Cyber Intelligence
Security and Compliance · 30% of exam

L5. AWS IAM: Users, Groups, Roles, and Policies


AWS Identity and Access Management (IAM) controls who can do what in your AWS account. The Cloud Practitioner exam tests IAM users, groups, roles, policies, and the principle of least privilege.

What Is AWS IAM?

AWS Identity and Access Management (IAM) is a global service: its users, groups, roles, and policies are not tied to any Region. It handles authentication (proving who you are) and authorization (deciding what you are allowed to do) for calls to AWS APIs. There is no charge for IAM itself.

IAM Components

IAM Users: individual identities for people or applications that need access to AWS. A user has a username plus one or both kinds of long-term credentials: a password (for the console) and access keys (for the API/CLI).

IAM Groups: collections of IAM users. Permissions assigned to a group apply to every member, which makes managing permissions at scale easier. Groups cannot be nested and cannot be the principal in a request; they only carry policies to their members.

IAM Roles: identities that can be assumed by AWS services, IAM users, or applications (including identities from another account or an external identity provider). A role has no long-term password or access keys; assuming it yields temporary credentials that expire. Roles are the recommended way to grant permissions to AWS services such as EC2 and Lambda.

IAM Policies: JSON documents that define which actions are allowed or denied on which resources. Identity-based policies are attached to users, groups, or roles.

Policy Structure

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

Key policy elements: Version (use "2012-10-17", the current policy language version), Effect (Allow or Deny), Action (the API operations the statement covers; wildcards such as s3:Get* are permitted), Resource (the ARN or ARN pattern the statement applies to), and the optional Condition (extra requirements such as a source IP range or the presence of MFA). Resource-based policies, such as S3 bucket policies, also carry a Principal element naming who the statement applies to; identity-based policies attached to users, groups, or roles do not need one because the attachment supplies the principal.

IAM Best Practices

  1. Never use the root account for everyday tasks; create IAM users
  2. Enable MFA on the root account and privileged users
  3. Grant least privilege: give only the minimum permissions needed
  4. Use roles for applications on EC2, Lambda, and other services (not access keys)
  5. Rotate credentials regularly
  6. Use IAM Access Analyzer to identify external access and unused permissions
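As an added illustration of the least-privilege practice above (this is example code written for this lesson, not an AWS tool or any part of Access Analyzer), the script below reads a policy document and flags the Allow statements a reviewer would question first: a bare "*" action, a service-wide "service:*" wildcard, Resource "*" on actions that can be scoped to an ARN, an Allow that uses NotAction, and iam:PassRole with no Condition. The sample policies and the RESOURCE_STAR_ONLY shortlist are constructed for the example; the bucket name is made up.

```python
"""Least-privilege review of an IAM policy document.

Added example for this lesson, not an AWS tool. It flags the patterns a
reviewer looks for first when a policy is wider than its job needs. Sample
policies below are constructed for the example; the bucket name is made up.
"""
import json

# Some actions can only be granted on Resource "*" because they have no ARN
# to scope to. Constructed shortlist for the example; the complete list is in
# each service's action table in the AWS documentation.
RESOURCE_STAR_ONLY = {"s3:listallmybuckets", "ec2:describeinstances", "iam:listroles"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_overly_broad(policy):
    """Return (statement_index, reason) for each Allow statement that grants
    more than least privilege calls for. Deny statements are skipped because
    they can only narrow access."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))

        if "NotAction" in stmt:
            findings.append((i, "Allow with NotAction grants every action except those listed"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API operation in every service"))
        else:
            for a in actions:
                if a.endswith(":*"):
                    findings.append((i, f"{a} grants every {a.split(':')[0]} operation"))
        if "*" in resources and not all(a in RESOURCE_STAR_ONLY for a in actions):
            findings.append((i, "Resource '*' applies the grant to every resource in the account"))
        if "iam:passrole" in actions and "Condition" not in stmt:
            findings.append((i, "iam:PassRole without a Condition can hand any role to a service"))
    return findings


# The lesson's policy: two actions on one bucket prefix, nothing to flag.
LESSON_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}""")

# Constructed counterexample: full administrative access.
ADMIN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
}""")

# Constructed: a list-only grant that legitimately needs Resource "*".
LIST_BUCKETS_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*"}]
}""")

if __name__ == "__main__":
    for name, doc in [("lesson", LESSON_POLICY), ("admin", ADMIN_POLICY),
                      ("list-buckets", LIST_BUCKETS_POLICY)]:
        print(name, find_overly_broad(doc) or "no findings")
```

Findings are prompts for review, not verdicts: Resource "*" is correct for actions that have no ARN (hence the shortlist), and a "service:*" wildcard may be acceptable for a break-glass role. Run it over a policy before attaching it; a clean result means the policy is at least not obviously broader than the task.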

IAM Policy Evaluation Logic

When several policies apply to a request (for example, one attached to the user and another attached to a group the user belongs to), AWS combines them as follows:

  1. Explicit Deny: if any applicable policy denies the action, it is denied, regardless of any Allow
  2. Explicit Allow: if any applicable policy allows the action (and none denies it), it is allowed
  3. Implicit Deny: if no policy explicitly allows the action, it is denied (the default)

These rules cover identity-based policies in a single account, which is what the exam tests. Service control policies, permissions boundaries, and resource-based policies add further checks, but an explicit Deny in any of them still takes precedence.
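The three rules as working code, added for this lesson (it is an illustration, not AWS's evaluation engine): given every identity-based policy attached to a principal, the evaluator matches the request's action and resource against each statement with IAM-style wildcards, stops at the first Deny, remembers any Allow, and falls back to implicit deny. The policies, bucket, and prefix names are constructed for the example; Condition, NotAction/NotResource, resource-based policies, permissions boundaries, and SCPs are deliberately not modelled.

```python
"""Simulate IAM evaluation of identity-based policies for one request.

Added example for this lesson, not AWS's evaluation engine. It implements
the three rules above for the policies attached to a principal (its own plus
its groups') in a single account, with IAM-style wildcards in Action and
Resource. It does not model Condition, NotAction/NotResource, resource-based
policies, permissions boundaries, SCPs, or session policies. The policies
below are constructed; bucket and prefix names are made up.
"""
import fnmatch
import json


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns, casefold):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive in IAM; ARNs are compared as written."""
    if casefold:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Return 'explicit_deny', 'allow', or 'implicit_deny' for the request."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if not _matches(action, _as_list(stmt.get("Action", [])), casefold=True):
                continue
            if not _matches(resource, _as_list(stmt.get("Resource", [])), casefold=False):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit_deny"  # rule 1: one Deny settles it, whatever else allows
            allowed = True              # rule 2: note the Allow, but keep scanning for a Deny
    return "allow" if allowed else "implicit_deny"  # rule 3: nothing allowed it


# The lesson's policy, attached directly to the user.
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::my-bucket/*"
  }]
}""")

# Constructed group policy: lets members list the bucket but forbids writes
# under the finance/ prefix for everyone in the group.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:List*", "Resource": "arn:aws:s3:::my-bucket"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-bucket/finance/*"}
  ]
}""")

# Everything that applies to the principal: its own policies plus its groups'.
PRINCIPAL_POLICIES = [USER_POLICY, GROUP_POLICY]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::my-bucket/finance/q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/finance/q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::my-bucket/reports/a.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::my-bucket/reports/a.csv"),
        ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
    ]:
        print(f"{action:16} {resource:45} -> {evaluate(PRINCIPAL_POLICIES, action, resource)}")
```

Two points the run makes concrete: the order in which policies are attached does not matter, because a Deny ends evaluation whenever it is met, and "no matching statement" is treated exactly like a Deny in outcome even though no policy said Deny (this is what the exam calls implicit deny).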

Root Account vs. IAM Users

Feature             Root Account                 IAM User
Created when        Account sign-up              By an administrator
Has full access     Always                       Only if granted
Can be restricted   No (IAM policies do not      Yes (via policies)
                    apply to root)
Recommended use     Account management only      Day-to-day operations

Exam tip: Explicit Deny always wins. IAM roles use temporary credentials and are preferred over long-term access keys for applications. MFA should always be enabled on the root account.

Exam Focus Points

  • IAM Users have long-term credentials; IAM Roles use temporary credentials and are preferred for services
  • IAM Groups contain users; permissions assigned to a group apply to all members
  • Policies are JSON documents defining Allow or Deny for specific Actions on specific Resources
  • Explicit Deny always overrides Allow; no explicit Allow = implicit Deny
  • Never use the root account for daily tasks; enable MFA on root and privileged accounts

Knowledge Check

1. An EC2 instance needs to read objects from an S3 bucket. What is the AWS-recommended way to grant this permission?

2. A user is explicitly allowed to perform an action by one policy, but another policy explicitly denies the same action. What happens when the user attempts the action?
