
Introduction to AWS IAM

AWS Identity and Access Management (IAM) is the cornerstone of security in the AWS cloud. Every interaction with AWS — whether through the console, CLI, SDK, or API — passes through IAM. Understanding how IAM works is essential for anyone building on or administering AWS infrastructure.


What is IAM?

IAM is a global AWS service that lets you control who can do what in your AWS account. It provides authentication (proving who you are) and authorisation (determining what you are allowed to do). Unlike most AWS services, IAM is not region-specific — users, groups, roles, and policies you create in IAM are available across all AWS Regions.

IAM is provided free of charge. You pay only for the AWS resources your users consume, never for IAM itself.


Why IAM Matters

Without IAM, anyone with your AWS root account credentials would have unrestricted access to every service and every resource in your account. IAM lets you move from that single all-powerful identity to a fine-grained model where each person, application, or service gets exactly the permissions it needs — and nothing more.

Consider a typical organisation with developers, operations engineers, data analysts, and a finance team. Each group needs access to different AWS services:

Team             Typical access needed
---------------  -------------------------------------------
Developers       EC2, Lambda, S3, CodePipeline
Operations       CloudWatch, Systems Manager, EC2, VPC
Data Analysts    Athena, Redshift, S3 (read-only)
Finance          Billing console, Cost Explorer

IAM enables you to model these different levels of access precisely.


Core IAM Components

IAM comprises several building blocks that work together:

1. Root User

When you first create an AWS account, you start with a single identity known as the root user. This user has complete, unrestricted access to all AWS services and resources. It is identified by the email address and password used to create the account.

Best practice: Never use the root user for everyday tasks. Instead, create individual IAM users and lock the root credentials away, protected by multi-factor authentication.

2. IAM Users

An IAM user represents a person or application that interacts with AWS. Each user has a unique name within the account and can have:

  • Console access — a password for signing in to the AWS Management Console
  • Programmatic access — an access key ID and secret access key for the CLI, SDKs, and APIs

3. IAM Groups

A group is a collection of IAM users. You attach policies to groups, and every user in the group inherits those permissions. Groups make it simple to manage permissions for teams.

4. IAM Policies

Policies are JSON documents that define permissions. They specify which actions are allowed or denied on which resources and under what conditions. Policies are the primary mechanism for authorisation in AWS.
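To make the structure of a policy document concrete, here is an added example (not code from the lesson or from AWS): it builds the read-only policy the Data Analysts row of the table above would need, then lints it for the mistakes that most often turn a "least privilege" policy into an administrator grant. The bucket name is a constructed placeholder; the policy language version "2012-10-17", the Sid/Effect/Action/Resource/Condition keys and the aws:MultiFactorAuthPresent condition key are real IAM constructs.

```python
"""Build and lint IAM policy documents (added example, not AWS tooling)."""
import json
import re

# "2012-10-17" is the current policy language version; omitting Version
# silently selects the older 2008-10-17 grammar.
POLICY_VERSION = "2012-10-17"

# Actions look like "service:Operation", optionally with wildcards (s3:Get*).
ACTION_RE = re.compile(r"[a-z0-9-]+:[A-Za-z0-9*]+")


def make_statement(sid, actions, resources, effect="Allow", condition=None):
    """Return one policy statement; Condition is optional."""
    stmt = {"Sid": sid, "Effect": effect,
            "Action": list(actions), "Resource": list(resources)}
    if condition:
        stmt["Condition"] = condition
    return stmt


def make_policy(statements):
    """Wrap statements in a complete policy document."""
    return {"Version": POLICY_VERSION, "Statement": list(statements)}


# Constructed example for the Data Analysts row: read one bucket, run Athena
# queries only when the caller authenticated with MFA. The bucket name is a
# placeholder, not a real resource.
BUCKET = "arn:aws:s3:::example-analytics-bucket"
DATA_ANALYST_POLICY = make_policy([
    make_statement("ListBucket", ["s3:ListBucket"], [BUCKET]),
    make_statement("ReadObjects", ["s3:GetObject"], [BUCKET + "/*"]),
    make_statement("QueryAthena",
                   ["athena:StartQueryExecution", "athena:GetQueryResults"],
                   ["*"],
                   condition={"Bool": {"aws:MultiFactorAuthPresent": "true"}}),
])


def lint_policy(policy):
    """Return a list of findings; an empty list means the document passed."""
    findings = []
    if policy.get("Version") != POLICY_VERSION:
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"#{i}")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        resources = [resources] if isinstance(resources, str) else list(resources)
        if not actions or not resources:
            findings.append(f"{sid}: Action and Resource are both required")
        # "*" on "*" with Effect Allow is full administrator access.
        if stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources:
            findings.append(f"{sid}: grants all actions on all resources (administrator access)")
        for action in actions:
            if action != "*" and not ACTION_RE.fullmatch(action):
                findings.append(f"{sid}: malformed action {action!r}")
    return findings


if __name__ == "__main__":
    print(json.dumps(DATA_ANALYST_POLICY, indent=2))
    print("findings:", lint_policy(DATA_ANALYST_POLICY))
```

The linter is deliberately narrow: it checks document shape and the one pattern that matters most (an Allow on `*`/`*`). Running a real policy through it before attaching it to a user or group is a cheap way to catch a copy-pasted administrator statement.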

5. IAM Roles

A role is an identity with specific permissions that can be assumed by anyone or anything that needs it — an IAM user in another account, an AWS service like EC2, or an external identity provider. Roles provide temporary security credentials rather than permanent ones.


How Authentication Works

When you make a request to AWS, the following happens:

  1. You present credentials — a username and password (console), an access key (CLI/API), or temporary credentials (role).
  2. AWS validates the credentials — it checks that the identity exists and the credentials are correct.
  3. AWS checks permissions — it evaluates all policies attached to the identity to decide whether the request should be allowed or denied.
  4. The request is allowed or denied — if authorised, AWS fulfils the request; otherwise, it returns an "Access Denied" error.

This process is the same regardless of whether the request comes from a person clicking a button in the console or from an application calling an API.
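Step 3 above, the permissions check, follows a fixed order: every request starts as an implicit deny, an explicit Allow in any attached policy overrides that, and an explicit Deny overrides any Allow. The following added example (not code from the lesson, and a simplified model of what the AWS engine does; the real evaluation also takes service control policies, permissions boundaries, resource-based and session policies into account) implements that order over a set of identity policies. The two sample policies, the bucket name and the account ID 123456789012 are constructed; wildcard semantics (`*` and `?`), case-insensitive action names and the Bool/StringEquals condition operators are real IAM behaviour.

```python
"""Simplified model of the IAM permissions check (added example, not AWS code)."""
import fnmatch


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _statements(policy):
    """Statement may be a single object or a list of objects."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _action_matches(patterns, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def _resource_matches(patterns, resource):
    # ARNs are matched case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in patterns)


def _condition_holds(condition, context):
    """Only the Bool and StringEquals operators are modelled here (assumption:
    any other operator is treated as not satisfied, which fails closed)."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            expected_values = _as_list(expected)
            if operator == "Bool":
                if actual is None or str(actual).lower() not in [e.lower() for e in expected_values]:
                    return False
            elif operator == "StringEquals":
                if actual not in expected_values:
                    return False
            else:
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return (decision, reason). Precedence: implicit deny < explicit Allow < explicit Deny."""
    context = context or {}
    allowed_by = None
    for policy in policies:
        for stmt in _statements(policy):
            if not _action_matches(_as_list(stmt.get("Action")), action):
                continue
            if not _resource_matches(_as_list(stmt.get("Resource")), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            sid = stmt.get("Sid", "<unnamed>")
            if stmt.get("Effect") == "Deny":
                # One matching Deny settles the request, whatever else allows it.
                return "Deny", f"explicit deny by statement {sid}"
            allowed_by = sid
    if allowed_by:
        return "Allow", f"allowed by statement {allowed_by}"
    return "Deny", "implicit deny: no statement allows the request"


# Constructed sample: a data analyst's policy plus a group-level guardrail.
BUCKET = "arn:aws:s3:::example-analytics-bucket"          # placeholder bucket
ATHENA_WORKGROUP = "arn:aws:athena:us-east-1:123456789012:workgroup/primary"  # placeholder
ANALYST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadAnalytics", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET, BUCKET + "/*"]},
        {"Sid": "RunQueries", "Effect": "Allow", "Action": "athena:*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Sid": "NoDeletes", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
}
POLICIES = [ANALYST_POLICY, GUARDRAIL_POLICY]


if __name__ == "__main__":
    for req in [("s3:GetObject", BUCKET + "/report.csv", {}),
                ("s3:DeleteObject", BUCKET + "/report.csv", {}),
                ("athena:StartQueryExecution", ATHENA_WORKGROUP, {}),
                ("athena:StartQueryExecution", ATHENA_WORKGROUP,
                 {"aws:MultiFactorAuthPresent": "true"})]:
        print(req[0], "->", evaluate(POLICIES, *req))
```

The guardrail policy shows why an explicit Deny is the right tool for a team-wide restriction: it wins even when another policy attached to the same user allows the action, and it keeps winning when someone later adds a broader Allow.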


The Shared Responsibility Model and IAM

AWS operates under a shared responsibility model:

  • AWS is responsible for security of the cloud — the physical infrastructure, networking hardware, and the IAM service itself.
  • You are responsible for security in the cloud — creating users, defining policies, rotating credentials, and enabling MFA.

IAM sits at the boundary of this model. AWS keeps the IAM service running and secure, but how you configure it determines whether your account is protected or vulnerable.


IAM is Global

A critical point to understand is that IAM is a global service. When you create an IAM user or role, it is not scoped to a single region. That user or role can access resources in us-east-1, eu-west-2, ap-southeast-1, and every other region — subject to the policies you attach.

This is different from services like EC2 or RDS, where resources exist in a specific region. IAM entities live at the account level.


Key Terminology Summary

Term            Definition
--------------  ---------------------------------------------------------------
Principal       An entity (user, role, or service) that makes requests to AWS
Authentication  Verifying the identity of a principal
Authorisation   Determining whether a principal is allowed to perform a requested action
Policy          A JSON document defining permissions
ARN             Amazon Resource Name, a unique identifier for any AWS resource

Summary

AWS IAM is the foundation of cloud security. It controls who can access your account, what they can do, and under what conditions. By understanding IAM's core components — users, groups, roles, and policies — you set the stage for building a secure, well-governed AWS environment. In the next lesson, we will dive deeper into IAM users and groups.