AWS identity and access management service controlling who can do what in your account, with granular policies based on the principle of least privilege.
AWS IAM (Identity and Access Management) is AWS's central authentication and authorization service that controls who can access which resources and under what conditions. It defines identities (users, roles, groups), permission policies, and authentication mechanisms for every interaction with the AWS API.
IAM operates under a "deny by default" model — everything is prohibited until explicitly granted. Every AWS API call passes through IAM's policy evaluation engine, which determines if the action is allowed based on policies attached to the identity and resource.
The service implements the zero trust principle where every request must be authenticated and authorized regardless of origin. This architecture is fundamental for any secure infrastructure as code implementation on AWS.
Users: Represent physical people with permanent credentials. In production environments, roles are preferred over users to reduce the attack surface of long-lived credentials.
Roles: Identities that can be temporarily assumed by users, services, or applications. Roles don't have permanent credentials — AWS generates temporary tokens through STS (Security Token Service). They are the recommended practice for services like AWS Lambda.
Groups: Logical collections of users sharing similar permissions. They facilitate permission management at organizational scale.
Policies are JSON documents defining permissions using AWS's policy language. They follow the Effect-Action-Resource-Condition structure:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "203.0.113.0/24"
}
}
}
]
}| Type | Scope | Use case |
|---|---|---|
| Identity-based | Attached to users, groups, roles | General identity permissions |
| Resource-based | Attached to specific resources | Granular per-resource control |
| Permission boundaries | Maximum permission limit | Secure administration delegation |
| Service control policies | Organization-level limits | Enterprise governance |
| Access control lists | Object-level control | Legacy system compatibility |
| Session policies | Temporary session limits | Additional role assumption restrictions |
Effective least privilege implementation requires an iterative approach:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::app-data-${aws:userid}/*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::app-data-${aws:userid}",
"Condition": {
"StringLike": {
"s3:prefix": "${aws:userid}/*"
}
}
}
]
}IAM Access Analyzer uses automated reasoning (logic-based reasoning) to identify externally shared resources and generate policies based on actual usage:
Integration with policy as code enables automated policy review and updates based on these findings.
For access between AWS accounts, roles are configured with trust policies allowing assumption from specific accounts:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "unique-external-id"
}
}
}
]
}Alternatively, resource-based policies allow direct access without role assumption:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT-B:role/CrossAccountRole"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::shared-bucket/*"
}
]
}Service-linked roles are predefined roles by AWS that grant specific permissions to AWS services to operate in your account. They are created automatically when a service is enabled and cannot be modified:
AWSServiceRoleForAutoScalingAWSServiceRoleForECSAWSServiceRoleForLambdaReplicatorThese roles implement least privilege at the service level and integrate with secrets management for secure temporary credential handling.
Permission boundaries act as maximum privilege filters, defining the upper limit of permissions an identity can have:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:RequestedRegion": ["us-east-1", "us-west-2"]
}
}
},
{
"Effect": "Deny",
"Action": [
"iam:CreateUser",
"iam:DeleteUser",
"organizations:*"
],
"Resource": "*"
}
]
}IAM is the nervous system of AWS security — every API call passes through its evaluation engine. For staff+ engineers, mastering IAM means understanding that security isn't an add-on but the fundamental architecture. IAM design decisions directly impact development velocity, security posture, and operational costs.
The cost of incorrect IAM configuration can be catastrophic: from security breaches to operational lockouts. Policy complexity grows significantly with organization size, making it critical to establish consistent patterns from the start. Investment in IAM automation and proactive governance is directly proportional to infrastructure scale.
AWS serverless compute service that runs code in response to events without provisioning or managing servers, automatically scaling from zero to thousands of concurrent executions.
Practice of defining and managing infrastructure through versioned configuration files instead of manual processes. Foundation of modern operations automation.
Security architecture that rigorously verifies every request regardless of origin, eliminating implicit trust in internal networks.
Practices and tools for securely storing, distributing, and rotating credentials, API keys, and other sensitive data in applications and pipelines.
Practice of defining security, compliance, and governance policies as versioned, executable code, automating their verification in CI/CD pipelines.
Architecture design for scaling a personal second brain to a production system with AWS serverless — from the current prototype to specialized use cases in legal, research, and community building.
Production-ready serverless backend for a personal knowledge graph — DynamoDB, Lambda, Bedrock, MCP, Step Functions. The implementation of the architecture described in the 'From Prototype to Production' essay.
Industry standards for delegated authorization (OAuth 2.0) and federated authentication (OpenID Connect), enabling third-party login and secure API access.
AWS object storage service with 99.999999999% durability, unlimited scalability, and multiple storage classes for cost optimization.