AWS IAM
AWS identity and access management service controlling who can do what in your account, with granular policies based on the principle of least privilege.
What it is
AWS IAM (Identity and Access Management) controls authentication and authorization in AWS. It defines who (identity) can do what (permissions) on which resources (scope). It's the security nervous system of any AWS account.
Key concepts
- Users: identities for people
- Roles: identities for services and applications (preferred over users)
- Policies: JSON documents defining permissions
- Groups: collections of users with shared policies
Policy types
| Type | Scope |
|---|---|
| Identity-based | Attached to users, groups, roles |
| Resource-based | Attached to resources (S3 bucket policy) |
| Permission boundaries | Maximum permission limit |
| Service control policies | Organization-level limits |
Principle of least privilege
Each identity should have only the strictly necessary permissions. In practice:
- Start with no permissions and add as needed
- Use IAM Access Analyzer to identify unused permissions
- Prefer roles over access keys
- Rotate credentials regularly
IAM and Lambda
Each Lambda function has an execution role that defines which AWS services and resources it can call. Define a specific role per function; don't share one generic role across functions, because every function then inherits the union of their permissions.
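As an added example (not from the original page or from AWS), the least-privilege and Lambda sections above put into code: a per-function execution-role policy scoped to one DynamoDB table and the function's own log group, an overly broad "shared role" policy for contrast, and a small review check that flags wildcard grants. Account id, region, table and function names are constructed placeholders.

```python
# Constructed example: a least-privilege execution-role policy for one Lambda
# function that reads a single DynamoDB table and writes only its own log
# stream. Account id, region, table and function names are placeholders.
LAMBDA_EXECUTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WriteOwnLogs",
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-reader:*",
        },
        {
            "Sid": "ReadOrdersTable",
            "Effect": "Allow",
            "Action": ["dynamodb:GetItem", "dynamodb:Query"],
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders",
        },
    ],
}

# Constructed "shared generic role" policy of the kind the page warns against.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return review findings for Allow statements that use wildcards.
    Flags an Action of "*" or "service:*" and a Resource of "*". Actions that
    do not support resource-level permissions legitimately need Resource "*",
    so findings are items to justify in review, not automatic failures."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource")
    return findings
```

Running `find_broad_grants` over a function's role policy in CI before `iam:PutRolePolicy` turns the "start with no permissions and add as needed" rule into a check rather than a convention.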
Why it matters
IAM is the nervous system of AWS security. Every API call passes through IAM. Understanding policies, roles, and the principle of least privilege is not optional — it is the foundation on which any secure cloud architecture is built.