IAM – AWS Identity and Access Management

  • Using IAM we can grant and restrict access to AWS services, and set the permission level of that access.
  • IAM is a global service: the same credentials, roles and policies apply across all regions.
  • The usual IAM setup flow is:
    • User -> Group -> Policy (a policy lists resources and the permissions allowed on those resources).
    • Role – grants permissions to entities we trust.
      • Can be assigned to a service or application.
      • Roles can also be attached to instances.
      • Policies can be attached to roles.
  • Access types – ways of accessing AWS resources:
    • Programmatic, using an access key ID and secret access key.
    • AWS Console.
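To make the User -> Group -> Policy flow concrete, here is an added example (not from these notes or from AWS) that builds a constructed group policy as the JSON document IAM expects and runs a simplified model of IAM's evaluation order: an explicit Deny always wins, an explicit Allow is otherwise required, and anything unmatched is implicitly denied. The evaluator, the ARNs and the bucket names are all constructed for illustration; it handles only Action/Resource statements with IAM-style wildcards and ignores Condition blocks, NotAction and resource-based policies. A small linter flags Allow statements that pair a wildcard action with a wildcard resource, which is the pattern to look for before attaching a policy to a group.

```python
"""Simplified model of IAM policy evaluation (added illustration, not AWS code).

Order: explicit Deny > explicit Allow > implicit Deny. Only Action and
Resource matching with '*' and '?' wildcards is modelled; Condition,
NotAction/NotResource and resource-based policies are ignored.
"""
import fnmatch
import json

# Constructed example policy for a group: read-only access to one bucket,
# with an explicit Deny that carves out a sensitive prefix even though the
# Allow statement would otherwise cover it.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyExampleBucket",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-bucket",
                "arn:aws:s3:::example-bucket/*",
            ],
        },
        {
            "Sid": "DenySecretsPrefix",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/secrets/*",
        },
    ],
}

# Constructed over-broad policy, the kind the linter below should flag.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "FullAdmin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold_case):
    # Action names are case-insensitive in IAM; ARNs are case-sensitive.
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    # fnmatch's '*' and '?' have the same meaning as IAM policy wildcards
    # and '*' also crosses '/' boundaries, which is what ARN matching needs.
    return fnmatch.fnmatchcase(value, pattern)


def evaluate(policies, action, resource):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one action on one resource."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(_matches(a, action, True) for a in _as_list(stmt["Action"]))
            resource_hit = any(_matches(r, resource, False) for r in _as_list(stmt["Resource"]))
            if not (action_hit and resource_hit):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides every Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def find_wildcard_grants(policy):
    """Return the Sids of Allow statements granting '*' actions on '*' resources."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        wide_action = "*" in _as_list(stmt["Action"])
        wide_resource = "*" in _as_list(stmt["Resource"])
        if wide_action and wide_resource:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    # The JSON form is what you would paste into the IAM console or pass to the CLI.
    print(json.dumps(GROUP_POLICY, indent=2))
    bucket = "arn:aws:s3:::example-bucket"
    for act, res in [
        ("s3:GetObject", bucket + "/public/readme.txt"),
        ("s3:GetObject", bucket + "/secrets/key.pem"),
        ("s3:PutObject", bucket + "/public/new.txt"),
    ]:
        print(f"{act:14} {res:50} -> {evaluate([GROUP_POLICY], act, res)}")
    print("over-broad statements in ADMIN_POLICY:", find_wildcard_grants(ADMIN_POLICY))
```

The three sample requests show the three outcomes: a read in the public prefix is allowed, a read under secrets/ is denied even though the Allow statement matches it, and a write is implicitly denied because nothing grants it.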

Exam Tips

  • Prefer IAM over access keys when providing access to others (users).
  • Roles CANNOT be assigned to Users or Groups.
  • Roles are specific to AWS Resources only.
  • Cross-account access – we don’t have to create individual access for each AWS account.
  • STS is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users.
  • Programmatic (SDK) access is authenticated with an access key.
  • Integration with Active Directory is done by connecting Active Directory and IAM via SAML.
  • Federation maps policies to identities from other sources via temporary tokens.


  • Create a new user and assign it to a group.
  • Create a new policy and attach it to the above group.
  • Log in as the user (both programmatic and console access).
  • Creating roles and assigning them to an AWS service (Lambda) can be seen at Blog.