verifying whether a user or service is authorized to access a specific AWS resource. It checks the identity making the request and evaluates the attached permissions to determine if the action is allowed.


Example: EC2 Access to S3
You want an EC2 instance to upload files to a specific S3 bucket:

  • Create an IAM role whose permission policy allows s3:GetObject and s3:PutObject on the objects in that bucket.
  • Give the role a trust policy that lets the EC2 service (ec2.amazonaws.com) assume it, and attach the role to the instance through an instance profile. Code on the instance then receives temporary credentials for the role instead of embedding access keys.
  • When the instance calls S3, IAM evaluates the request against the role's policy and allows it only if the action and the resource both match.

The role's permission policy for this scenario:

IAM Policy Snippet:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-team-uploads/*"
    }
  ]
}

This example shows how IAM grants limited, role-based access: the identity (who) is allowed specific actions (can access) on a specific resource (what). Note that the Resource pattern covers objects inside my-team-uploads only; listing the bucket would additionally require s3:ListBucket on the bucket ARN itself (arn:aws:s3:::my-team-uploads), because that action applies to the bucket rather than to its objects.

Core Components of IAM


IAM enables centralized identity and access control in AWS. Let’s explore its core components:

IAM Identities

IAM identities define who can access AWS and what they are allowed to do. These identities include:

1. Root User

  • The identity created with the AWS account, which signs in with the account's email address and password.
  • It has unrestricted access to every resource in the account and cannot be restricted by IAM policies, so it must be protected with MFA and should have no access keys at all.
  • Do not use it for daily operations; create IAM identities (or federated roles) with administrative permissions for that, and reserve the root user for the few account-level tasks that require it.

2. IAM Users

  • Individual identities for people or applications that need long-term access to AWS; each has its own credentials (a console password, access keys, or both).
  • A user has no permissions until policies are attached, either directly or through group membership.

Example:
User user-1 is given read-only access to EC2 but cannot create, modify, or delete instances.

3. IAM Groups

  • A group is a collection of IAM users; a group cannot contain other groups and is not itself a principal that can sign in.
  • Policies attached to a group apply to every member, which simplifies access management: add a user to the group instead of copying policies per user.

Example:
Users user-1 and user-2 are added to a group AutoScalingAdmins whose policy allows modifying Auto Scaling groups:

  • user-1 inherits only the group's policy, so it can modify Auto Scaling groups and nothing else.
  • user-2 additionally has an EC2 management policy attached directly, so its effective permissions are the union of the group policy and its own policy.

4. IAM Roles

  • A role is an identity with permission policies but no long-term credentials. A trusted principal (an AWS service, an IAM user, or an identity in another account) assumes the role and receives temporary credentials from AWS STS that expire after the session duration.
  • Which principals may assume a role is defined by its trust policy; what the role may then do is defined by its permission policies. Roles are the standard way to give AWS services and workloads access without embedding access keys.

Example:
Amazon EKS needs permission to manage EC2 resources on your behalf. You create a role whose trust policy allows the EKS service to assume it, attach the required EC2 permissions, and specify that role as the cluster's IAM role.

IAM Policies

IAM Policies define what actions identities can perform on which resources. Written in JSON, each policy contains one or more statements, and each statement consists of:

  • Effect: Allow or Deny
  • Action: AWS service operations (e.g., s3:GetObject); the * and ? wildcards are allowed
  • Resource: the ARNs the statement applies to (e.g., an S3 bucket or the objects in it)
  • Condition (optional): context checks that must hold for the statement to apply, such as the caller's source IP or whether MFA was used

A user, group, or role can have multiple policies attached, and a request is evaluated against all of them: access is denied by default, any matching Allow grants it, and a matching explicit Deny overrides every Allow.
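To make these evaluation rules concrete, and to tie together the intern example in "Enhanced Security", the MFA example, the group examples, and the EC2-to-S3 example in "Working of IAM", here is an added Python simulator of IAM's identity-based policy evaluation. It is not AWS code and does not call AWS: it implements only Effect, Action, Resource and Bool/BoolIfExists conditions, raising for anything else, and all identities, policies, ARNs and the account ID are constructed for illustration.

```python
# Simulator of IAM identity-based policy evaluation. Added example, not AWS code:
# deny by default, explicit Deny beats Allow, '*'/'?' wildcards on Action and
# Resource, Bool/BoolIfExists conditions. Identities, ARNs and the account ID
# are constructed for illustration.
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Identity:
    name: str                                     # a user, group or role
    policies: list = field(default_factory=list)  # policies attached directly
    groups: list = field(default_factory=list)    # users only: their groups

    def effective_policies(self):
        # A request is judged against the identity's own and its groups' policies.
        return self.policies + [p for g in self.groups for p in g.policies]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, case_sensitive=True):
    # IAM wildcards are '*' and '?', which fnmatchcase supports. Action names are
    # case-insensitive; resource ARNs are case-sensitive.
    for pattern in _as_list(patterns):
        if not case_sensitive:
            pattern, value = pattern.lower(), value.lower()
        if fnmatch.fnmatchcase(value, pattern):
            return True
    return False

def _condition_holds(condition, context):
    # Only Bool and BoolIfExists are simulated. With ...IfExists a missing context
    # key makes the condition true, which is why it is the right operator for "deny
    # unless MFA": requests signed with long-term access keys carry no
    # aws:MultiFactorAuthPresent key at all.
    for operator, pairs in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            raise NotImplementedError(f"condition operator {operator} not simulated")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "Bool":
                    return False
                continue
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True

def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    context = context or {}
    outcome = "ImplicitDeny"                 # nothing has matched yet
    for policy in policies:
        for stmt in policy["Statement"]:
            extra = set(stmt) - {"Sid", "Effect", "Action", "Resource", "Condition"}
            if extra:                        # NotAction, Principal, ... not simulated
                raise NotImplementedError(f"statement elements not simulated: {sorted(extra)}")
            if not (_matches(stmt["Action"], action, case_sensitive=False)
                    and _matches(stmt["Resource"], resource)
                    and _condition_holds(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"        # a matching Deny ends evaluation
            outcome = "Allow"
    return outcome

# Constructed policies mirroring the article's examples.
S3_READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"}]}
UPLOADS_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::my-team-uploads/*"}]}
INTERN_EC2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances", "ec2:StopInstances"],
     "Resource": "*"}]}
EC2_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}

dev_team = Identity("DevTeam", policies=[S3_READ_ONLY])
admins = Identity("Admins", policies=[EC2_ADMIN])
user_1 = Identity("user-1", groups=[dev_team])
user_2 = Identity("user-2", groups=[dev_team, admins])
intern = Identity("intern", policies=[INTERN_EC2])
uploads_role = Identity("ec2-uploads-role", policies=[UPLOADS_ROLE])
INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"

def check(identity, action, resource, mfa=None):
    """Evaluate one request. mfa=None models credentials with no MFA context key."""
    context = {} if mfa is None else {"aws:MultiFactorAuthPresent": mfa}
    return evaluate(identity.effective_policies(), action, resource, context)

if __name__ == "__main__":
    for ident, action, res, mfa in [
        (user_1, "s3:PutObject", "arn:aws:s3:::my-team-uploads/a.txt", None),
        (intern, "ec2:TerminateInstances", INSTANCE, None),
        (user_2, "ec2:TerminateInstances", INSTANCE, False),
        (user_2, "ec2:TerminateInstances", INSTANCE, True),
        (uploads_role, "s3:PutObject", "arn:aws:s3:::other-bucket/a.txt", None),
    ]:
        print(f"{ident.name:17} {action:24} {check(ident, action, res, mfa)}")
```

Run it directly to print the decision for each constructed request. Two details are worth noticing: the intern is refused ec2:TerminateInstances by an implicit deny (no statement matches), whereas user-2 is refused by an explicit Deny that uses BoolIfExists and therefore also fires for long-term access keys, which carry no MFA key at all; and the uploads role cannot write to other-bucket simply because the Resource pattern does not match, with no Deny involved.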

