IAM Fundamentals
- Users — mapped to a physical person. Has credentials for Console (password) or programmatic access (access keys).
- Groups — contain users only (not other groups). Users can be in multiple groups.
- Policies — JSON documents that define permissions. Applied to users, groups, or roles.
- Roles — for EC2 instances or AWS services that need to call other services. Temporary credentials.
IAM Policy Structure:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow" | "Deny",
"Principal": "...", // who (for resource policies)
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {} // optional
}]
}
Key IAM Rule: Explicit DENY always wins over ALLOW.
IAM Security tools:
- IAM Credentials Report(account-level) — lists all users and status of their credentials.
- IAM Access Advisor (user-level) — shows service permissions granted and when last used. Use to refine policies.
IAM Permission Boundaries — set the maximum permissions an IAM entity can get. Useful for delegating without escalation risk.
IAM Conditions (exam traps):
- aws:SourceIp — restrict API calls by client IP
- aws:RequestedRegion — restrict which region API calls target
- aws:MultiFactorAuthPresent — require MFA
- ec2:ResourceTag — restrict based on resource tags
Least Privilege: Never give more permissions than needed — never give more permissions than needed. Root account: lock it down, enable MFA, don't use for day-to-day.
Access Keys — for CLI/SDK access. Access Keys: Never share them. Access Key ID ≈ username; Secret Access Key ≈ password.
