
IAM

IAM — Identity and Access Management

  • Global service — IAM is not region-specific
  • Root account is created by default — never share it, never use it for daily tasks
  • Users are people within your organization and can be grouped
  • Groups contain users only — groups cannot contain other groups
  • A user doesn't have to belong to a group; one user can be part of multiple groups

Permissions

  • Users or groups are assigned JSON documents called policies
  • Policies define what actions are allowed or denied on which resources
  • Least Privilege Principle — never give more permissions than needed

IAM Policies

Inheritance

  • A user inherits the policies of every group they belong to, on top of any policies attached to the user directly
  • A user need not belong to any group; policies can be attached to the user directly, either as a reusable managed policy or as an inline policy embedded in that one user

Policy Document Structure

{
  "Version": "2012-10-17",
  "Id": "optional-identifier",
  "Statement": [
    {
      "Sid": "optional-statement-id",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::<account-id>:user/<user-name>" },
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket/*"],
      "Condition": { "Bool": { "aws:SecureTransport": "true" } }
    }
  ]
}
(Placeholders in angle brackets are to be filled in. Because Principal is present, this is the shape of a resource-based policy such as an S3 bucket policy; an identity-based policy attached to a user, group or role has no Principal element.)
Field       Required   Description
Version     Yes        Policy language version; always "2012-10-17"
Id          No         Identifier for the policy as a whole
Statement   Yes        One statement object or a list of them
Sid         No         Identifier for a single statement
Effect      Yes        Allow or Deny
Principal   Yes*       Who the statement applies to (*resource-based policies only; not allowed in identity-based policies, where the attached user/group/role is the implicit principal)
Action      Yes        API actions covered, e.g. s3:GetObject; wildcards such as s3:Get* are allowed (NotAction inverts the match)
Resource    Yes        ARNs covered, e.g. arn:aws:s3:::my-bucket/*; "*" means everything (NotResource inverts the match)
Condition   No         Condition keys that must hold for the statement to apply, e.g. aws:SecureTransport, aws:MultiFactorAuthPresent

  • Version is technically optional, but if it is omitted the older 2008-10-17 grammar applies and policy variables such as ${aws:username} do not work, so always set it
  • Resource is required in identity-based policies; a role's trust policy is the usual case without it, because the role itself is the resource
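
The decision rule behind the inheritance notes and the statement table above, as an added worked example (this is not code from the notes or from AWS): a small Python evaluator that collects a user's direct and group-inherited policies and applies explicit deny over allow over implicit deny, with IAM-style "*"/"?" wildcards and a minimal Condition model. All users, groups, policies and ARNs in it are constructed sample data.

```python
"""Mini IAM policy evaluator (added example; not the notes' or AWS's code).

Decision rule for identity-based policies, applied over every statement the
user holds directly or inherits from groups:
  1. any matching statement with Effect Deny  -> "Deny"  (explicit deny wins)
  2. otherwise any matching Allow             -> "Allow"
  3. otherwise                                -> "Deny"  (implicit deny, the default)
Only '*' / '?' wildcards and the Bool operator on aws:SecureTransport are
modelled; real IAM adds NotAction/NotResource, many condition operators,
SCPs, permission boundaries and resource-based policies.
All users, groups, policies and ARNs below are constructed sample data.
"""
import fnmatch


def _as_list(value):
    # Action, Resource and Statement accept a single value or a list
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' any run of characters (including '/'), '?' one char.
    # fnmatch also interprets '[...]', which IAM does not, so neutralise it.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def _condition_ok(condition, context):
    # Minimal Condition model: only the Bool operator; a missing key never matches
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"condition operator not modelled: {operator}")
        for key, wanted in pairs.items():
            if str(context.get(key, "")).lower() != str(wanted).lower():
                return False
    return True


def statement_matches(stmt, action, resource, context):
    # Action names are case-insensitive in IAM; resource ARNs are not
    if not any(_matches(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
        return False
    return _condition_ok(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return "Allow" or "Deny" for one request over a list of policy documents."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"        # explicit deny: stop, nothing can override it
            allowed = True
    return "Allow" if allowed else "Deny"   # implicit deny when nothing allowed


def effective_policies(user, groups, group_policies, user_policies):
    """Policies attached to the user directly plus those of every group it is in."""
    policies = list(user_policies.get(user, []))
    for group in groups.get(user, []):
        policies.extend(group_policies.get(group, []))
    return policies


# ---- constructed sample data ----------------------------------------------
READ_BUCKET = {"Version": "2012-10-17", "Statement": [{
    "Sid": "ReadReports", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}
DENY_SECRETS = {"Version": "2012-10-17", "Statement": {   # a single statement object is legal too
    "Sid": "NoSecretsPrefix", "Effect": "Deny",
    "Action": "s3:*", "Resource": "arn:aws:s3:::my-bucket/secrets/*"}}
WRITE_TLS_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "WriteOverTls", "Effect": "Allow",
    "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "true"}}}]}

GROUPS = {"alice": ["analysts", "admins"], "bob": ["analysts"]}
GROUP_POLICIES = {"analysts": [READ_BUCKET, DENY_SECRETS], "admins": [WRITE_TLS_ONLY]}
USER_POLICIES = {}   # no policies attached directly in this sample


def decide(user, action, resource, context=None):
    return evaluate(effective_policies(user, GROUPS, GROUP_POLICIES, USER_POLICIES),
                    action, resource, context)


if __name__ == "__main__":
    print(decide("bob", "s3:GetObject", "arn:aws:s3:::my-bucket/reports/q1.csv"))   # Allow
    print(decide("bob", "s3:GetObject", "arn:aws:s3:::my-bucket/secrets/db.pem"))   # Deny (explicit)
    print(decide("alice", "s3:PutObject", "arn:aws:s3:::my-bucket/new.txt",
                 {"aws:SecureTransport": "false"}))                                 # Deny (condition)
```

Note how bob's read access to the bucket is cut off under secrets/ even though a statement allows it: the Deny from the same group is evaluated regardless of statement order, and alice's extra admins membership adds an Allow but can never remove that Deny.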

IAM Roles

  • A role is an identity with permissions but no long-term credentials; it is assumed rather than logged into. AWS services (EC2, Lambda, etc.) assume roles to get permissions, and so do federated users and principals from other accounts
  • Never hardcode access keys in EC2/Lambda code or configuration; attach an IAM role instead (an instance profile for EC2, an execution role for Lambda)
  • STS AssumeRole returns temporary credentials (access key ID, secret access key, session token) for the role; who may call it is set by the role's trust policy, what the role may then do by its permissions policy
  • Common use cases: EC2 accessing S3, Lambda writing to DynamoDB, cross-account access
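
A trust policy is the part of a role that decides who can assume it, so it is worth checking mechanically. The following is an added example (not code from the notes or from AWS): a Python linter that reads trust-policy documents and flags wildcard principals, cross-account principals that do not require sts:ExternalId (the usual guard against the confused-deputy problem), and account-root principals. The account IDs, role trust policies and the OWN_ACCOUNT constant are constructed placeholders.

```python
"""Trust-policy linter for IAM roles (added example; not the notes' or AWS's code).

A role carries two documents: a permissions policy (what the role may do) and
a trust policy (which principals may call sts:AssumeRole on it). This linter
walks a trust policy and reports:
  CRITICAL  wildcard principal with no Condition: any AWS account can assume the role
  WARN      wildcard principal narrowed only by a Condition: verify the condition
  HIGH      principal in another account without an sts:ExternalId condition
            (cross-account roles assumed by a third party should require one,
            which blocks the confused-deputy problem)
  INFO      an account-root principal, which delegates to the whole account
Account ids and policies below are constructed placeholders.
"""

OWN_ACCOUNT = "111111111111"   # hypothetical account that owns the roles


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    """Yield (type, value) pairs from a Principal element."""
    principal = stmt.get("Principal", {})
    if principal == "*":                # "*" and {"AWS": "*"} both mean everyone
        yield ("AWS", "*")
        return
    for ptype, values in principal.items():
        for value in _as_list(values):
            yield (ptype, value)


def _account_of(aws_principal):
    # Accepts a bare 12-digit account id or an ARN (arn:partition:iam::ACCOUNT:...)
    if aws_principal.isdigit() and len(aws_principal) == 12:
        return aws_principal
    parts = aws_principal.split(":")
    return parts[4] if len(parts) >= 6 else None


def _requires_external_id(stmt):
    return any("sts:ExternalId" in keys for keys in stmt.get("Condition", {}).values())


def lint_trust_policy(policy, own_account=OWN_ACCOUNT):
    """Return a list of (statement, severity, message) findings."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue   # only Allow statements granting AssumeRole are of interest here
        where = stmt.get("Sid") or f"statement[{i}]"
        for ptype, value in _principals(stmt):
            if ptype != "AWS":
                continue   # Service / Federated principals are out of scope for these checks
            if value == "*":
                if stmt.get("Condition"):
                    findings.append((where, "WARN", "wildcard principal limited only by a Condition; verify it"))
                else:
                    findings.append((where, "CRITICAL", "wildcard principal: any AWS account may assume this role"))
                continue
            account = _account_of(value)
            if account and account != own_account and not _requires_external_id(stmt):
                findings.append((where, "HIGH", f"cross-account principal {value} without sts:ExternalId condition"))
            if value.isdigit() or value.endswith(":root"):
                findings.append((where, "INFO", f"{value} delegates to every principal in account {account}"))
    return findings


def severities(policy, own_account=OWN_ACCOUNT):
    return [sev for _, sev, _ in lint_trust_policy(policy, own_account)]


# ---- constructed sample trust policies -------------------------------------
EC2_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
VENDOR_WITH_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VendorAccess", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}}]}
VENDOR_WITHOUT_EXTERNAL_ID = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VendorAccess", "Effect": "Allow",
    "Principal": {"AWS": "222222222222"},
    "Action": "sts:AssumeRole"}]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    for name, pol in [("EC2_TRUST", EC2_TRUST), ("VENDOR_WITH_EXTERNAL_ID", VENDOR_WITH_EXTERNAL_ID),
                      ("VENDOR_WITHOUT_EXTERNAL_ID", VENDOR_WITHOUT_EXTERNAL_ID), ("OPEN_TRUST", OPEN_TRUST)]:
        for where, sev, msg in lint_trust_policy(pol) or [("-", "OK", "no findings")]:
            print(f"{name:28} {where:14} {sev:9} {msg}")
```

The EC2 trust policy is the normal service-role case and produces no findings; the vendor policy that requires an ExternalId is reduced to an informational note about delegating to a whole account, while the same policy without the condition is flagged HIGH.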

Password Policy

  • Set minimum password length
  • Require specific character types (uppercase, numbers, symbols)
  • Allow IAM users to change their own passwords
  • Force password expiration after N days
  • Prevent password reuse

MFA — Multi-Factor Authentication

  • Protects the root account and IAM users: MFA = password + a code or signature from a device you possess
  • Always enable MFA on the root account; up to eight MFA devices can be registered per user

MFA type                                          Notes
Virtual MFA device (Google Authenticator, Authy)  Software TOTP app; several tokens can live on one phone
U2F / FIDO security key                           One key can be registered to multiple root and IAM users
Hardware key fob                                  Dedicated physical TOTP device
Hardware key fob for AWS GovCloud (US)            Separate fob type, GovCloud only

Access Keys

Three ways to access AWS:

Method                   Protected by
AWS Management Console   Password + MFA
AWS CLI                  Access key (access key ID + secret access key)
AWS SDK                  Access key

  • Access keys are created in the console or with the CLI/API (aws iam create-access-key); the secret access key is shown only once, at creation
  • Each user manages their own access keys; a user can have at most two active keys, which is what makes rotation without downtime possible (create the new key, switch to it, then deactivate and delete the old one)
  • Never share access keys or commit them to source control; treat them like passwords
  • Rotate access keys regularly and delete keys that are unused; prefer roles and their temporary credentials over long-lived keys wherever possible
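
The MFA and access-key rules above are exactly what the IAM credential report (aws iam generate-credential-report, then get-credential-report) lets you check across an account. As an added example (not code from the notes or from AWS), here is a Python audit that parses that CSV and flags root with active access keys, console passwords without MFA, keys older than a rotation threshold, and active keys that have never been used. The CSV is a constructed sample that uses the report's real column names but only the subset read here; the user names, timestamps, fixed "now" and the 90-day threshold are assumptions.

```python
"""Audit an IAM credential report (added example; not the notes' or AWS's code).

The report is a CSV with one row per IAM user plus a <root_account> row.
This parses it and flags:
  - root account without MFA or with an active access key
  - a console password enabled without MFA
  - active access keys older than MAX_KEY_AGE_DAYS
  - active access keys that have never been used
SAMPLE_REPORT is constructed: real column names, made-up users and times,
and only the columns this script reads.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold; an assumption, tune to your policy

SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,not_supported,true,true,2023-01-10T09:00:00+00:00,2024-05-01T12:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::111111111111:user/alice,true,true,true,2024-04-01T08:00:00+00:00,2024-05-30T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111111111111:user/bob,true,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111111111111:user/ci-deploy,false,false,true,2023-11-15T08:00:00+00:00,2024-05-31T10:00:00+00:00,true,2024-05-20T08:00:00+00:00,N/A
"""

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # fixed "now" so the sample is reproducible


def _parse_ts(value):
    # The report uses ISO-8601; N/A, no_information and not_supported mean "no value"
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_credential_report(csv_text, now=NOW):
    """Return a list of (user, finding) tuples."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        is_root = user == "<root_account>"
        # root reports password_enabled as not_supported, so it is checked separately
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true":
            findings.append((user, "console password without MFA"))
        if is_root and row.get("mfa_active") != "true":
            findings.append((user, "root account without MFA"))
        for n in ("1", "2"):
            if row.get(f"access_key_{n}_active") != "true":
                continue
            if is_root:
                findings.append((user, f"root account has active access key {n}"))
            rotated = _parse_ts(row.get(f"access_key_{n}_last_rotated"))
            if rotated and now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                age = (now - rotated).days
                findings.append((user, f"access key {n} is {age} days old (> {MAX_KEY_AGE_DAYS})"))
            if _parse_ts(row.get(f"access_key_{n}_last_used_date")) is None:
                findings.append((user, f"access key {n} active but never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

On the sample, alice is clean, bob has a password but no MFA, root still carries a stale access key, and the ci-deploy user has an overdue key plus a freshly created second key that nothing has picked up yet, which is the typical half-finished rotation.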

Key Exam Points (MLA-C01)

  • IAM is global — not tied to a region
  • Root account → lock it away, use IAM users/roles for everything
  • Roles > Access Keys for AWS service-to-service communication
  • Inline policy = embedded in exactly one user, group or role and deleted with it (not reusable); managed policies are standalone objects that can be attached to many identities
  • An explicit Deny in any applicable policy overrides every Allow; if nothing allows the action, the default is an implicit deny