IAM quick notes for AWS Solution Architect Certification


1. IAM is used to securely control individual and group access to AWS resources

2. IAM can be used to manage:

  • Users
  • Groups
  • Access policies
  • Roles
  • User credentials
  • User password policies
  • Multi-factor authentication (MFA)
  • API keys for programmatic access (CLI)

3. By default, new users are created with NO access to any AWS services

4. IAM is universal (global) and does not apply to regions

5. IAM is eventually consistent

Authentication methods:

  • Console password — used to log in to the AWS Management Console
  • Access keys — used for programmatic access
  • Server certificates — use SSL/TLS certificates

IAM Users

  • An IAM user is an entity that represents a person or service.
  • Root user credentials are the email address used to create the account and a password.
  • The root account has full administrative permissions, and these cannot be restricted.
  • You can have up to 5000 users per AWS account

IAM Groups

  • Groups are collections of users and have policies attached to them
  • A group is not an identity and cannot be identified as a principal in an IAM policy
  • You cannot nest groups (groups within groups)

IAM Roles

  • Roles are created and then “assumed” by trusted entities
  • With IAM Roles you can delegate permissions to resources for users and services
  • IAM users or AWS services can assume a role to obtain temporary security credentials
  • Temporary security credentials are issued by the AWS Security Token Service (STS)

IAM Policies

  • Policies are documents that define permissions and can be applied to users, groups, and roles
  • Policy documents are written in JSON
  • All permissions are implicitly denied by default
  • The most restrictive policy is applied

Types of IAM Policy

  1. Identity-based policies — attached to users, groups, or roles
  2. Resource-based policies — attached to a resource; define permissions for a principal accessing the resource
  3. IAM permissions boundaries — set the maximum permissions an identity-based policy can grant an IAM entity
  4. AWS Organizations service control policies (SCP) — specify the maximum permissions for an organization or OU (organizational unit)
  5. Session policies — used with AssumeRole* API actions
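The notes above on IAM Policies ("implicitly denied by default", "most restrictive policy is applied") and on the policy types can be made concrete with a small evaluator. The following is an added example, not code from the article or from AWS: it models how the net effect of an identity-based policy, a permissions boundary and an SCP is computed for one action. The three policy documents are constructed samples, and the model deliberately ignores Resource and Condition matching.

```python
import fnmatch

# Constructed sample policy documents (not from the article). The model below
# follows the evaluation rules the notes describe: everything is implicitly
# denied, an explicit Deny anywhere wins, and an Allow must come from the
# identity-based policy AND the permissions boundary AND the SCP when present.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
    ],
}
PERMISSIONS_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:List*", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}
SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:ListAllMyBuckets", "Resource": "*"},
    ],
}


def _as_list(value):
    # "Action" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def policy_effect(policy, action):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy.
    Action names are matched case-insensitively with * wildcards; Resource
    and Condition elements are not evaluated in this simplified model."""
    result = None
    for stmt in policy.get("Statement", []):
        patterns = _as_list(stmt.get("Action", []))
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return "Deny"        # an explicit Deny always wins
            result = "Allow"
    return result


def evaluate(action, identity, boundary=None, scp=None):
    """Net effect for a single action in the same account."""
    effects = [policy_effect(identity, action)]
    if boundary is not None:
        effects.append(policy_effect(boundary, action))
    if scp is not None:
        effects.append(policy_effect(scp, action))
    if "Deny" in effects:
        return "Deny"
    # No explicit Deny: every applicable policy must Allow, else implicit Deny.
    return "Allow" if all(e == "Allow" for e in effects) else "Deny"
```

Trying `evaluate("s3:DeleteBucket", IDENTITY_POLICY, PERMISSIONS_BOUNDARY)` shows that the boundary's Allow cannot override the identity policy's explicit Deny, while `evaluate("s3:PutObject", IDENTITY_POLICY, PERMISSIONS_BOUNDARY)` is denied only because the boundary never allows it.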

IAM Best Practices

  • Lock away your AWS account root user access keys
  • Create individual IAM users
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Get started using permissions with AWS-managed policies
  • Use customer-managed policies instead of inline policies
  • Use access levels to review IAM permissions
  • Configure a strong password policy for your users
  • Enable MFA
  • Use roles for applications that run on Amazon EC2 instances
  • Use roles to delegate permissions
  • Do not share access keys
  • Rotate credentials regularly
  • Remove unnecessary credentials
  • Use policy conditions for extra security
  • Monitor activity in your AWS account


Domain: 3. Design Secure Applications and Architectures

Subdomain: 1. Design secure access to AWS resources

Possible number of questions: 4 (approx.)

Question patterns:

  • Determine when to choose between users, groups, and roles.
  • Interpret the net effect of a given access policy.
  • Select appropriate techniques to secure a root account.
  • Determine ways to secure credentials using features of AWS IAM.
  • Determine the secure method for an application to access AWS APIs.

Writer: Mounick


