100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace
Cloud

AWS IAM

By Amazon Web Services

IntermediateService4.3K learners

AWS IAM (Identity and Access Management) is Amazon Web Services' service for securely controlling access to AWS resources, letting administrators define users, groups, and roles and attach policies that specify exactly what actions each…

Definition

AWS IAM (Identity and Access Management) is Amazon Web Services' service for securely controlling access to AWS resources, letting administrators define users, groups, and roles and attach policies that specify exactly what actions each identity can perform.

Overview

AWS IAM is one of the foundational services in AWS: almost every action taken against an AWS account, whether through the console, CLI, SDK, or another AWS service, is authorized (or denied) by IAM. At its core, IAM lets administrators create users and groups for people, and roles for services or temporary access, then attach JSON-based policies that define which actions are allowed or denied on which resources, following the principle of least privilege. A key concept in IAM is the distinction between users (long-lived credentials tied to a specific person or application) and roles (temporary credentials assumed by a service, another AWS account, or a federated identity). Roles are the recommended way for EC2 instances, Lambda functions, and other AWS services to access other resources, since they avoid embedding long-lived credentials in code or configuration. IAM also supports fine-grained conditions within policies — restricting access by IP range, time of day, multi-factor authentication status, or specific resource tags. Because misconfigured IAM policies are a leading cause of cloud security incidents, IAM is a core topic in Cloud Security curricula, and best practices like least-privilege policies, multi-factor authentication, and avoiding long-lived access keys in favor of roles are heavily emphasized when learning AWS.

Key Features

  • Fine-grained, policy-based access control for AWS resources
  • Users, groups, and roles as the core identity building blocks
  • Roles provide temporary credentials, avoiding long-lived secrets in code
  • JSON policy documents defining allowed or denied actions and resources
  • Support for multi-factor authentication on user sign-in
  • Condition keys for restricting access by IP, time, tags, or MFA status
  • Identity federation with external identity providers and SSO
  • Free to use, with no additional charge beyond the resources it protects

Use Cases

Granting least-privilege access to developers and administrators
Assigning roles to EC2 instances or Lambda functions to access other AWS services
Enforcing multi-factor authentication for sensitive account actions
Federating access for external identity providers or single sign-on
Auditing and tightening permissions to reduce security risk
Cross-account access between multiple AWS accounts in an organization

Frequently Asked Questions