IAM - Identity Access Management

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) is the foundational service for controlling who and what can access AWS resources. It manages users, groups, roles, and policies — and acts as the policy decision point for nearly every AWS API call. Modern AWS deployments treat IAM as the primary security boundary: principals are denied by default and granted access only through explicit, least-privilege policies.

Key Features:

Fine-Grained Access Control: JSON policies define allowed and denied actions on specific resources, with conditions on tags, IP ranges, MFA presence, and time of day.
Roles & STS Temporary Credentials: Roles are assumed via sts:AssumeRole, returning short-lived credentials (15 min to 12 hours) used by EC2, Lambda, ECS tasks, and federated humans.
Identity Federation: SAML 2.0, OIDC, and AWS IAM Identity Center (formerly SSO) integrate with Okta, Entra ID, Google Workspace, and GitHub OIDC for keyless CI/CD.
Multi-Factor Authentication (MFA): Virtual MFA, FIDO2 security keys, and passkeys; can be required via aws:MultiFactorAuthPresent in policy conditions.
Permissions Boundaries & SCPs: Boundaries cap the maximum permissions an identity can have; Service Control Policies (in AWS Organizations) enforce account-wide guardrails.
IAM Access Analyzer: Detects external access to resources, validates policy syntax, and generates least-privilege policies from CloudTrail history.
Audit Trail: Every IAM API call (and every authorized API call across AWS) is logged to CloudTrail for forensic review.

Common Use Cases:

Workload Identity: EC2 instance profiles, Lambda execution roles, and ECS/EKS task roles deliver short-lived credentials to compute without baking keys into images.
Cross-Account Access: A central tooling account assumes roles into prod / dev / sandbox accounts via trust policies — the standard pattern for AWS Organizations multi-account setups.
CI/CD with OIDC: GitHub Actions and GitLab assume roles via OIDC web identity federation, eliminating long-lived access keys.
Human Access via Identity Center: Engineers log in through SSO with permission sets that translate into time-bounded role sessions.
Compliance & Audit: SCPs deny risky actions org-wide (e.g., disabling CloudTrail, leaving the home region); Access Analyzer reports continuously.

Service Limits & Quotas:

Users per account: default soft limit 5,000 (raise via Service Quotas; modern accounts often have zero IAM users in favor of Identity Center).
Roles per account: default soft limit 1,000.
Managed policies per account: default soft limit 1,500 customer-managed policies.
Managed policies attached per role/user/group: 10 (raise to 20 via quota request).
Inline policy size: 2,048 chars per user, 10,240 per role, 5,120 per group.
Managed policy size: 6,144 characters (hard limit).
STS session duration: 15 minutes to 12 hours, configurable per role.
Access keys per user: 2 (hard) — designed for rotation overlap.

Pricing Model:

IAM itself is free — no charge for users, roles, policies, or API calls.
IAM Access Analyzer: external access analyzers are free; unused access analyzers and custom policy checks are charged per resource analyzed per month.
IAM Identity Center: free for AWS account access; charges apply only for application assignments to certain managed apps.
Common cost surprise: CloudTrail data events for IAM-protected resources (S3 objects, Lambda invokes) generate large log volumes and S3 storage bills, even though IAM authorization is free.

Code Example — Assume a Cross-Account Role:


import boto3

sts = boto3.client("sts")
resp = sts.assume_role(
    RoleArn="arn:aws:iam::222233334444:role/DataReader",
    RoleSessionName="analytics-job-2026-04-25",
    DurationSeconds=3600,
)
creds = resp["Credentials"]

# Use the temporary credentials in a new session
prod = boto3.Session(
    aws_access_key_id=creds["AccessKeyId"],
    aws_secret_access_key=creds["SecretAccessKey"],
    aws_session_token=creds["SessionToken"],
    region_name="us-west-2",
)

s3 = prod.client("s3")
for obj in s3.list_objects_v2(Bucket="prod-data-lake")["Contents"]:
    print(obj["Key"])

Least-Privilege Policy Skeleton:


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOneBucketPrefix",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::prod-data-lake",
        "arn:aws:s3:::prod-data-lake/reports/*"
      ],
      "Condition": {
        "Bool": {"aws:MultiFactorAuthPresent": "true"},
        "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}
      }
    }
  ]
}

Common Interview Questions:

What is the difference between an IAM user and an IAM role?

A user is a long-lived identity with static credentials (password, access keys) tied to a specific person or service. A role is an identity assumed temporarily — anyone or anything that satisfies the trust policy can assume it and receive short-lived STS credentials. Modern best practice is to minimize users and prefer roles assumed through SSO or OIDC federation.

Identity policy vs. resource policy — which wins?

Both are evaluated together. An explicit Deny in either always wins. Otherwise, an Allow in either is sufficient for same-account access. For cross-account access, both the principal's identity policy and the resource policy must allow the action.

What is a permissions boundary?

A managed policy that defines the maximum permissions an identity-based policy can grant. The effective permissions are the intersection of the identity policy and the boundary. Used to safely delegate IAM administration — a junior admin can create roles, but only within the ceiling the boundary defines.

How do you give an EC2 instance access to an S3 bucket without storing credentials?

Create an IAM role with the required S3 policy, attach it via an instance profile, and the EC2 metadata service (IMDSv2) will deliver rotating temporary credentials to the AWS SDK automatically.

What is OIDC federation and why does it matter for CI/CD?

OIDC lets external identity providers (GitHub Actions, GitLab, CircleCI) issue short-lived JWTs that AWS exchanges for STS credentials via sts:AssumeRoleWithWebIdentity. This eliminates long-lived AWS access keys stored as CI secrets — the most common source of AWS credential leaks.

What's the difference between an SCP and an IAM policy?

SCPs (Service Control Policies) are AWS Organizations guardrails that cap what any principal in a member account can do — they grant nothing on their own. IAM policies grant or deny specific permissions to specific identities. SCPs filter the menu; IAM policies make the order.

IAM is the keystone of AWS security. Treat every credential as ephemeral, prefer roles and federation over users, layer SCPs and permissions boundaries above identity policies, and continuously narrow permissions with Access Analyzer. Done right, IAM is invisible; done wrong, it is the breach.