πŸ” What is AWS IAM?

πŸ” What is AWS IAM?

AWS IAM (Identity and Access Management) is a security service that helps you control access to AWS resources.
It lets you create and manage users, groups, roles, and permissions securely.

✅ IAM answers: “Who can do what on which AWS resource?”


🧱 Key Components of IAM

  • Users: Individual people or applications that need access.
  • Groups: Collections of users with common permissions (e.g., Devs, Admins).
  • Roles: Temporary access credentials (used by apps, EC2, Lambda, etc.).
  • Policies: JSON documents defining permissions (what actions are allowed/denied).
  • Federation: Connect IAM to external identity providers (e.g., Google, AD, Okta).


🎯 How IAM Works

  1. You create IAM users/roles for people or services.
  2. Attach IAM policies to define what they can access.
  3. AWS checks these policies before allowing any action.

🧩 Example IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

➡️ This allows full access to everything inside the my-bucket S3 bucket. Note that the Resource covers only objects (my-bucket/*), so bucket-level actions such as s3:ListBucket, whose resource is the bucket ARN arn:aws:s3:::my-bucket, are not granted by this statement.


πŸ›‘οΈ Types of IAM Policies

  • Managed Policy: Predefined by AWS or created by you.
  • Inline Policy: Embedded directly in a user, group, or role.
  • Permissions Boundary: Sets the maximum allowed permissions for a user/role.
  • Service Control Policy (SCP): Used with AWS Organizations to set limits across accounts.


βš™οΈ IAM Roles – For AWS Services

  • EC2 accessing S3: Attach an IAM role with S3 permissions to the EC2 instance.
  • Lambda writing to DynamoDB: Lambda assumes a role with write access.
  • Cross-account access: One AWS account grants another temporary access through a role.


πŸ” IAM Best Practices

✅ Use MFA (Multi-Factor Authentication) for all users
✅ Grant least privilege (only what's needed)
✅ Rotate credentials regularly
✅ Use IAM Roles for EC2/Lambda instead of hardcoding keys
✅ Monitor access with CloudTrail and Access Analyzer


📊 Summary

  • Purpose: Control access to AWS services/resources.
  • Core Elements: Users, Groups, Roles, Policies.
  • Format: Policies written in JSON.
  • Free Tier: IAM is free (you only pay for the services used).
  • Integrated With: All AWS services.


Organizational Units (OU) Examples

  • Definition: Logical groupings of AWS accounts under an AWS Organization for better management.
  • Example Structure:
    • Root
      • Security OU → Accounts for logging, security tools.
      • Sandbox OU → Developer testing accounts.
      • Production OU → Workload accounts (Finance, HR, E-commerce).
      • Shared Services OU → Centralized VPC, CI/CD pipelines.

AWS Organizations

  • Purpose: Service to manage multiple AWS accounts under a single Management Account.
  • Key Features:
    • Consolidated billing.
    • Centralized management of policies and permissions (SCPs).
    • Account creation and lifecycle management.
    • Integration with AWS Control Tower, IAM Identity Center.

SCP Hierarchy (Service Control Policies)

  • Definition: Policies that define maximum permissions for accounts in an OU.
  • Hierarchy:
    • Root SCP → Applies organization-wide.
    • OU SCP → Applies to all accounts in the OU.
    • Account SCP → Narrows permissions further for a specific account.
  • Note: SCPs never grant permissions; they only cap what the IAM identities in an account can do, so an action still needs an IAM policy that allows it.

IAM Conditions

  • Allow you to fine-tune IAM policies using conditions.
  • Examples:
    • "aws:MultiFactorAuthPresent": true β†’ Requires MFA.
    • "aws:RequestTag/Project": "Finance" β†’ Allow actions only on tagged resources.
    • "aws:PrincipalOrgID": "o-abc123" β†’ Allow only principals from specific organization.

IAM for S3

  • Access control methods:
    • Bucket Policies: Resource-based policies granting cross-account or public access.
    • IAM Policies: Identity-based permissions for AWS principals.
    • ACLs: Legacy access mechanism (less recommended).
    • S3 Access Points: Granular access per application or user group.

Resource Policies & aws:PrincipalOrgID

  • Resource policies: Define who can access a specific resource.
  • aws:PrincipalOrgID condition: Restricts access to principals from a particular AWS Organization.

    Example:

    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "o-abc123"
        }
      }
    }
    

IAM Roles vs Resource-Based Policies

  • Scope: IAM roles are assigned to identities (users, services, AWS accounts); resource-based policies are attached directly to a resource (S3 bucket, SQS queue, etc.).
  • Cross-account access: IAM roles require sts:AssumeRole; resource-based policies directly allow principals from other accounts.
  • Use case: IAM roles for temporary access and least-privilege delegation; resource-based policies for sharing a resource across multiple accounts/services.

IAM Permission Boundaries

  • Define the maximum allowed permissions for an IAM principal (user or role).
  • Prevents the principal from gaining extra privileges, even if an identity-based policy attached to it allows them.
  • Use case: Delegate IAM role creation to developers but ensure they cannot exceed boundary permissions.

IAM Policy Evaluation Logic

Order of evaluation:

  1. Explicit Deny → Always wins.
  2. Explicit Allow → If there is no deny, the action is allowed.
  3. Default Deny (implicit) → If no policy allows the action, access is denied.
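To make the evaluation order above concrete, here is an added Python example (not from the original post) that simulates it across an SCP, a permissions boundary and an identity policy, checking the Bool/StringEquals conditions from the IAM Conditions section against a request context. The policies, ARNs and account ID are constructed samples, and the matcher only handles the "*" wildcard and the three condition operators it names.

```python
import fnmatch

# Constructed sample policies (not from the page), in standard IAM JSON shape.
IDENTITY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]},
    {"Effect": "Allow", "Action": "iam:CreateRole", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::my-bucket/prod/*"},
]}
BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP = {"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(cond, ctx):
    # Only the operators this page uses: Bool, StringEquals, StringNotEquals.
    for op, pairs in cond.items():
        for key, want in pairs.items():
            same = str(ctx.get(key)).lower() == str(want).lower()
            if (op in ("Bool", "StringEquals") and not same) or (op == "StringNotEquals" and same):
                return False
    return True

def evaluate_policy(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    result = None
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if not _condition_ok(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny in any statement ends evaluation
        result = "Allow"
    return result

def is_allowed(action, resource, ctx, identity, boundary=None, scp=None):
    """Explicit deny anywhere wins; otherwise every layer present must allow; else implicit deny."""
    verdicts = [evaluate_policy(p, action, resource, ctx)
                for p in (scp, boundary, identity) if p is not None]
    if "Deny" in verdicts:
        return False
    return all(v == "Allow" for v in verdicts)
```

Calling is_allowed with the same identity policy but with and without the boundary or SCP shows how each layer only ever narrows the result.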

AWS IAM Identity Center (Successor to AWS SSO)

  • Purpose: Provides single sign-on (SSO) access to AWS accounts and applications.
  • Features:
    • Centralized user management (integrates with AD).
    • Role-based access to multiple AWS accounts.
    • Integration with external identity providers (Okta, Azure AD).

Microsoft Active Directory (AD)

  • Definition: Directory service by Microsoft for identity management.
  • Provides:
    • Centralized user accounts, groups, and permissions.
    • Authentication and single sign-on in Windows environments.

AWS Directory Services

AWS offers:

  • AWS Managed Microsoft AD: Fully managed AD in AWS cloud.
  • AD Connector: Proxy to connect on-premises AD to AWS.
  • Simple AD: Low-cost AD-compatible directory (limited scale).

AWS Control Tower

  • Purpose: Automates the setup of a secure, multi-account environment.
  • Features:
    • Creates landing zones (OUs, accounts, guardrails).
    • Enforces governance via SCPs and AWS Config rules.
    • Pre-configured security and auditing services (CloudTrail, Config).

✅ Key Takeaway:
AWS Organizations with OUs, SCPs, IAM policies, and Control Tower enable centralized governance and secure access management across multiple AWS accounts.
