AWS IAM Deep Dive Cheat Sheet
Reference for IAM users, roles, policies, and permission boundaries used to secure access to AWS resources.
2 PagesIntermediateFeb 8, 2026
IAM Policy Document
Standard structure of an identity-based policy.
json
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*" ], "Condition": { "StringEquals": {"aws:RequestedRegion": "us-east-1"} } } ]}
Role Trust Policy
Allows an EC2 instance to assume a role.
json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole" } ]}
CLI: Users, Roles & Policies
Common IAM management commands.
bash
aws iam create-user --user-name janeaws iam create-role --role-name my-role \ --assume-role-policy-document file://trust-policy.jsonaws iam attach-role-policy --role-name my-role \ --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccessaws iam list-attached-user-policies --user-name janeaws iam create-access-key --user-name janests assume-role would use: aws sts assume-role --role-arn arn:aws:iam::123456789012:role/my-role --role-session-name session1
Core Concepts
Key core concepts to know.
- User- Long-term identity for a person or application with credentials
- Role- Temporary identity assumed by users, services, or federated identities
- Policy- JSON document defining allowed/denied actions on resources
- Managed vs Inline Policy- Managed policies are reusable/standalone; inline policies are embedded in one identity
- Permission Boundary- Sets the maximum permissions an identity can ever have, regardless of attached policies
- Least Privilege- Grant only the exact permissions required, nothing more
Policy Evaluation Logic
Key policy evaluation logic to know.
- Explicit Deny- Always wins over any Allow, in any policy
- Default Deny- All requests are denied unless explicitly allowed
- SCP (Org level)- Service Control Policies set the max permissions across an AWS Organization
- Resource Policy- Attached to the resource itself (e.g. S3 bucket policy), evaluated alongside identity policies
Pro Tip
Use IAM Access Analyzer to detect resources shared with external entities and to generate least-privilege policies from actual CloudTrail activity instead of guessing required permissions.
Was this cheat sheet helpful?
Explore Topics
#AWSIAMDeepDive#AWSIAMDeepDiveCheatSheet#CloudComputing#Intermediate#IAMPolicyDocument#RoleTrustPolicy#CLI#Users#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance