Post

AWS IAM Fundamentals: Your First Step to Cloud Security

Posted Updated
Preview Image
By Mabele Liango
9 min read
AWS IAM Fundamentals: Your First Step to Cloud Security

Hey there! If you’re diving into cloud security, AWS IAM (Identity and Access Management) is probably the first thing you need to understand. It’s like the foundation of a house - if it’s weak, everything else crumbles. But don’t worry, I’m going to explain it in a way that actually makes sense, with real-world examples you can relate to.

What is IAM, Really?

Imagine you’re running a company. You have:

  • Employees who need access to different parts of the building
  • Contractors who only need temporary access
  • Visitors who should only see the lobby
  • Security guards who need access everywhere

AWS IAM is your digital security system that does exactly this for your cloud resources. It controls:

  • WHO can access your AWS resources (users, groups, roles)
  • WHAT they can do (permissions and policies)
  • WHEN they can do it (conditions)
  • WHERE they can access from (IP restrictions)

The Building Blocks of IAM

Let me break down the core concepts with simple analogies:

Users: The People in Your System

A User is like an employee badge. Each person gets their own unique badge that identifies them.

1
2

# Creating a user is like issuing a badge
aws iam create-user --user-name security-analyst

Real-world example: Sarah is a security analyst. She needs her own AWS account to scan for compliance issues. You create a user called security-analyst for her.

Groups: Organizing by Job Function

Groups are like departments. Instead of giving permissions to each person individually, you give them to the department, and everyone in that department gets the same access.

1
2
3
4
5

# Create a group for security team
aws iam create-group --group-name SecurityTeam

# Add Sarah to the group
aws iam add-user-to-group --user-name security-analyst --group-name SecurityTeam

Real-world example: You have 5 security analysts. Instead of configuring permissions 5 times, you create a “SecurityTeam” group, give it the permissions once, and add all 5 analysts to it. When a new analyst joins? Just add them to the group - they automatically get the right permissions!

Roles: Temporary Access Badges

Roles are like visitor badges. They’re temporary and can be “assumed” by different entities when needed.

1
2
3

# Create a role that can be assumed by EC2 instances
aws iam create-role --role-name ComplianceScannerRole \
  --assume-role-policy-document file://trust-policy.json

Real-world example: Your compliance scanning tool runs on an EC2 instance. Instead of storing AWS credentials in the code (which is dangerous!), you create a role. The EC2 instance “assumes” this role and gets temporary permissions to scan your AWS resources.

Policies: The Rule Book

Policies are the actual rules that define what someone can or cannot do. Think of them as the employee handbook.

Here’s a simple policy that allows reading S3 buckets:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::my-compliance-bucket/*",
        "arn:aws:s3:::my-compliance-bucket"
      ]
    }
  ]
}

Breaking it down:

  • Effect: Allow - This permission is allowed (could also be “Deny”)
  • Action - What they can do (s3:GetObject = read files, s3:ListBucket = list files)
  • Resource - Which specific resources (in this case, one S3 bucket)

Real-world example: Your compliance tool needs to read reports from a specific S3 bucket. This policy says “You can read files from my-compliance-bucket, but nothing else.”

The Principle of Least Privilege

This is the golden rule of IAM: Give people only the permissions they absolutely need, nothing more.

Bad example:

1
2
3
4
5

{
  "Effect": "Allow",
  "Action": "*",
  "Resource": "*"
}

This is like giving someone a master key to your entire building. They can do anything, anywhere. Never do this!

Good example:

1
2
3
4
5
6
7

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject"
  ],
  "Resource": "arn:aws:s3:::reports-bucket/compliance/*"
}

This says “You can only read files from the compliance folder in the reports bucket.” Much safer!

Common IAM Patterns You’ll See

Pattern 1: Read-Only Access for Auditors

Your compliance auditor needs to check your AWS setup but shouldn’t be able to change anything:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "s3:GetObject",
        "s3:ListBucket",
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Notice all the actions start with Get, List, or Describe - these are read-only. No Create, Delete, or Modify actions.

Pattern 2: Service Role for Automation

Your Python script running on an EC2 instance needs to scan your resources:

1
2
3
4
5
6
7
8
9
10
11
12

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

This is a trust policy - it says “EC2 instances can assume this role.” Then you attach permissions to the role.

Pattern 3: Time-Based Access

Maybe you want to restrict access to business hours only:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "DateGreaterThan": {
          "aws:CurrentTime": "09:00Z"
        },
        "DateLessThan": {
          "aws:CurrentTime": "17:00Z"
        }
      }
    }
  ]
}

This says “You can access S3, but only between 9 AM and 5 PM UTC.”

Hands-On: Creating Your First IAM Setup

Let’s build a real example step-by-step. You’re setting up a compliance scanning tool:

Step 1: Create a User for the Tool

1

aws iam create-user --user-name compliance-scanner

Step 2: Create a Policy

Save this as compliance-readonly-policy.json:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyAccess",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "s3:GetObject",
        "s3:ListBucket",
        "ec2:Describe*",
        "ec2:GetConsoleOutput",
        "vpc:Describe*"
      ],
      "Resource": "*"
    }
  ]
}

Create the policy:

1
2
3

aws iam create-policy \
  --policy-name ComplianceReadOnly \
  --policy-document file://compliance-readonly-policy.json

Step 3: Attach Policy to User

1
2
3

aws iam attach-user-policy \
  --user-name compliance-scanner \
  --policy-arn arn:aws:iam::YOUR_ACCOUNT_ID:policy/ComplianceReadOnly

Step 4: Create Access Keys (for programmatic access)

1

aws iam create-access-key --user-name compliance-scanner

⚠️ Security Warning: Save these keys immediately and securely! You won’t be able to see the secret key again.

Common IAM Security Mistakes (And How to Avoid Them)

Mistake 1: Using Root Account for Everything

Don’t do this: Using your root AWS account (the one you signed up with) for daily tasks.

Why it’s bad: Root account has unlimited power. If compromised, attackers have full control.

Do this instead: Create IAM users with specific permissions.

Mistake 2: Wildcard Permissions

Don’t do this:

1
2
3
4

{
  "Action": "*",
  "Resource": "*"
}

Do this instead:

1
2
3
4
5
6
7

{
  "Action": [
    "s3:GetObject",
    "s3:ListBucket"
  ],
  "Resource": "arn:aws:s3:::specific-bucket/*"
}

Mistake 3: Storing Credentials in Code

Don’t do this:

1
2
3

# BAD!
aws_access_key = "AKIAIOSFODNN7EXAMPLE"
aws_secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

Do this instead: Use IAM roles! Your EC2 instance assumes a role automatically.

Mistake 4: Not Rotating Access Keys

Don’t do this: Using the same access keys for years.

Do this instead: Rotate keys every 90 days. AWS can help with this:

1
2
3

aws iam create-access-key --user-name compliance-scanner
# Use new key, then delete old one
aws iam delete-access-key --user-name compliance-scanner --access-key-id OLD_KEY_ID

Testing Your IAM Setup

Want to test if your permissions work? Use the AWS CLI:

1
2
3
4
5
6
7
8

# Test S3 access
aws s3 ls s3://my-bucket

# Test IAM access
aws iam list-users

# Test EC2 access
aws ec2 describe-instances

If you get “Access Denied,” check your policies. If it works, you’re good to go!

Real-World Scenario: Building Access for a Compliance Tool

Let’s say you’re building that automated compliance tool from the main tutorial. Here’s the IAM setup you’d need:

1. Create a Role for EC2

1
2
3
4
5
6
7
8
9
10
11
12

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. Attach Read-Only Policies

1
2
3
4

# Attach AWS managed policy for read-only access
aws iam attach-role-policy \
  --role-name ComplianceScannerRole \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

3. Create Instance Profile

1
2
3
4

aws iam create-instance-profile --instance-profile-name ComplianceScannerProfile
aws iam add-role-to-instance-profile \
  --instance-profile-name ComplianceScannerProfile \
  --role-name ComplianceScannerRole

Now when you launch an EC2 instance with this instance profile, it automatically has the right permissions - no keys needed!

Visual Learning: The IAM Flow

Here’s how IAM works in practice:

1
2
3

User/Service → Assumes Role → Gets Temporary Credentials → Accesses AWS Resource
     ↓              ↓                    ↓                        ↓
  "Sarah"    "ScannerRole"    "Temporary Token"        "Read S3 Bucket"

Key Takeaways

  1. Users = Individual people or services
  2. Groups = Collections of users (like departments)
  3. Roles = Temporary, assumable permissions
  4. Policies = The actual rules (what’s allowed/denied)
  5. Least Privilege = Give only what’s needed
  6. Never use root account for daily tasks
  7. Use roles, not access keys when possible

Practice Exercise

Try this yourself:

  1. Create a new IAM user called test-reader
  2. Create a policy that allows reading only from one specific S3 bucket
  3. Attach the policy to the user
  4. Test it by trying to list that bucket (should work) and another bucket (should fail)

Resources to Learn More

What’s Next?

Now that you understand IAM basics, you’re ready to:

  • Learn about AWS S3 security (our next post!)
  • Understand how EC2 security groups work
  • Build that compliance scanning tool with proper IAM setup

Remember: IAM is the foundation. Master this, and the rest of AWS security becomes much easier to understand!

💡 Pro Tip: Always test your IAM policies in a test account first. AWS provides a Policy Simulator tool that lets you test “what if” scenarios without actually making changes. It’s a lifesaver!

Ready to dive deeper? Check out our next post on AWS S3 Security Basics, where we’ll learn how to properly secure your cloud storage!

AWS, Cloud Security, Fundamentals
aws iam cloud-security identity-management access-control beginners
This post is licensed under CC BY 4.0 by the author.