What is AWS IAM?

Question

What is AWS IAM?

Accepted Answer

**IAM** (Identity and Access Management) controls **who can do what** in AWS — managing users, groups, roles, and permissions. It's fundamental to AWS security: every action is authorized through IAM, so understanding it is essential.

## What IAM manages

```text
IAM controls AUTHENTICATION (who you are) and AUTHORIZATION (what you can do):
  USERS    → individual identities (people or applications) with credentials
  GROUPS   → collections of users (assign permissions to a group → all its users get them)
  ROLES    → identities ASSUMED temporarily (by users, services, or AWS resources)
             — no permanent credentials; key for services/cross-account access
  POLICIES → JSON documents defining PERMISSIONS (what actions on what resources)
```

## Policies — defining permissions

```json
{
  "Effect": "Allow",
  "Action": ["s3:GetObject", "s3:PutObject"],
  "Resource": "arn:aws:s3:::my-bucket/*"
}
// → allows getting/putting objects in my-bucket (and nothing else)
```

Policies (JSON) specify **what actions** are allowed/denied on **which resources** — attached to users, groups, or roles to grant permissions.

## Roles — temporary credentials (very important)

```text
ROLES grant temporary permissions without long-lived credentials:
  → an EC2 instance assumes a role → its app accesses S3 (no embedded keys!)
  → a Lambda function assumes a role for its permissions
  → cross-account access; federated/SSO access
→ Roles avoid hardcoding credentials — a security best practice.
```

## Best practices

```text
✓ LEAST PRIVILEGE — grant only the permissions actually needed (not broad/admin)
✓ Use ROLES for applications/services (not embedded access keys)
✓ Enable MFA; protect the root account (don't use it for daily work)
✓ Use groups for permission management; rotate credentials; audit access
```

## Why it matters

Understanding IAM is essential because it's the foundation of AWS security — every action in AWS is authorized through IAM, so it's fundamental, must-know knowledge for working with AWS safely.

IAM controls **who can do what** through its core components: **users** (identities with credentials), **groups** (for managing permissions collectively), **roles** (temporarily-assumed identities), and **policies** (JSON documents defining permissions).

Understanding **policies** (specifying which actions are allowed on which resources) is necessary to grant and understand permissions correctly.

Understanding **roles** is particularly important: they provide **temporary credentials without long-lived keys**, enabling EC2 instances, Lambda functions, and other services to access AWS resources securely **without embedding access keys** — a critical security best practice that avoids the serious risk of hardcoded credentials.

Understanding the **best practices** — especially **least privilege** (granting only the permissions actually needed, not broad admin access, limiting the blast radius of any compromise), using roles for applications, enabling MFA, and protecting the root account — is essential for AWS security, as IAM misconfigurations (overly-broad permissions, leaked credentials) are a common source of security incidents.

Since IAM is the gatekeeper for all AWS access and getting it right is fundamental to security (while getting it wrong causes serious breaches), and since understanding users, roles, policies, and best practices like least privilege is essential for working with AWS securely, understanding IAM is essential, foundational AWS knowledge — a critical security topic that every AWS user must understand, central to using AWS safely and avoiding the access-control mistakes that lead to real security incidents.