AWS Identity and Access Management (IAM) is the cornerstone of security in the cloud. It is the primary tool customers use to fulfill their side of the Shared Responsibility Model — controlling who can access which AWS resources, under what conditions, and with what level of permission. IAM is also one of the most heavily tested topics on the CLF-C02 exam.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/roxsross/aws-cloud-practitioner-complete-guide/llms.txt
Use this file to discover all available pages before exploring further.
What Is IAM?
IAM lets you manage authentication (who you are) and authorization (what you can do) for your AWS account. Every API call made to AWS — from the console, CLI, or SDK — is authenticated and authorized through IAM. Key facts for the exam:- IAM is free to use; you only pay for the AWS resources your users access.
- The root account is created when you open an AWS account and has unrestricted access to everything.
- IAM operates on the principle of least privilege: grant only the permissions needed to perform a task, and nothing more.
Core IAM Components
Users — Individual Identities
Users — Individual Identities
- A unique name within the account
- Console access via username + password (for humans)
- Programmatic access via Access Key ID + Secret Access Key (for applications and scripts)
- Individual developers or admins who need console access
- CI/CD pipelines or scripts that need long-term credentials (though roles are preferred)
- External contractors who need scoped, time-limited access
Groups — Collections of Users
Groups — Collections of Users
- Attach a policy to the group once; all members inherit it automatically.
- Adding a new developer to the team? Add them to the
Developersgroup — done. - Changing what developers can access? Update the group policy once, not 20 individual users.
Roles — Temporary Permissions for Services and Users
Roles — Temporary Permissions for Services and Users
- Lambda functions accessing DynamoDB or SNS
- Cross-account access: a user in Account A assumes a role in Account B
- Federated users: employees logging in via Active Directory assume an IAM role
- Temporary credentials rotate automatically — no manual key rotation
- No secret to store, rotate, or accidentally commit to GitHub
- Clean audit trail showing exactly which role was assumed and when
Policies — JSON Permission Documents
Policies — JSON Permission Documents
- Version: Always
"2012-10-17"— the current policy language version - Statement: An array of one or more permission rules
- Effect:
"Allow"or"Deny" - Action: The API operations being permitted or denied (e.g.,
s3:GetObject) - Resource: The specific ARN(s) the statement applies to
- Condition (optional): Extra constraints like time of day, IP address, or MFA presence
Deny always overrides any Allow. If there is no explicit Allow, the default is deny.Three types of policies:| Type | Created By | Best For |
|---|---|---|
| AWS Managed | AWS | Common job functions (PowerUser, ReadOnly) |
| Customer Managed | You | Custom, reusable org-specific permissions |
| Inline | You | One-off policies tightly bound to a single entity |
IAM Policy: Code Example
Here is a minimal IAM policy that allows reading objects from a specific S3 bucket:s3:GetObject) on exactly one bucket (my-bucket). A user attached to this policy can download files from my-bucket but cannot list the bucket, upload files, or access any other bucket.
A more complete example — allowing read and list, requiring MFA:
Root Account vs. IAM Users
- Root Account
- IAM Admin User
- Changing the account name or root email address
- Closing the account
- Restoring IAM admin access if locked out
- Modifying support plans or AWS Marketplace settings
- A strong, unique password stored in a password manager
- MFA (virtual or hardware token) — required immediately after account creation
- No access keys — delete them if they exist
Multi-Factor Authentication (MFA)
MFA adds a second verification factor beyond just a password. Even if an attacker steals a password, they cannot access the account without the second factor.Virtual MFA
Hardware Token
U2F Security Key
- Root account — mandatory, no exceptions
- All IAM users with console access — strongly recommended
- Accounts with admin or billing access — required
IAM Best Practices
Enable MFA on the root account immediately
Create individual IAM users for every person
Use groups to assign permissions, not individual policies
Apply the principle of least privilege everywhere
*) on broad resources unless absolutely required.Use IAM roles for applications and services
Rotate credentials regularly
IAM Evaluation Logic
When you make an AWS API call, IAM evaluates policies in this order:Explicit Deny
"Effect": "Deny" for the action, access is denied immediately. No further evaluation occurs.Explicit Allow
"Effect": "Allow" for the action, and there is no conflicting deny, access is allowed.s3:DeleteObject and Policy B denies s3:DeleteObject, the request is denied — regardless of the order the policies are attached.Quick Reference Cheat Sheet
| Component | What It Is | Primary Use Case |
|---|---|---|
| User | Individual identity | Human access, long-term app credentials |
| Group | Collection of users | Manage permissions by job role |
| Role | Assumable temporary identity | Services accessing other services |
| Policy | JSON permission document | Define allowed or denied actions |
| MFA | Second authentication factor | Protect high-privilege accounts |
| Root | Master account identity | Initial setup only — never daily use |
