Core Concepts
- IAM is global — not region-specific.
- The root user should never be used for daily tasks. Enable MFA on it immediately and do not create access keys for it.
- Users, Groups, Roles, and Policies are the four building blocks.
- Policies are JSON documents whose statements define permissions through Effect, Action, Resource and, optionally, Condition.
- By default every request is implicitly denied; an explicit Allow in an applicable policy is required to grant access.
Policies
- Identity-based policies are attached to users, groups, or roles.
- Resource-based policies are attached to resources (e.g., S3 bucket policy).
- AWS managed policies cover common use cases; customer managed policies are written and maintained by you for custom needs.
- Inline policies are embedded in a single user, group or role (a strict 1:1 relationship) and are deleted along with it.
- Explicit Deny always overrides any Allow.
- Policy evaluation: start from implicit deny → evaluate every applicable policy (identity-based, resource-based, SCPs, permissions boundaries, session policies) → any explicit Deny wins → otherwise an explicit Allow is required → otherwise the request is implicitly denied.
Roles
- Roles are assumed temporarily using STS (Security Token Service).
- EC2 instance profiles attach IAM roles to instances.
- Cross-account access: create the role in the target account with a trust policy naming the source-account principal; that source principal also needs an identity-based policy allowing sts:AssumeRole on the role ARN.
- Service-linked roles are predefined by AWS services.
- Maximum session duration is configured per role, from 1 hour (default) up to 12 hours; a session obtained through role chaining is capped at 1 hour regardless of that setting.
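The evaluation rules from the Policies section and the two-sided check behind cross-account role assumption in the Roles section are easiest to see in code. The following Python is an added example, not part of the original notes or of AWS: the account IDs, user name, role name and bucket name are made up, and the toy evaluator deliberately models only Effect, Action, Resource and Principal matching (no Condition, NotAction, SCPs or permissions boundaries).

```python
"""Toy IAM policy evaluator: implicit deny by default, explicit Deny wins.

Constructed illustration, not AWS code. It handles Effect/Action/Resource/
Principal with IAM-style wildcards and ignores Condition, NotAction,
NotResource, SCPs, permissions boundaries and session policies.
"""
import fnmatch
import json


def _as_list(value):
    # IAM allows a single string or a list in most policy fields.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # '*' and '?' are the only IAM wildcards; action names are case-insensitive,
    # resource ARNs are not.
    if case_insensitive:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(statement, principal_arn):
    # Identity-based statements carry no Principal and apply to the attached identity.
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    account = principal_arn.split(":")[4]
    for p in aws:
        if p == "*" or p == principal_arn:
            return True
        # "arn:aws:iam::<account>:root" delegates trust to that whole account.
        if p == f"arn:aws:iam::{account}:root":
            return True
    return False


def evaluate(policies, action, resource, principal_arn=None):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request."""
    decision = "implicit_deny"  # nothing is allowed until a statement says so
    for policy in policies:
        for st in _as_list(policy.get("Statement")):
            if not _matches(st.get("Action"), action, case_insensitive=True):
                continue
            if not _matches(st.get("Resource", "*"), resource):
                continue
            if principal_arn is not None and not _principal_matches(st, principal_arn):
                continue
            if st.get("Effect") == "Deny":
                return "explicit_deny"  # an explicit Deny beats every Allow
            decision = "allow"
    return decision


def can_assume_role(caller_identity_policies, caller_arn, role_trust_policy, role_arn):
    """Cross-account AssumeRole needs both sides: the caller's identity-based
    policy must allow sts:AssumeRole on the role ARN, and the role's trust
    policy (resource-based) must name the caller."""
    caller_side = evaluate(caller_identity_policies, "sts:AssumeRole", role_arn)
    role_side = evaluate([role_trust_policy], "sts:AssumeRole", role_arn,
                         principal_arn=caller_arn)
    return caller_side == "allow" and role_side == "allow"


def session_duration_ok(role_max_session_seconds, requested_seconds, role_chaining=False):
    """DurationSeconds must lie between 900s and the role's MaxSessionDuration
    (itself 1h..12h); a role-chained session is capped at 1 hour."""
    if not 3600 <= role_max_session_seconds <= 43200:
        return False
    upper = min(role_max_session_seconds, 3600) if role_chaining else role_max_session_seconds
    return 900 <= requested_seconds <= upper


# Constructed sample policies; account IDs and names are illustrative.
DEV_POLICY = {  # identity-based policy attached to user "dev" in account 111122223333
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::999988887777:role/ReadOnlyAuditor"},
    ],
}
AUDITOR_TRUST_POLICY = {  # trust policy on the role in account 999988887777
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/dev"},
        "Action": "sts:AssumeRole",
    }],
}


def demo():
    dev = "arn:aws:iam::111122223333:user/dev"
    intern = "arn:aws:iam::111122223333:user/intern"
    role = "arn:aws:iam::999988887777:role/ReadOnlyAuditor"
    obj = "arn:aws:s3:::example-bucket/a.txt"
    return {
        "get": evaluate([DEV_POLICY], "s3:GetObject", obj),            # allow
        "delete": evaluate([DEV_POLICY], "s3:DeleteObject", obj),      # explicit_deny
        "list": evaluate([DEV_POLICY], "s3:ListBucket",                # implicit_deny:
                         "arn:aws:s3:::example-bucket"),               # bucket ARN != object ARN
        "assume": can_assume_role([DEV_POLICY], dev, AUDITOR_TRUST_POLICY, role),     # True
        "assume_other": can_assume_role([DEV_POLICY], intern, AUDITOR_TRUST_POLICY, role),  # False
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The "list" case is the classic least-privilege surprise: `s3:*` on `example-bucket/*` covers object ARNs only, so listing the bucket itself is still implicitly denied and needs its own statement on the bucket ARN. The "assume_other" case shows why a trust policy alone is not a back door: the role trusts one specific user, so another principal in the same source account is refused even though its identity policy would allow the call.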
Security Best Practices
- Enable MFA on root and all IAM users.
- Use IAM Access Analyzer to find resources shared outside your account or organization and to identify unused roles, access keys and permissions.
- Rotate access keys regularly; prefer roles over long-term keys.
- Use AWS Organizations SCPs for account-level guardrails.
- Apply the principle of least privilege: start with the minimum permissions and add more only when a workload demonstrably needs them.