AWS Identity and Access Management (IAM) is fundamental to securing your cloud resources. This guide breaks down the essential concepts and components of IAM, helping you understand how to implement secure access controls in your AWS environment.
Core IAM Primitives
IAM is built on three fundamental building blocks that work together to provide secure access management:
| Primitive | Description | Key Points |
|---|---|---|
| User | An identity representing an individual or system | • Can be human or machine • Has permanent long-term credentials • Can belong to multiple groups |
| Role | A temporary identity with defined permissions | • Used for temporary access • No permanent credentials • Commonly used by applications and services |
| Policy | A document defining permissions | • Specifies allowed/denied actions • Written in JSON • Can be attached to users, roles, or resources |
Understanding IAM Policies
Policy Types
1. Identity-based Policies
These policies are attached directly to IAM identities (users, groups, or roles) and specify what actions those identities can perform.
-
Inline Policies
- Embedded directly in a single user, group, or role
- Cannot be reused across multiple identities
- Useful for exceptional cases or one-off permissions
- More difficult to manage at scale
-
Managed Policies
- Stand-alone policy objects that can be attached to multiple identities
- Two subtypes:
- AWS Managed: Created and maintained by AWS
- Customer Managed: Created and maintained by you
2. Resource-based Policies
Attached directly to resources (like S3 buckets or Lambda functions) to define who can access them and what actions they can perform.
Policy Evaluation Fundamentals
-
Default Deny Principle
- All access is denied by default
- Access must be explicitly granted through policies
- Provides a secure foundation for access control
-
Policy Evaluation Logic
- Multiple policies are evaluated together
- The final permission is determined by combining all applicable policies
- Important rule: An explicit DENY always overrides any ALLOW
-
Wildcard Usage
- Wildcards (
*) can represent multiple characters - Example:
s3:*represents all S3 actions - Use with caution as they can grant broader access than intended
- Wildcards (
Policy Structure and Syntax
Anatomy of an IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::bucket-name/*"
}
]
}
Key Elements Explained
| Element | Purpose | Example |
|---|---|---|
| Version | Policy language version | ”2012-10-17” (current version) |
| Statement | Container for permission rules | Array of policy statements |
| Effect | Specifies allow or deny | ”Allow” or “Deny” |
| Action | API calls being controlled | ”s3:GetObject” |
| Resource | Target of the permission | ARN of the resource |