AWS IAM
AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources. It's the foundation of AWS security and touches every other service.
Key Concepts
- Users: Individual identities with credentials
- Groups: Collections of users with shared permissions
- Roles: Identities assumed by services or applications
- Policies: JSON documents defining permissions
Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
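As an added example (not from this page or from AWS), here is a small Python evaluator for the identity-based policy format shown above. It applies IAM's decision order (an explicit Deny beats any Allow; a request no statement matches is implicitly denied) and names the statement that decided, which is the detail a bare "Access Denied" error leaves out. `POLICY_JSON` is a constructed sample that extends the policy above with an explicit Deny; conditions, NotAction/NotResource and resource-based policies are not modelled.

```python
# Added example (not AWS code): a minimal evaluator for the identity-based
# policy format shown above. It applies IAM's documented decision order
# (explicit Deny beats Allow; anything unmatched is implicitly denied) and
# reports which statement decided, the detail "Access Denied" usually lacks.
# Conditions, NotAction/NotResource and resource-based policies are not modelled.
import fnmatch
import json

# Constructed sample policy: the page's Allow plus a scoped explicit Deny.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::my-bucket/secrets/*"}
  ]
}"""

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value):
    # IAM wildcards: '*' any run of characters, '?' exactly one. fnmatchcase
    # has the same semantics once '[' is escaped so it is never a char class.
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))

def evaluate(policy_json, action, resource):
    """Return (decision, reason): 'Allow', 'Deny' or 'ImplicitDeny'."""
    allowed_by = None
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        # Action names are case-insensitive in IAM; resource ARNs are not.
        act_hit = any(_matches(a.lower(), action.lower())
                      for a in _as_list(stmt.get("Action", [])))
        res_hit = any(_matches(r, resource)
                      for r in _as_list(stmt.get("Resource", [])))
        if not (act_hit and res_hit):
            continue
        if stmt["Effect"] == "Deny":   # an explicit Deny ends evaluation
            return "Deny", f"explicit Deny in Statement[{i}]"
        if allowed_by is None:         # remember first Allow, keep scanning for Deny
            allowed_by = i
    if allowed_by is not None:
        return "Allow", f"Allow in Statement[{allowed_by}]"
    return "ImplicitDeny", "no statement matched"

if __name__ == "__main__":
    print(evaluate(POLICY_JSON, "s3:GetObject", "arn:aws:s3:::my-bucket/secrets/k.pem"))
```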
Policy Types
| Type | Attached To | Use Case |
|---|---|---|
| Identity-based | Users, Groups, Roles | Grant permissions to principals |
| Resource-based | S3, SQS, Lambda, etc. | Grant cross-account access |
| Permission boundaries | Users, Roles | Limit maximum permissions |
| Service control policies | AWS Organizations | Guardrails across accounts |
Best Practices
- Least privilege: Grant only the permissions needed
- Use roles, not users: For applications and services
- Enable MFA: Especially for privileged users
- Rotate credentials: Regularly rotate access keys
- Use groups: Manage permissions via groups, not individual users
What We Like
- Granular control: Fine-grained permissions down to individual API actions
- Integration: Every AWS service uses IAM for access control
- Free: No additional cost for IAM itself
- Auditing: CloudTrail logs all API calls for compliance
What We Don't Like
- Complexity: Policy language can be difficult to master
- Debugging: "Access Denied" errors don't always explain why
- Policy limits: Size limits on policies can be restrictive
- Eventually consistent: Changes can take seconds to propagate
IAM vs Cognito
| | IAM | Cognito |
|---|---|---|
| Controls | AWS service access | Application user management |
| Principals | Developers and services | End users |
| Access path | Programmatic and console | Web/mobile apps |