IAM: users, roles & policies

Least privilege, roles over keys, evaluation.

Beginner30 min · lesson 2 of 15

IAM (Identity and Access Management) is the security control plane of AWS: every API call is authorized by IAM. Getting the model right — users, roles, policies, and least privilege — is the single most important security foundation for an architect.

Principals, policies, and evaluation

IAM policies grant or deny actions on resources to principals (users, roles, services). Evaluation is deny-by-default: a request is denied unless a policy explicitly allows it, and an explicit deny always overrides any allow. Prefer managed and custom policies scoped to exactly what a principal needs — the principle of least privilege — rather than broad grants. Organize human users into IAM groups so a common permission set is attached once and inherited, and always protect the root user with MFA and use it almost never, since it has unrestricted power that no policy can cap.

a least-privilege policy
# Allow read of ONE bucket's objects — nothing more.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": ["arn:aws:s3:::reports-prod", "arn:aws:s3:::reports-prod/*"]
}]
}
# Default-deny means every other action is denied automatically.

Roles: the key to secure architecture

Roles are the architect’s most important IAM tool: a role is a set of permissions assumed temporarily, delivering short-lived credentials with no long-lived keys to leak. Attach a role to an EC2 instance (an instance profile), a Lambda function, or an ECS task so it gets auto-rotated credentials from the metadata service — never store access keys on a server. Roles also enable cross-account access (assume a role in another account) and federation (SSO users assume roles). For organization-wide guardrails, Service Control Policies in AWS Organizations cap what entire accounts can do, even for their admins. The pattern throughout: identities get least-privilege roles, not standing keys.

How a workload gets AWS access
1attach a role
instance profile / task role / Lambda role
2workload assumes it
automatically, via the platform
3temporary credentials
auto-rotated, no stored keys
4scoped by policy
least privilege actions/resources
Roles deliver short-lived, scoped credentials to workloads. Never bake access keys into an AMI, container, or config.
Never store long-lived access keys on an instance
A hardcoded IAM access key on an EC2 instance or in a container image is a bearer credential that leaks with the image and never rotates. Attach an IAM role instead; the workload receives temporary, automatically-rotated credentials through the instance metadata service, with nothing to leak.