L5. AWS IAM: Users, Groups, Roles, and Policies
AWS Identity and Access Management (IAM) controls who can do what in your AWS account. The Cloud Practitioner exam tests IAM users, groups, roles, policies, and the principle of least privilege.
What Is AWS IAM?
AWS Identity and Access Management (IAM) is a global service (not tied to a single region) that handles authentication (proving who you are) and authorization (deciding what you can do) in AWS. IAM itself has no charge; you pay only for the AWS resources that your identities use.
IAM Components
- IAM Users: individual identities for people or applications that need access to AWS. Each user has a username, a password (for console sign-in) and, optionally, access keys (for the API/CLI).
- IAM Groups: collections of IAM users. Permissions assigned to a group apply to all of its members, which makes managing permissions at scale easier.
- IAM Roles: identities that AWS services, users or applications assume. A role has no long-term password or access key; assuming it yields temporary, automatically expiring credentials. Roles are the recommended way to grant permissions to AWS services.
- IAM Policies: JSON documents that define which actions are allowed or denied. Policies are attached to users, groups or roles.
Policy Structure
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
Key policy elements: Effect (Allow or Deny), Action (the API operation, such as s3:GetObject), Resource (the ARN the statement applies to). A statement may also carry an optional Condition that restricts when it applies.
IAM Best Practices
- Never use the root account for everyday tasks; create IAM users (or federated identities) for people
- Enable MFA on the root account and on every privileged user
- Grant least privilege: give only the minimum permissions needed for the task, scoped to specific resources rather than "*"
- Use roles for applications on EC2, Lambda and other services, instead of long-term access keys embedded in code or configuration
- Rotate long-term credentials (passwords and access keys) regularly and remove any that are unused
- Use IAM Access Analyzer to identify resources shared with external principals and permissions that are granted but never used
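A role has two policies: a permissions policy (like the S3 example above) saying what the role may do, and a trust policy saying who may assume it. For an EC2 instance the trust policy names the service principal ec2.amazonaws.com, and the instance receives temporary credentials for the role through its instance profile. The following is an added example, not code from the original page: it embeds two constructed trust policies (EC2_TRUST_POLICY and OPEN_TRUST_POLICY, both hypothetical) and runs the check a reviewer would want, flagging any Allow statement whose principal is a wildcard with no Condition, since such a role can be assumed from any AWS account.

```python
import json

# Constructed trust policies for this example (not from the original page).
# EC2_TRUST_POLICY is the shape AWS generates for an EC2 instance role;
# OPEN_TRUST_POLICY trusts every AWS principal, a common misconfiguration.
EC2_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

OPEN_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"AWS": "*"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")


def _as_list(value):
    """Statement and Principal values may be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element into (type, value) pairs.
    The bare string "*" is shorthand for {"AWS": "*"}: anyone."""
    principal = statement.get("Principal")
    if principal == "*":
        return [("AWS", "*")]
    pairs = []
    for ptype, values in (principal or {}).items():
        for value in _as_list(values):
            pairs.append((ptype, value))
    return pairs


def trusted_services(policy):
    """Return the set of AWS service principals allowed to assume the role."""
    services = set()
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        for ptype, value in _principals(statement):
            if ptype == "Service":
                services.add(value)
    return services


def trust_policy_findings(policy):
    """Flag Allow statements whose principal is a wildcard with no Condition:
    such a role can be assumed from any AWS account, not just yours."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        for ptype, value in _principals(statement):
            if value == "*" and "Condition" not in statement:
                findings.append(
                    f"statement {index}: Principal {ptype}=* with no Condition; "
                    "any AWS account can assume this role"
                )
    return findings


if __name__ == "__main__":
    for name, policy in (("ec2", EC2_TRUST_POLICY), ("open", OPEN_TRUST_POLICY)):
        print(name, "trusts services:", sorted(trusted_services(policy)))
        for finding in trust_policy_findings(policy) or ["no findings"]:
            print("  ", finding)
```

The check deliberately tolerates a wildcard principal that is paired with a Condition (for example a condition on the external ID or source account), because that is how cross-account access is normally scoped; a wildcard with no Condition at all is the case worth stopping on.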
IAM Policy Evaluation Logic
Every request starts from a default deny. AWS then evaluates all policies that apply to the request together, and the outcome is decided in this order:
- Explicit Deny: if any applicable policy contains a Deny statement matching the action and resource, the request is denied, regardless of any Allow
- Explicit Allow: otherwise, if any applicable policy contains a matching Allow statement, the request is allowed
- Implicit Deny: if no statement matches at all, the request is denied by default
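The following is an added example, not code from the original page: a small evaluator that applies exactly this order to two constructed policies (GROUP_POLICY, an Allow policy like the one shown under Policy Structure, and GUARDRAIL_POLICY, which denies every s3:Delete* action). It models the Action and Resource elements including IAM's wildcards; Condition, NotAction and NotResource are left out, as noted in the comments. Policy and function names are assumptions for this example.

```python
import json
import re

# Constructed sample policies for this example (not from the original page).
# GROUP_POLICY: an identity-based policy like the one shown above, attached to a group.
# GUARDRAIL_POLICY: a second policy that explicitly denies every s3:Delete* action.
GROUP_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
""")

GUARDRAIL_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:Delete*",
      "Resource": "*"
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and Statement may each be a single string/object or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    """IAM-style wildcard match: '*' is any run of characters, '?' one character.
    Action names are case-insensitive; ARNs are compared as written."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _statement_applies(statement, action, resource):
    """A statement applies when the request's action AND resource both match it.
    Simplification: Condition, NotAction and NotResource are not modelled here."""
    action_hit = any(_glob_match(p, action, True) for p in _as_list(statement.get("Action")))
    resource_hit = any(_glob_match(p, resource, False) for p in _as_list(statement.get("Resource")))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Return 'explicit deny', 'allow' or 'implicit deny' for one request.

    Mirrors the order in the text: any matching Deny wins outright, then any
    matching Allow, and with no match at all the default (implicit) deny applies.
    """
    saw_allow = False
    for policy in policies:
        for statement in _as_list(policy.get("Statement")):
            if not _statement_applies(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return "explicit deny"
            if statement.get("Effect") == "Allow":
                saw_allow = True
    return "allow" if saw_allow else "implicit deny"


if __name__ == "__main__":
    policies = [GROUP_POLICY, GUARDRAIL_POLICY]
    obj = "arn:aws:s3:::my-bucket/report.csv"
    for action in ("s3:GetObject", "s3:DeleteObject", "s3:ListBucket"):
        print(f"{action:16} -> {evaluate(policies, action, obj)}")
```

Running it shows the three outcomes side by side: s3:GetObject on the object is allowed, s3:DeleteObject is explicitly denied even though GROUP_POLICY allows it, and s3:ListBucket is implicitly denied because nothing mentions it. Note that the resource pattern "arn:aws:s3:::my-bucket/*" matches objects only; a request against the bucket ARN itself does not match it.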
Root Account vs. IAM Users
| Feature | Root Account | IAM User |
|---|---|---|
| Created when | Account sign-up | By administrator |
| Has full access | Always | Only if granted |
| Can be restricted | No | Yes (via policies) |
| Recommended use | Account management only | Day-to-day operations |
- ✓IAM Users have long-term credentials; IAM Roles use temporary credentials and are preferred for services
- ✓IAM Groups contain users; permissions assigned to a group apply to all members
- ✓Policies are JSON documents defining Allow or Deny for specific Actions on specific Resources
- ✓Explicit Deny always overrides Allow; no explicit Allow = implicit Deny
- ✓Never use the root account for daily tasks; enable MFA on root and privileged accounts
1. An EC2 instance needs to read objects from an S3 bucket. What is the AWS-recommended way to grant this permission?
2. A user is explicitly allowed to perform an action by one policy, but another policy explicitly denies the same action. What happens when the user attempts the action?