VISI

IAM Fundamentals

  • Users — mapped to a physical person. Has credentials for Console (password) or programmatic access (access keys).
  • Groups — contain users only (not other groups). Users can be in multiple groups.
  • Policies — JSON documents that define permissions. Applied to users, groups, or roles.
  • Roles — for EC2 instances or AWS services that need to call other services. Temporary credentials.

IAM Policy Structure:

{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow" | "Deny",
"Principal": "...", // who (for resource policies)
"Action": ["s3:GetObject"],
"Resource": "arn:aws:s3:::mybucket/*",
"Condition": {} // optional
}]
}

Key IAM Rule: Explicit DENY always wins over ALLOW.

IAM Security tools:

  • IAM Credentials Report(account-level) — lists all users and status of their credentials.
  • IAM Access Advisor (user-level) — shows service permissions granted and when last used. Use to refine policies.

IAM Permission Boundaries — set the maximum permissions an IAM entity can get. Useful for delegating without escalation risk.

IAM Conditions (exam traps):

  • aws:SourceIp — restrict API calls by client IP
  • aws:RequestedRegion — restrict which region API calls target
  • aws:MultiFactorAuthPresent — require MFA
  • ec2:ResourceTag — restrict based on resource tags

Least Privilege: Never give more permissions than needed — never give more permissions than needed. Root account: lock it down, enable MFA, don't use for day-to-day.

Access Keys — for CLI/SDK access. Access Keys: Never share them. Access Key ID ≈ username; Secret Access Key ≈ password.

References

Quiz

A few quick questions based on this unit. Mark it complete when you are done.

Question 1 / 3

What is Least Privilege: Never give more permissions than needed?