Security and IAM
Control identity and access using IAM users, roles, and policies with least privilege and practical governance patterns.
What Is It? (ELI5)
IAM is a permission system. It decides who can do what on which AWS resource.
Why Do We Need It?
- Prevent unauthorized changes and data exposure.
- Enable secure automation with role-based access.
- Meet audit and compliance requirements.
How It Works (Technical)
- User: Human identity, often with MFA.
- Role: Temporary credentials for services/workloads.
- Policy: JSON rules for allow/deny actions.
- Best practice: Prefer roles and federation over long-lived access keys.
| AWS IAM | Azure Equivalent |
|---|---|
| IAM User | Entra user |
| IAM Role | Managed Identity / App Registration role assignment |
| IAM Policy | Azure RBAC role definition + conditions |
Hands-on
```bash
# List IAM users
aws iam list-users --query "Users[].UserName" --output table

# Simulate policy permission (quote the ARN so the shell does not expand the '*')
aws iam simulate-principal-policy \
  --policy-source-arn arn:aws:iam::123456789012:user/dev-user \
  --action-names s3:PutObject \
  --resource-arns "arn:aws:s3:::my-bucket/*"
```
Debugging Scenario
Problem
Deployment pipeline fails with AccessDenied for S3 and CloudFormation.
- Review execution role policy scope and explicit denies.
- Check trust policy allows CI/CD service to assume role.
- Check for a region or account mismatch in the resource ARN.
Interview Questions
Beginner: Why use IAM roles instead of sharing access keys?
Roles provide temporary credentials and reduce secret sprawl.
Intermediate: What is least privilege?
Grant only required actions on required resources for required duration.
Scenario: An EC2 app needs S3 read access only. How do you secure it?
Attach an instance role with read-only S3 policy scoped to a specific bucket path.
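The simulate-principal-policy call in Hands-on, the AccessDenied checklist, and the scoped read-only instance-role answer above all rest on one evaluation rule: a matching explicit Deny wins, otherwise a matching Allow grants, otherwise the request is implicitly denied. The following is an added example (not AWS code and not from this page) that implements that rule over a constructed policy; READ_ONLY_S3_POLICY, evaluate and why_denied are illustrative names, and conditions, resource policies, SCPs and permission boundaries are left out.

```python
import fnmatch

# Constructed example policy (not copied from any real account): an instance
# role that can read one bucket prefix and is explicitly denied object writes.
READ_ONLY_S3_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/app-data/*"]},
        {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, candidate):
    # '*' and '?' are wildcards in Action and Resource; actions compare case-insensitively.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)

def _action_matches(stmt, action):
    return _matches([a.lower() for a in _as_list(stmt["Action"])], action.lower())

def evaluate(policy, action, resource):
    """Simplified identity-policy evaluation: explicit Deny beats Allow, and a
    request no Allow covers is an implicit deny. Conditions, resource policies,
    SCPs and permission boundaries are deliberately out of scope."""
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        if _action_matches(stmt, action) and _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return "explicitDeny"
            decision = "allowed"
    return decision

def why_denied(policy, action, resource):
    """Walk the AccessDenied checklist in order: explicit deny, then no Allow
    for the action at all, then an Allow whose Resource ARN does not match."""
    result = evaluate(policy, action, resource)
    if result == "allowed":
        return "allowed"
    if result == "explicitDeny":
        return "explicit Deny statement matches action and resource"
    if not any(s["Effect"] == "Allow" and _action_matches(s, action)
               for s in policy["Statement"]):
        return "no Allow statement covers this action"
    return "Allow covers the action but its Resource ARN does not match the request"
```

Run why_denied against the execution role's policy with the failing action and ARN to see which of the three checks is the one to fix first.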
Real-world Usage
Enterprises integrate IdP federation for workforce users and use short-lived assumed roles for production operations.
Summary
- IAM is foundational to AWS security.
- Use roles, MFA, and scoped policies by default.
- AccessDenied debugging usually starts with policy + trust + ARN scope checks.