AWS Identity and Access Management (IAM) provides access control for AWS users/applications to the various AWS services and resources.


  • Available only in the Global region
  • Globally resiliant service
  • Always free service

Account Types

There are a number of account types that can be configured in an AWS environment.

  • Root - The email address used to sign up for the AWS account. Full administrative access.
  • User - A single physical person.
  • Group - Collection of users based on job function (admin, developer, etc).
  • Role - Control access between AWS services (EG: EC2 -> S3).

Credential Types

Credentials are used to secure access to AWS user accounts.

  • Username/Password - The default login credentials for users.
  • MFA - Multi-Factor Auth adds an additional authenticaiton mechanism to Username/Password logins.
  • Access Key ID/Secret access key - Allows programatic access to AWS resources and services.

Policy Documents

  • IAM policy documents define access permissions and can be assigned to users, groups and roles.
  • Policy documents are written in JSON format. An example AWS built-in document PowerUserAccess is below.
"Version": "2012-10-17",
"Statement": [
        "Effect": "Allow",
        "NotAction": [
        "Resource": "*"
        "Effect": "Allow",
        "Action": [
        "Resource": "*"


  • By default, new users have no permissions when created.
  • There is a limit of 5000 IAM users per/account.
  • IAM users can be a member of 10 groups maximum.

Best Practices

  • Secure the root account with Multi-Factor Authentication (MFA).
  • Do not use the root account for day to day management.
  • Folow the principle of least privilege when assigning permissions.
  • Create user groups with appropriate permissions and assign users to the appropriate group(s).
  • Assign IAM policy documents to groups and/or roles. Do not assign them to users.
  • Setup a password rotation policy.
# aws
# iam
# cloud