IAM Fundamentals

Identity and Access Management Core Concepts

Core Components

Users: Individual people or services that need AWS access
Groups: Collections of users that share the same permissions
Roles: Identities that are assumed rather than signed into, providing temporary credentials to AWS services, external users, or other accounts
Policies: JSON documents defining permissions

Authentication Methods

Console Password: Web-based access to the AWS Management Console
Access Keys: Programmatic access via CLI/SDK (access key ID + secret access key)
Temporary Credentials: Short-term access via STS (Security Token Service)
MFA: Multi-factor authentication, an additional factor required at sign-in beyond the password

Password Policy

Allow Password Change: Enable "Allow users to change their own password" permission
Password Expiration: Set maximum password age (e.g., 90 days) to force regular updates
Password History: Remember last 5-24 passwords to prevent reuse
Complexity Requirements: Minimum length, uppercase, lowercase, numbers, symbols
Account Lockout: Lock account after failed login attempts
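The settings above map onto the parameters of the IAM account password policy API. As an added example (not code from the page), the dictionary below uses the parameter names that boto3's update_account_password_policy accepts, validate_policy checks the API's documented value ranges, and check_password mirrors the same complexity and reuse rules locally so the effect of each setting is visible without an AWS account. The policy values are a constructed, fairly strict example, not an AWS default.

```python
"""Account password policy as boto3 parameters, plus a local checker.

Added example, not the page's code. POLICY uses the parameter names of
boto3's IAM.Client.update_account_password_policy, so it can be passed to
that call as keyword arguments. check_password() applies the same rules
locally; the values chosen are a constructed example.
"""
import hashlib
import string

POLICY = {
    "MinimumPasswordLength": 14,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "RequireNumbers": True,
    "RequireSymbols": True,
    "AllowUsersToChangePassword": True,  # "Allow users to change their own password"
    "MaxPasswordAge": 90,                # days before the password expires
    "PasswordReusePrevention": 24,       # remember the last N passwords
    "HardExpiry": False,                 # expired users may still set a new password
}

# Characters IAM counts as symbols (non-alphanumeric) for RequireSymbols.
IAM_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")


def validate_policy(policy):
    """Return the parameter values that fall outside the documented API limits."""
    problems = []
    length = policy.get("MinimumPasswordLength", 0)
    if not 6 <= length <= 128:
        problems.append("MinimumPasswordLength must be between 6 and 128")
    reuse = policy.get("PasswordReusePrevention")
    if reuse is not None and not 1 <= reuse <= 24:
        problems.append("PasswordReusePrevention must be between 1 and 24")
    age = policy.get("MaxPasswordAge")
    if age is not None and not 1 <= age <= 1095:
        problems.append("MaxPasswordAge must be between 1 and 1095 days")
    return problems


def password_hash(password):
    """Digest used for the reuse-history comparison in this demo (SHA-256; a
    real credential store would use a slow, salted hash instead)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, policy, previous_hashes=()):
    """Return the rules the candidate violates; an empty list means it is acceptable."""
    violations = []
    if len(candidate) < policy["MinimumPasswordLength"]:
        violations.append("too short")
    if policy.get("RequireUppercaseCharacters") and not any(c in string.ascii_uppercase for c in candidate):
        violations.append("no uppercase letter")
    if policy.get("RequireLowercaseCharacters") and not any(c in string.ascii_lowercase for c in candidate):
        violations.append("no lowercase letter")
    if policy.get("RequireNumbers") and not any(c in string.digits for c in candidate):
        violations.append("no number")
    if policy.get("RequireSymbols") and not any(c in IAM_SYMBOLS for c in candidate):
        violations.append("no symbol")
    # Reuse check: only the most recent N remembered hashes count.
    remembered = policy.get("PasswordReusePrevention", 0)
    if remembered and password_hash(candidate) in list(previous_hashes)[-remembered:]:
        violations.append("reused password")
    return violations


if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY))
    print("'password' fails:", check_password("password", POLICY))
    print("strong candidate:", check_password("Correct-Horse-Battery-9", POLICY))
```

To apply the policy to an account, call boto3's `iam.update_account_password_policy(**POLICY)`; the local checker is only a mirror of the rules, since IAM itself enforces them at password change time.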

Best Practices

Follow principle of least privilege
Use groups to assign permissions to users
Enable MFA for privileged users
Rotate access keys regularly
Use roles for applications running on EC2
Monitor activity with CloudTrail
Use policy conditions for fine-grained control
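Two of these practices, MFA for privileged users and regular key rotation, can be checked from the data CloudTrail and the IAM credential report already produce. The following is an added example, not code from the page: the records are constructed inline, but the field names follow the real CloudTrail ConsoleLogin event (additionalEventData.MFAUsed, responseElements.ConsoleLogin) and the real credential report CSV columns, so the same functions can be run over data fetched with boto3's lookup_events and get_credential_report.

```python
"""IAM hygiene checks over CloudTrail events and the credential report.

Added example, not from the page. Sample data is constructed; field and
column names follow the real CloudTrail and credential report formats.
"""
import csv
import io
import json
from datetime import datetime, timezone

# Constructed CloudTrail records; real events carry many more fields.
CLOUDTRAIL_EVENTS = json.loads("""[
 {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T08:00:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "alice"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T09:15:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "bob"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T09:20:00Z",
  "userIdentity": {"type": "IAMUser", "userName": "mallory"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventName": "GetObject", "eventTime": "2024-05-01T10:00:00Z",
  "userIdentity": {"type": "AssumedRole", "userName": "app-role"}}
]""")

# Constructed credential report rows: a subset of the real report's columns.
# csv.DictReader looks columns up by name, so the full report works unchanged.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
alice,true,true,true,2024-04-15T00:00:00+00:00,false,N/A
bob,true,false,true,2022-06-01T00:00:00+00:00,true,2023-11-01T00:00:00+00:00
deploy-svc,false,false,true,2024-03-20T00:00:00+00:00,false,N/A
"""

# Fixed "now" so the age arithmetic is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def console_logins_without_mfa(events):
    """User names with a successful console login that was not protected by MFA."""
    hits = []
    for event in events:
        if event.get("eventName") != "ConsoleLogin":
            continue
        if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue  # failed logins are a separate signal (password guessing)
        if event.get("additionalEventData", {}).get("MFAUsed") == "No":
            hits.append(event["userIdentity"].get("userName"))
    return hits


def users_without_mfa(report_csv):
    """Users who can sign in to the console but have no MFA device active."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


def stale_access_keys(report_csv, now=NOW, max_age_days=90):
    """(user, key slot, age in days) for every active key older than max_age_days."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue
            rotated = datetime.fromisoformat(row[f"{slot}_last_rotated"])
            age = (now - rotated).days
            if age > max_age_days:
                findings.append((row["user"], slot, age))
    return findings


if __name__ == "__main__":
    print("console logins without MFA:", console_logins_without_mfa(CLOUDTRAIL_EVENTS))
    print("users without MFA:", users_without_mfa(CREDENTIAL_REPORT))
    print("stale access keys:", stale_access_keys(CREDENTIAL_REPORT))
```

The credential report check and the CloudTrail check complement each other: the report shows who lacks MFA, while the trail shows whether that gap was actually used to sign in.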

Policy Structure

Basic policy structure (JSON does not allow comments, so a policy document contains only the object below):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket/*"
    }
  ]
}
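Reading a policy document is easier once the evaluation rules behind it are clear: a request is denied by default, an explicit Deny in any matching statement always wins, and otherwise some statement must Allow it. The following is an added example, not AWS's engine or code from the page: a small evaluator that applies those rules to the page's policy plus a constructed Deny statement that uses the aws:MultiFactorAuthPresent condition key, which also illustrates the "Use policy conditions" practice. It models only Action, Resource, the Bool/BoolIfExists and StringEquals operators, and IAM's * and ? wildcards; resource policies, NotAction/NotResource, permission boundaries and SCPs are out of scope.

```python
"""Toy evaluator for identity-based IAM policies (added example).

Models: default deny, explicit Deny overrides Allow, wildcard matching of
Action (case-insensitive) and Resource (case-sensitive), and the Bool,
BoolIfExists and StringEquals condition operators. Everything else in real
IAM evaluation is intentionally left out.
"""
import re

EXAMPLE_POLICIES = [
    {   # the page's basic policy
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket/*"}
        ],
    },
    {   # constructed: deny all S3 actions unless the request carried MFA
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": "*",
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            }
        ],
    },
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive=False):
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _condition_holds(operator, key, expected, context):
    actual = context.get(key)
    if actual is None:
        # Absent key: *IfExists operators treat the condition as met,
        # plain operators never match. This is why deny-unless-MFA
        # statements use BoolIfExists rather than Bool.
        return operator.endswith("IfExists")
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    if base == "Bool":
        return str(actual).lower() == str(expected).lower()
    if base == "StringEquals":
        return actual in _as_list(expected)
    raise NotImplementedError(f"condition operator {operator!r} is not modelled here")


def _statement_matches(stmt, action, resource, context):
    if "NotAction" in stmt or "NotResource" in stmt:
        raise NotImplementedError("NotAction/NotResource are not modelled here")
    if not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_holds(operator, key, expected, context):
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _statement_matches(stmt, action, resource, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"       # an explicit Deny ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::bucket/report.csv"
    for ctx in ({"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}, {}):
        print(ctx, "->", evaluate(EXAMPLE_POLICIES, "s3:GetObject", obj, ctx))
```

The third context in the usage block, an empty one, is the instructive case: with a plain Bool operator the Deny statement would not match a request that carries no MFA key at all, so the GetObject would be allowed; BoolIfExists closes that gap.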

Exam Strategy Tip

Remember: IAM is global (not region-specific). When questions ask about cross-account access or temporary credentials, think IAM Roles. For programmatic access, always prefer roles over access keys when possible.
