Skip to content

AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) Overview

  • Definition: AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. It provides fine-grained control over who can do what, using identities, policies, and roles.
  • Key Features:
    • Manages users, groups, roles, and policies for access control.
    • Supports identity federation, multi-factor authentication (MFA), and attribute-based access control (ABAC).
    • Integrates with AWS services (e.g., EC2, S3, Lambda) and external identity providers (e.g., Active Directory, SAML, OIDC).
    • Offers monitoring via CloudTrail and IAM Access Analyzer for security insights.
  • Use Cases: Secure application access, manage hybrid cloud permissions, enforce least privilege, comply with regulations, automate access for serverless apps.
  • Key Updates (2024–2025):
    • Enhanced ABAC: Simplified tag-based policies with new conditions (October 2024).
    • IAM Access Analyzer Improvements: Cross-account trust analysis and unused permission detection (March 2024).
    • MFA Enhancements: Passwordless MFA with passkeys (January 2025).
    • FIPS 140-2 Compliance: Enhanced for IAM in AWS GovCloud (October 2024).

1. IAM Core Concepts

Components

  • IAM User:
    • An identity representing a person or application with AWS credentials (access key, password).
    • Best for long-term access (e.g., admin, developer).
    • Explanation: E.g., IAM user “alice” with console access to S3.
  • IAM Group:
    • A collection of IAM users for easier policy management.
    • Policies applied to groups affect all members.
    • Explanation: E.g., “Developers” group with EC2 read permissions.
  • IAM Role:
    • An identity with temporary credentials for AWS services, applications, or federated users.
    • Assumed via STS (Security Token Service) for short-term access.
    • Explanation: E.g., EC2 role for S3 access, Lambda execution role.
  • IAM Policy:
    • JSON document defining permissions (allow/deny) for actions, resources, and conditions.
    • Types:
      • Managed Policies: AWS-managed or customer-managed, reusable.
      • Inline Policies: Embedded in user/group/role, non-reusable.
    • Explanation: E.g., policy allows s3:GetObject on my-bucket.
  • Access Key:
    • Programmatic credentials (access key ID, secret access key) for CLI/API access.
    • Explanation: E.g., access key for CI/CD pipeline to S3.
  • MFA:
    • Adds a second authentication factor (e.g., virtual MFA, hardware, passkeys).
    • Required for sensitive actions (e.g., root user, IAM changes).
    • Explanation: E.g., virtual MFA on admin user.

Key Concepts

  • Principle of Least Privilege:
    • Grant only the permissions needed to perform a task.
    • Explanation: E.g., Lambda role with dynamodb:GetItem only.
  • Policy Evaluation:
    • AWS evaluates all applicable policies (identity-based, resource-based, SCPs) to determine access.
    • Deny overrides Allow; explicit Allow required.
    • Explanation: E.g., deny in SCP blocks S3 access despite role Allow.
  • Identity Federation:
    • Allows external identities (e.g., AD, Google) to access AWS via SAML, OIDC, or Web Identity.
    • Explanation: E.g., SAML federation with Active Directory for SSO.
  • Attribute-Based Access Control (ABAC):
    • Uses tags to control access dynamically (e.g., Project:Finance).
    • Enhanced conditions for tags (new 2024).
    • Explanation: E.g., allow S3 access if ResourceTag/Environment=Prod.
  • Security Token Service (STS):
    • Issues temporary credentials for roles or federated users.
    • Supports AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity.
    • Explanation: E.g., EC2 assumes role for temporary S3 access.

Key Notes:

  • Exam Relevance: Understand users, groups, roles, policies, MFA, and ABAC.
  • Mastery Tip: Compare IAM roles vs. users vs. resource-based policies for access control.

2. IAM Performance Features

IAM optimizes secure access management.

Low Latency

  • Purpose: Fast permission evaluation.
  • Features:
    • Policies cached globally for quick access checks.
    • ABAC reduces policy complexity with tag-based rules (new 2024).
  • Explanation: E.g., ABAC policy evaluates Environment=Prod in milliseconds.
  • Exam Tip: Use ABAC for dynamic, low-latency access.

High Throughput

  • Purpose: Handle high request volumes.
  • Features:
    • Scales to millions of API calls (e.g., S3 access checks).
    • Managed policies reusable across thousands of identities.
  • Explanation: E.g., Lambda role handles 10,000 S3 requests/second.
  • Exam Tip: Highlight scalability for enterprise apps.

Scalability

  • Purpose: Support growing organizations.
  • Features:
    • Supports thousands of users, roles, and policies per account.
    • Federation scales for external identities (e.g., 10,000 AD users).
  • Explanation: E.g., federate 5,000 employees via SAML for AWS access.
  • Exam Tip: Use roles and federation for large-scale access.

Key Notes:

  • Performance: Cached policies + ABAC + scalability = efficient access control.
  • Exam Tip: Emphasize IAM for high-throughput, scalable security.

3. IAM Resilience Features

Resilience ensures reliable access control.

Global Redundancy

  • Purpose: Survive Regional failures.
  • Features:
    • IAM is a global service, replicated across AWS Regions.
    • Policies and credentials available even if a Region fails.
  • Explanation: E.g., IAM user in us-east-1 accesses S3 in us-west-2 during outage.
  • Exam Tip: Highlight global scope for HA.

Temporary Credentials:

  • Purpose: Reduce risk of credential compromise.
  • Features:
    • Roles and STS provide short-lived credentials (15 minutes–36 hours).
    • Automatically rotate credentials for assumed roles.
  • Explanation: E.g., EC2 role credentials expire after 1 hour.
  • Exam Tip: Use roles for temporary, resilient access.

Monitoring and Recovery:

  • Purpose: Detect and respond to issues.
  • Features:
    • CloudTrail logs IAM actions (e.g., CreateUser, AssumeRole).
    • IAM Access Analyzer identifies unused permissions, cross-account trusts (new 2024).
    • Alarms for unauthorized access attempts.
  • Explanation: E.g., alert on failed AssumeRole attempts.
  • Exam Tip: Use CloudTrail and Access Analyzer for resilience.

MFA Protection:

  • Purpose: Prevent unauthorized access.
  • Features:
    • MFA required for sensitive actions (e.g., IAM changes).
    • Passwordless MFA with passkeys (new 2025).
  • Explanation: E.g., MFA on root user for account recovery.
  • Exam Tip: Enforce MFA for critical identities.

Key Notes:

  • Resilience: Global redundancy + temporary credentials + monitoring = reliable IAM.
  • Exam Tip: Design resilient access with roles, MFA, and Access Analyzer.

4. IAM Security Features

Security is the core focus of IAM for SAA-C03.

Access Control

  • Identity-Based Policies:
    • Attached to users, groups, or roles to grant permissions.
    • Example: {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*"}.
  • Resource-Based Policies:
    • Attached to resources (e.g., S3 bucket, SNS topic) to control access.
    • Example: S3 bucket policy allows cross-account access.
  • Service Control Policies (SCPs):
    • Used in AWS Organizations to set permission boundaries for accounts.
    • Example: SCP denies iam:CreateUser in non-admin accounts.
  • Condition Keys:
    • Restrict permissions based on context (e.g., IP, time, tags).
    • Enhanced ABAC conditions (new 2024).
    • Example: {"Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Prod"}}}.
  • Exam Tip: Practice policy types and condition keys.

Identity Federation

  • SAML 2.0:
    • Integrates with enterprise IdPs (e.g., Active Directory, Okta) for SSO.
    • Explanation: E.g., AD users assume IAM role via SAML.
  • OIDC/Web Identity:
    • Integrates with external providers (e.g., Google, Cognito) for app access.
    • Explanation: E.g., mobile app uses Cognito to assume role.
  • Exam Tip: Know federation for SSO and app access.

Encryption

  • In Transit:
    • HTTPS for IAM API calls and console access.
    • Explanation: E.g., secure CreateRole API call.
  • At Rest:
    • IAM credentials (e.g., access keys) encrypted with KMS.
    • Explanation: E.g., KMS encrypts secret access key.
  • Exam Tip: Highlight HTTPS and KMS for compliance.

MFA and Password Policies:

  • Purpose: Secure identities.
  • Features:
    • Enforce MFA for users/roles (virtual, hardware, passkeys).
    • Password policies (e.g., min length, complexity).
  • Explanation: E.g., require 12-character passwords and MFA.
  • Exam Tip: Enforce MFA for sensitive actions.

IAM Access Analyzer:

  • Purpose: Identify security risks.
  • Features:
    • Detects unused permissions, roles, and cross-account trusts (new 2024).
    • Validates policies for correctness.
  • Explanation: E.g., flag unused EC2 role permissions.
  • Exam Tip: Use Access Analyzer for least privilege.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., use IAM for PCI-compliant access control.

Key Notes:

  • Security: Policies + federation + MFA + Access Analyzer = robust protection.
  • Exam Tip: Configure policies, MFA, and federation for secure access.

5. IAM Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • IAM: Free for users, groups, roles, policies, and MFA.
  • Related Costs:
    • CloudTrail: $2.00/100,000 events (first copy free in some Regions).
    • KMS: $1.00/key/month, $0.03/10,000 requests.
    • STS: Free for role assumptions.
  • Example:
    • 1,000 IAM users, 100 roles, CloudTrail for IAM actions (100,000 events):
      • IAM: $0.
      • CloudTrail: First copy free, additional $2.00.
      • Total: $2.00/month (if additional trail).
    • Add KMS for 10 keys: 10 × $1.00 = $10.00/month.
  • Free Tier: IAM free, CloudTrail first copy free.

Cost Strategies

  • Minimize CloudTrail Costs:
    • Use single trail for IAM events, avoid multiple trails.
    • Explanation: E.g., one trail for all IAM actions.
  • Optimize KMS Usage:
    • Reuse KMS keys for multiple IAM credentials.
    • Explanation: E.g., single KMS key for all access keys.
  • Consolidate Policies:
    • Use managed policies to reduce maintenance overhead.
    • Explanation: E.g., one managed policy for 100 users.
  • Use Access Analyzer:
    • Remove unused roles/permissions to avoid over-provisioning.
    • Explanation: E.g., delete unused EC2 role.
  • Tagging:
    • Use cost allocation tags to track IAM-related costs (e.g., CloudTrail, KMS).
    • Explanation: E.g., tag KMS key with “Project:Security”.
  • Monitor Usage:
    • Use CloudTrail and Access Analyzer to optimize permissions.
    • Explanation: E.g., remove unused access keys.

Key Notes:

  • Cost Savings: Single trail + reused KMS + managed policies = lower costs.
  • Exam Tip: Highlight IAM as free, focus on CloudTrail/KMS costs.

6. IAM Advanced Features

Attribute-Based Access Control (ABAC):

  • Purpose: Dynamic access control.
  • Features:
    • Uses tags on resources/users (e.g., Environment=Prod).
    • New condition keys for complex ABAC (2024).
  • Explanation: E.g., allow s3:PutObject if ResourceTag/Project=Finance.
  • Exam Tip: Use ABAC for scalable permissions.

IAM Access Analyzer:

  • Purpose: Security auditing.
  • Features:
    • Identifies unused permissions, cross-account trusts, public resources (new 2024).
    • Generates least-privilege policies.
  • Explanation: E.g., flag public S3 bucket access.
  • Exam Tip: Use Analyzer for compliance audits.

Passwordless MFA:

  • Purpose: Enhanced security.
  • Features:
    • Passkeys for passwordless MFA (new 2025).
    • Supports WebAuthn, biometric devices.
  • Explanation: E.g., use passkey for admin login.
  • Exam Tip: Know MFA enhancements for security.

Cross-Account Role Assumption:

  • Purpose: Secure multi-account access.
  • Features:
    • Roles in one account assumed by users/services in another.
    • Requires trust policy and permissions.
  • Explanation: E.g., dev account role assumed by prod account Lambda.
  • Exam Tip: Configure trust policies for multi-account.

Service-Linked Roles:

  • Purpose: Automatic service access.
  • Features:
    • Predefined roles for AWS services (e.g., AWSServiceRoleForECS).
    • Created/managed by AWS.
  • Explanation: E.g., ECS service-linked role for task management.
  • Exam Tip: Know service-linked roles for automation.

Key Notes:

  • Flexibility: ABAC + Access Analyzer + passkeys = advanced security.
  • Exam Tip: Know ABAC, Analyzer, and cross-account roles for enterprise scenarios.

7. IAM Use Cases

Understand practical applications.

Secure Application Access

  • Setup: IAM role for Lambda, S3 policy.
  • Features: Least privilege, temporary credentials.
  • Explanation: E.g., Lambda role accesses specific S3 bucket.

Enterprise SSO

  • Setup: SAML federation with Active Directory.
  • Features: Centralized identity, seamless AWS access.
  • Explanation: E.g., AD users access AWS console via SSO.

Multi-Account Management

  • Setup: AWS Organizations, SCPs, cross-account roles.
  • Features: Centralized governance, secure access.
  • Explanation: E.g., SCP restricts IAM changes in dev accounts.

Compliance Auditing

  • Setup: IAM Access Analyzer, CloudTrail Explanation: E.g., use Access Analyzer to identify unused roles.

8. IAM vs. Other Identity Services

Feature IAM Cognito AWS SSO
Type Access Control User Authentication Enterprise SSO
Workload AWS resource access App user management Cross-account SSO
Use Case EC2, S3 permissions Mobile/web app login Multi-account access
Auth Method IAM users, roles User pools, identity pools SAML, OIDC
Cost Free (except KMS, CloudTrail) Pay-per-user Free with Organizations

Explanation:

  • IAM: AWS resource access control, roles, policies.
  • Cognito: User authentication for apps, user pools.
  • AWS SSO: Enterprise SSO for multi-account access.

9. Detailed Explanations for Mastery

  • ABAC:
    • Example: Allow s3:GetObject if ResourceTag/Environment=Prod.
    • Why It Matters: Scalable permissions—new for 2024.
  • IAM Access Analyzer:
    • Example: Identify unused EC2 role with public access.
    • Why It Matters: Security auditing—new for 2024.
  • Passwordless MFA:
    • Example: Use passkey for admin console login.
    • Why It Matters: Enhanced security—new for 2025.

10. Quick Reference Table

Feature Purpose Key Detail Exam Relevance
IAM User/Group Manage identities Long-term access, group policies Core Concept
IAM Role Temporary access Assumed via STS, service access Core Concept
IAM Policy Define permissions JSON, managed/inline, conditions Core Concept
ABAC Dynamic access Tag-based, new conditions (2024) Security, Scalability
Access Analyzer Security auditing Unused permissions, trusts (2024) Security, Resilience
MFA Secure authentication Virtual, hardware, passkeys (2025) Security
Federation External identity access SAML, OIDC, Web Identity Security, Scalability