CHAPTER 03
Beginner
AWS Identity and Access Management (IAM)
Updated: May 15, 2026
20 min read
1. Introduction
When you created your AWS account, you logged in with an email and password. This is the Root User. The Root User has absolute, unrestricted power. It can delete your account, launch expensive servers, and access all data. In cloud security, using the Root User for daily tasks is the equivalent of using a master key to open your front door, your car, and your safety deposit box. It is highly dangerous. In this chapter, we introduce AWS IAM (Identity and Access Management)—the central nervous system of AWS security.
2. Learning Objectives
By the end of this chapter, you will be able to:
- Define the Principle of Least Privilege.
- Differentiate between the Root User and IAM Users.
- Create IAM Users and assign them to IAM Groups.
- Understand the structure of an IAM JSON Policy.
- Explain the purpose of IAM Roles.
- Enable Multi-Factor Authentication (MFA).
3. Beginner-Friendly Explanation
Imagine a massive corporate office building (Your AWS Account).
- The Root User: The CEO. They have the master key to every floor, the vault, and the ability to sell the building.
- IAM Users: The employees. Bob is hired. You give Bob an ID badge.
- IAM Policies: The permissions. You program Bob's badge so he can only open the door to the Marketing Department. If he tries to enter the Server Room, the door flashes red.
- IAM Groups: You create a "Marketing Group" and apply the marketing door policy to the whole group. When Alice is hired, you just put her in the group, and she instantly gets the same access as Bob.
- IAM Roles: A temporary hat. A contractor arrives to fix the AC. You don't make them an employee (User). You give them a temporary "Repairman Role" that expires in 2 hours.
4. The Core Components of IAM
IAM is a global service (it applies across all AWS Regions simultaneously). It consists of four main parts:
- 1. Users: Physical people (or specific applications) that need access to AWS.
- 2. Groups: Collections of users (e.g., `Developers`, `Admins`, `Finance`).
- 3. Policies: JSON documents that explicitly define what is allowed or denied.
- 4. Roles: Temporary credentials assumed by trusted entities (like an AWS server that needs permission to read an AWS database).
5. IAM Policies (The JSON Blueprint)
Permissions in AWS are explicitly defined in JSON format. By default, an IAM User has zero permissions. They can do *nothing* until you attach a policy. A policy can, for example, allow a user to read files from S3 (AWS Storage) while forbidding them from deleting files.
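As an added example (not the page's own policy document), here is such a read-but-not-delete policy for a constructed bucket, together with a small evaluator that applies the core rule for identity-based policies: everything starts out implicitly denied, a matching Allow grants access, and an explicit Deny always wins. The bucket name, the `ADMIN_POLICY` stand-in and the evaluator itself are assumptions for illustration; the same rule answers exercise 2 in section 11, where an action with no matching Allow is implicitly denied.

```python
import fnmatch
import json

# Constructed example policies (not taken from the page). The first one
# lets a user list and read objects in one bucket but explicitly denies
# deleting them; the second mirrors the managed AdministratorAccess policy.
READ_NOT_DELETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny",
     "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}""")
ADMIN_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

def _as_list(value):
    # Action and Resource may be a single string or a list of strings
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards "*" and "?" behave like shell globs; real IAM also matches
    # action names case-insensitively, which this toy evaluator skips
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation (no Condition/NotAction):
    start from implicit deny, let any matching Allow grant access, and let a
    matching explicit Deny override everything else."""
    decision = "implicit deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"
            decision = "allow"
    return decision

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    print(evaluate([READ_NOT_DELETE_POLICY], "s3:GetObject", obj))      # allow
    print(evaluate([READ_NOT_DELETE_POLICY], "s3:DeleteObject", obj))   # explicit deny
    print(evaluate([READ_NOT_DELETE_POLICY], "ec2:RunInstances", "*"))  # implicit deny
```

Attaching several policies (for instance through group membership) simply adds more statements to the loop, which is why an explicit Deny in one policy still blocks an action that `ADMIN_POLICY` would otherwise allow.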
6. The Principle of Least Privilege
This is the golden rule of cloud security: give a user the exact minimum permissions necessary to do their job, and nothing more. If a developer only needs to view database logs, give them a `ReadOnly` policy. If you lazily give them `AdministratorAccess` and their laptop gets hacked, the hacker now has full control of your cloud infrastructure.
7. Multi-Factor Authentication (MFA)
Passwords are not enough. You MUST enable MFA (using an app like Google Authenticator or Authy) on your Root User immediately. If a hacker guesses your password, they still cannot log in without the 6-digit code from your physical smartphone.
8. Mini Project: Create a Secure IAM Admin User
We will stop using the Root user right now.
Step-by-Step Tutorial:
- 1. Log into AWS Console as the Root user.
- 2. Search for IAM and open the dashboard.
- 3. On the left, click Users -> Add users.
- 4. Name the user `AdminUser`.
- 5. Check the box to Provide user access to the AWS Management Console. Select "I want to create an IAM user" and choose a custom password.
- 6. Click Next. Under Permissions options, select Attach policies directly.
- 7. Search for and check the box next to `AdministratorAccess`.
- 8. Click Next, then Create user.
- 9. CRITICAL: Log out of your Root account. Log back in using the new `AdminUser` credentials. From now on, you will use this account for all tutorials.
9. Best Practices
- Lock away the Root User: Once you create your `AdminUser` and apply MFA to the Root account, you should almost never log in as Root again. Only use it for account-level actions (like closing the AWS account or changing billing details).
- Use Groups, not direct Policies: Never attach a policy directly to a User. Create a Group (e.g., `DatabaseAdmins`), attach the policy to the Group, and put the User in the Group. It makes managing permissions across dozens of employees vastly easier.
10. Common Mistakes
- Leaking Access Keys: If you generate an "Access Key ID" and "Secret Access Key" for an IAM User to use the AWS Command Line, and you accidentally upload those keys to GitHub, hackers will find them in seconds and launch thousands of cryptocurrency mining servers on your account. Never put AWS keys in your code!
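A simple check a team can run over source files before committing, added here as an example that is not from the page: it flags the long-term access key ID format AWS documents (`AKIA` followed by 16 uppercase alphanumerics) and a 40-character secret assigned to a variable whose name contains "secret". The sample scripts are constructed; the key values are the placeholder credentials AWS uses in its own documentation, not real keys. The safe variant also illustrates the role-based alternative asked for in section 13.

```python
import re

# Long-term IAM user access key IDs start with "AKIA" (documented by AWS);
# the secret half is 40 characters from the base64 alphabet and is only
# flagged when it is assigned to a name containing "secret" to limit noise.
ACCESS_KEY_ID_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret[_a-z]*\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?")

def find_aws_credentials(text):
    """Return (line_number, kind) for every line that looks like it embeds
    an AWS access key ID or secret access key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ACCESS_KEY_ID_RE.search(line):
            findings.append((lineno, "access_key_id"))
        if SECRET_KEY_RE.search(line):
            findings.append((lineno, "secret_access_key"))
    return findings

# Constructed sample of the mistake: keys pasted straight into the script.
# The values are AWS's documentation placeholders, not live credentials.
LEAKY_SCRIPT = '''import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
'''

# Constructed safe variant: no keys in code. On an EC2 instance the SDK's
# default credential chain picks up temporary credentials from the attached
# IAM Role, so there is nothing to leak if the file is pushed to GitHub.
SAFE_SCRIPT = '''import boto3
s3 = boto3.client("s3")  # credentials come from the instance's IAM Role
'''

if __name__ == "__main__":
    print(find_aws_credentials(LEAKY_SCRIPT))  # [(2, 'access_key_id'), (3, 'secret_access_key')]
    print(find_aws_credentials(SAFE_SCRIPT))   # []
```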
11. Exercises
- 1. Explain the difference between an IAM User and an IAM Role. When would you use a Role instead of a User?
- 2. What happens if an IAM User tries to launch a server, but they do not have an IAM Policy attached allowing the `ec2:RunInstances` action?
12. MCQs with Answers
Question 1
According to AWS security best practices, what should you do with your AWS Root User account?
Question 2
Which IAM entity is best suited for temporarily granting permissions to an EC2 instance so that it can securely read files from an S3 bucket without hardcoding passwords?
13. Interview Questions
- Q: Explain the Principle of Least Privilege. How does AWS IAM allow administrators to enforce this principle using JSON Policies?
- Q: A developer hardcodes an IAM User's Secret Access Key into a Python script. Explain why this is a massive security vulnerability and propose a more secure architectural solution using IAM Roles.