Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1. IAM Identities (Users, Groups, Roles, Policies)

First Principle: IAM identities (Users, Groups, Roles) define who can interact with AWS, while IAM Policies define what actions they can perform, forming the basis of granular access control.

AWS Identity and Access Management (IAM) is the cornerstone of security in AWS. It allows you to manage access to AWS services and resources securely.

Key IAM Identities and Components:
  • IAM Users: Represent a single person or application that needs to interact with AWS. Users carry long-term credentials (a console password and/or access keys) that never expire on their own, which makes them the credential type most often leaked or left behind. Require MFA for console users, rotate and remove unused access keys, and prefer roles or federated identities (e.g., IAM Identity Center) for humans and workloads; reserve IAM users for the cases where no role or federation option exists.
  • IAM Groups: Collections of IAM users. Attaching a policy to a group grants the same permissions to every member (e.g., "Administrators," "Developers"), so permissions are managed in one place instead of per user. Groups cannot be nested and cannot be named as a principal in a trust or resource policy; they are purely a permissions-management convenience.
  • IAM Roles: IAM identities with two policies: a permissions policy (what the role may do) and a trust policy (who may assume it: AWS services such as EC2 or Lambda, IAM users, federated identities, or principals in another account). Assuming a role through AWS STS returns time-limited credentials, so no long-lived secret has to be stored on an instance or in application code. Roles are the right choice for services, cross-account access, and users who need elevated privileges only for a specific task.
  • IAM Policies: JSON documents made of statements, each with an Effect (Allow or Deny), Action, Resource and optional Condition. Identity-based policies attach to users, groups or roles. Evaluation logic: every request is implicitly denied by default, an applicable Allow grants the action, and an explicit Deny anywhere overrides any Allow. Writing policies that list only the actions and resources a principal actually needs is how the Principle of Least Privilege is put into practice.

Scenario: You need to grant various levels of access to your AWS account. Developers need to manage EC2 instances, auditors need read-only access to S3 buckets, and your applications running on EC2 need temporary access to DynamoDB.
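The following is an added example, not part of the MindMesh course material: it writes the three identity-based policies the scenario calls for (a developer EC2 policy, an auditor read-only S3 policy, and a DynamoDB policy for a role that EC2 instances assume), plus the trust policy that lets the EC2 service assume the application role, and runs them through a small evaluator that reproduces IAM's core decision rule (implicit deny by default, explicit Deny beats Allow). The account ID, bucket name and table name are placeholders, and the evaluator deliberately ignores Conditions, NotAction/NotResource, resource-based policies, permission boundaries and SCPs.

```python
import fnmatch
import json

# Placeholder identifiers for the constructed example; not a real account.
ACCOUNT = "123456789012"
ORDERS_TABLE = f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/Orders"

# Developers: manage EC2 instances, nothing else (attach to a "Developers" group).
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:StartInstances",
                    "ec2:StopInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
    ],
}

# Auditors: read-only access to one S3 bucket (attach to an "Auditors" group).
AUDITOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::audit-logs-example",
                      "arn:aws:s3:::audit-logs-example/*"]},
    ],
}

# Application role: item-level access to one table; an explicit Deny on
# DeleteTable wins over any Allow, even a broader one added later.
APP_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"],
         "Resource": ORDERS_TABLE},
        {"Effect": "Deny",
         "Action": "dynamodb:DeleteTable",
         "Resource": "*"},
    ],
}

# Trust policy for the application role: only the EC2 service may assume it,
# so instances launched with this role's instance profile get temporary
# credentials instead of embedded access keys.
APP_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Simplified identity-based policy evaluation.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny". Action names are
    matched case-insensitively and ARNs case-sensitively, with '*' and '?'
    wildcards as in IAM. Conditions and NotAction/NotResource are not modelled.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatch.fnmatchcase(resource, p)
                               for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"   # a matching Deny ends evaluation
                decision = "Allow"
    return decision


def trusted_services(trust_policy):
    """Return the AWS service principals a trust policy allows to assume the role."""
    services = []
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(stmt["Action"]):
            services.extend(_as_list(stmt["Principal"].get("Service", [])))
    return services


if __name__ == "__main__":
    print(json.dumps(APP_ROLE_POLICY, indent=2))
    print(evaluate([DEVELOPER_POLICY], "ec2:StartInstances",
                   f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"))
    print(evaluate([AUDITOR_POLICY], "s3:PutObject",
                   "arn:aws:s3:::audit-logs-example/2025/log.gz"))
    print(trusted_services(APP_ROLE_TRUST_POLICY))
```

The last check in the test below is the one worth remembering: adding a second policy that allows dynamodb:* on every resource still does not let the role delete the table, because the explicit Deny in APP_ROLE_POLICY is evaluated regardless of how many Allows apply.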

Reflection Question: How do IAM identities (Users, Groups, Roles) and IAM Policies fundamentally enable granular control over who can access AWS resources and what actions they can perform, forming the basis of secure access management?