AWS Identity and Access Management (IAM)

AWS IAM is a web service that helps you securely control access to AWS resources. It is the “front door” of your AWS infrastructure, managing Authentication (Who are you?) and Authorization (What are you allowed to do?).

The Real-World Analogy

Think of IAM like a High-Security Office Building:

  • IAM User: An employee with a unique ID badge.
  • IAM Group: A department (e.g., “Accounting”). If you move everyone in Accounting to the 4th floor, you just update the group policy once.
  • IAM Role: A temporary “specialist” hat. An external contractor (or a computer system) puts on the hat to perform a specific task, then takes it off.
  • IAM Policy: The actual list of permissions programmed into the ID badge telling the doors which floors/rooms you can enter.

Core Concepts for SAA-C03

1. Identities (Users, Groups, Roles)

In the exam, choosing the right identity is critical for security and scalability.

  • Users: Long-term credentials for specific people or applications.
  • Groups: Collections of users. Permissions applied to a group are inherited by all users in that group.
  • Roles: Temporary credentials. Used by AWS services (like EC2 or Lambda) or for Cross-Account Access and Federation.

2. Policies (JSON Documents)

Policies define permissions. The most important rule to remember for the SAA-C03: Explicit Deny always overrides any Allow.

Policy types, what they attach to, and the exam use case for each:

  • Identity-based: Attached to a User, Group, or Role. Exam use case: standard permission management.
  • Resource-based: Attached directly to a resource (e.g., an S3 Bucket Policy). Exam use case: allowing cross-account access to a specific S3 bucket.
  • Permission Boundary: Sets the maximum permissions an entity can have. Exam use case: delegating admin tasks without allowing privilege escalation.
  • Service Control Policy (SCP): Applied at the AWS Organization level. Exam use case: restricting specific regions or services across an entire company.
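The evaluation rule above (explicit Deny beats Allow, no matching Allow means implicit deny, and a permissions boundary can only cap what an identity policy grants) is easy to state and easy to get wrong in practice. The following is an added example, not code from the page or from AWS: a small evaluator over constructed sample policy documents. The policies, bucket names and role are all made up for the illustration, and the evaluator deliberately models only Action/Resource matching with identity policies plus a boundary (no NotAction, NotResource, Condition keys, resource-based policies or SCPs).

```python
import fnmatch
import json

# Constructed sample documents (not from the page). An identity-based policy
# attached to a developer role: broad S3 access on one bucket, read-only EC2
# describes, and an explicit Deny on object deletion.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-uploads/*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
  ]
}""")

# A permissions boundary that caps the role at S3 only. It grants nothing by
# itself; it only limits what the identity policy can grant.
PERMISSIONS_BOUNDARY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource fields."""
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource patterns both cover the request.
    IAM wildcards ('*' and '?') map onto fnmatch; action names are case-insensitive,
    ARNs are compared as written. NotAction/NotResource/Condition are not modelled."""
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"            # an explicit Deny ends evaluation immediately
        decision = "Allow"           # keep scanning: a later Deny still wins
    return decision


def is_allowed(action, resource, identity_policies, boundary=None):
    """Simplified evaluation for a single-account request:
      1. any explicit Deny in any applicable policy -> denied
      2. if a boundary is set, it must itself Allow the request
      3. at least one identity policy must Allow; otherwise implicit deny."""
    identity = [evaluate_policy(p, action, resource) for p in identity_policies]
    if "Deny" in identity:
        return False
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False
    return "Allow" in identity


def demo():
    """Decisions for five requests against the constructed policies."""
    obj = "arn:aws:s3:::app-uploads/photo.jpg"
    return {
        "put_object": is_allowed("s3:PutObject", obj, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY),
        "delete_object": is_allowed("s3:DeleteObject", obj, [IDENTITY_POLICY], PERMISSIONS_BOUNDARY),
        "describe_ec2_no_boundary": is_allowed("ec2:DescribeInstances", "*", [IDENTITY_POLICY]),
        "describe_ec2_with_boundary": is_allowed("ec2:DescribeInstances", "*", [IDENTITY_POLICY], PERMISSIONS_BOUNDARY),
        "get_other_bucket": is_allowed("s3:GetObject", "arn:aws:s3:::other-bucket/x", [IDENTITY_POLICY], PERMISSIONS_BOUNDARY),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The two cases worth noticing are the EC2 describe call, which the identity policy allows but the boundary silently turns into an implicit deny, and the delete call, which is denied even though a broader Allow statement matches it. Against a real account, the same questions are answered by the IAM policy simulator (the SimulatePrincipalPolicy API), which also accounts for the policy types this toy leaves out.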

Decision Matrix: If-Then Guide

  • IF you need an EC2 instance to access an S3 bucket… THEN use an IAM Role attached to an Instance Profile. Never hardcode Access Keys.
  • IF you need to grant a user from Account A access to Account B… THEN create a Cross-Account Role in Account B and allow Account A to assume it.
  • IF you need to manage thousands of employees using corporate credentials… THEN use AWS IAM Identity Center (SSO) with SAML 2.0.
  • IF you need to restrict an entire AWS Account from using a specific service (e.g., stop anyone from using Redshift)… THEN use an SCP in AWS Organizations.
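The cross-account entry in the matrix has two halves that both have to agree: the role in Account B needs a trust policy naming the caller, and the caller in Account A needs permission to call sts:AssumeRole on that role's ARN. The following added example (constructed here, not from the page or from AWS) shows both documents and a checker that applies the trust-policy rules, including the difference between trusting one named principal and trusting an entire account through its account-root ARN. Account IDs, role names and ARNs are made-up sample values; Condition keys and caller-side Deny statements are not modelled.

```python
import fnmatch
import json

# Constructed example (not from the page). Account A = 444455556666 holds the
# caller; Account B = 111122223333 owns the role being assumed.
ROLE_ARN = "arn:aws:iam::111122223333:role/CrossAccountReadRole"
CALLER_ARN = "arn:aws:iam::444455556666:role/DeployRole"

# Trust policy on the role in Account B that names one specific principal in Account A.
TIGHT_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:role/DeployRole"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Same role, but trusting all of Account A via its account-root ARN: every IAM
# principal in Account A that has sts:AssumeRole permission can now assume it.
BROAD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Identity-based policy on the caller in Account A (the caller's half of the handshake).
CALLER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/CrossAccountReadRole"
  }]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def account_of(arn):
    """ARN layout is arn:partition:service:region:account-id:resource."""
    return arn.split(":")[4]


def principal_entry_matches(entry, caller_arn):
    """One Principal.AWS entry: '*' trusts anyone; a bare account id or an
    account-root ARN trusts every principal in that account; any other ARN
    trusts exactly that principal."""
    if entry == "*":
        return True
    if entry.isdigit():
        return account_of(caller_arn) == entry
    if entry.endswith(":root"):
        return account_of(caller_arn) == account_of(entry)
    return entry == caller_arn


def _principal_entries(stmt):
    principal = stmt.get("Principal", {})
    return ["*"] if principal == "*" else _as_list(principal.get("AWS", []))


def trust_decision(trust_policy, caller_arn):
    """Resource side: does the role's trust policy let caller_arn assume it?"""
    decision = "ImplicitDeny"
    for stmt in trust_policy["Statement"]:
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(principal_entry_matches(e, caller_arn) for e in _principal_entries(stmt)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"             # explicit Deny wins here as everywhere
        decision = "Allow"
    return decision


def caller_side_allows(caller_policy, role_arn):
    """Identity side: the caller's own policy must grant sts:AssumeRole on the role ARN."""
    for stmt in caller_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(role_arn, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


def can_assume(trust_policy, caller_policy, caller_arn, role_arn):
    """Cross-account AssumeRole succeeds only when both halves agree."""
    return trust_decision(trust_policy, caller_arn) == "Allow" and caller_side_allows(caller_policy, role_arn)


def audit_trust(trust_policy):
    """Defender's review: report Allow statements that trust more than one named principal."""
    findings = []
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        for e in _principal_entries(stmt):
            if e == "*":
                findings.append("trusts every AWS principal")
            elif e.isdigit() or e.endswith(":root"):
                findings.append(f"trusts every principal in an entire account: {e}")
    return findings
```

Running audit_trust over the two trust policies shows the point of the matrix entry: the tight policy produces no findings, while the account-root version is flagged because it hands the decision about who may assume the role over to whoever manages IAM in Account A.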

Exam Tips and Gotchas

  • Principle of Least Privilege: Always grant only the minimum permissions required for a task.
  • Root User: Only use it for the very first setup or specific billing tasks. Lock it away with MFA.
  • Access Keys vs. Roles: Access keys are for programmatic access from outside AWS. Roles are for access inside AWS or via Federation.
  • IAM is Global: You do not select a region for IAM; it applies to all regions simultaneously.
  • Golden Nugget: If an exam question mentions “Temporary Credentials,” the answer is almost always IAM Roles or AWS STS.

Topics Covered:

  • IAM Identities (Users, Groups, Roles)
  • Policy Evaluation Logic (Allow vs. Deny)
  • Resource-based Policies vs. Identity-based Policies
  • Cross-account access and Federation
  • AWS Organizations and Service Control Policies (SCPs)
  • Security Best Practices (MFA, Least Privilege)

AWS IAM Architecture & Security Flow

The IAM Request Flow: Principal → Authentication (Credentials) → Authorization (Policy Check) → Action on Resource

Service Ecosystem

Key Integrations

  • CloudTrail: Logs every IAM API call for auditing.
  • KMS: IAM policies control who can use encryption keys.
  • Config: Monitors IAM resource changes for compliance.

Performance

API & Limits

IAM is highly available and eventually consistent. For high-scale applications, be aware of API Throttling limits on AssumeRole calls.

Tip: Use caching for temporary credentials to avoid rate limits.
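A concrete form of that tip, as an added example that is not from the page or from the AWS SDK: a process-wide cache that hands out one set of temporary credentials and calls AssumeRole again only when they are within a refresh margin of expiring. To stay runnable offline it uses a constructed stand-in for boto3's sts.assume_role (same keyword arguments and "Credentials" response shape, including a timezone-aware Expiration) and a controllable clock; the role ARN and session name are made-up sample values.

```python
import datetime as dt
import threading


class FakeClock:
    """Constructed, controllable clock so the refresh logic can be exercised offline."""

    def __init__(self):
        self._now = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)

    def now(self):
        return self._now

    def advance(self, delta):
        self._now += delta


def make_fake_sts(clock):
    """Stand-in for boto3's sts.assume_role (constructed, not boto3). Same keyword
    arguments and 'Credentials' shape as the real call; also counts invocations."""
    calls = {"count": 0}

    def assume_role(RoleArn, RoleSessionName, DurationSeconds=3600):
        calls["count"] += 1
        return {"Credentials": {
            "AccessKeyId": f"ASIACONSTRUCTED{calls['count']:03d}",   # constructed sample value
            "SecretAccessKey": "constructed-secret",
            "SessionToken": "constructed-session-token",
            "Expiration": clock.now() + dt.timedelta(seconds=DurationSeconds),
        }}

    return assume_role, calls


class AssumeRoleCredentialCache:
    """Serve one set of temporary credentials to every caller in the process and
    call AssumeRole again only when they are about to expire. A busy service that
    calls AssumeRole once per request is what runs into STS throttling."""

    def __init__(self, assume_role, role_arn, session_name, now,
                 refresh_margin=dt.timedelta(minutes=5)):
        self._assume_role = assume_role      # callable with boto3's assume_role signature
        self._role_arn = role_arn
        self._session_name = session_name
        self._now = now                      # callable returning an aware datetime
        self._refresh_margin = refresh_margin
        self._lock = threading.Lock()
        self._creds = None

    def _needs_refresh(self):
        return self._creds is None or self._creds["Expiration"] - self._now() <= self._refresh_margin

    def get(self):
        with self._lock:                     # one refresh at a time under concurrent callers
            if self._needs_refresh():
                resp = self._assume_role(RoleArn=self._role_arn, RoleSessionName=self._session_name)
                self._creds = resp["Credentials"]
            return dict(self._creds)         # copy, so callers cannot mutate the cached set


def demo():
    """Returns (STS calls after 1000 lookups, STS calls after the credentials near expiry)."""
    clock = FakeClock()
    assume_role, calls = make_fake_sts(clock)
    cache = AssumeRoleCredentialCache(
        assume_role, "arn:aws:iam::111122223333:role/AppRole", "web-worker", clock.now)
    for _ in range(1000):
        cache.get()
    burst_calls = calls["count"]
    clock.advance(dt.timedelta(minutes=56))  # 4 minutes left, inside the 5-minute margin
    cache.get()
    return burst_calls, calls["count"]


if __name__ == "__main__":
    print(demo())
```

A thousand lookups cost one AssumeRole call, and the second call happens only once the credentials are inside the refresh margin. Refreshing a few minutes early, rather than at the expiry instant, means callers never receive credentials that expire in flight; the real boto3 credential providers apply the same idea.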

Cost Optimization

Pricing

IAM is a free feature of your AWS account. You are only charged for the resources (S3, EC2, etc.) that your users/roles create or consume.

Production Use Case: The “Web Identity Federation”

Scenario: You have a mobile app with 1 million users who need to upload photos to S3.

Solution: Do NOT create 1 million IAM users. Instead, use Amazon Cognito. Users log in via Google/Facebook; Cognito exchanges that identity token for temporary credentials for an IAM Role, which allows secure, direct upload to S3.
