Mumen Tayyem
Blogs

AWS IAM: Your Friendly Guide to Users, Roles, and Policies! 🔐

What is AWS IAM?

AWS Identity and Access Management (IAM) is the service that controls who can access your AWS account and what they're allowed to do once they're in. Think of it as the security guard standing at the door of all your AWS resources, checking IDs and only letting people do exactly what they're permitted to do, nothing more, nothing less.

The best part? IAM is completely free, and getting it right is one of the most important things you can do to keep your cloud safe. 🛡️

Why should you care about IAM? 🤔

  • Security: Instead of sharing one all-powerful login, you give each person or application its own identity with only the permissions it actually needs.
  • Least privilege: If something gets compromised, the damage is limited to that one identity's narrow set of permissions.
  • No more hard-coded keys: Roles let your EC2 instances and other services talk to AWS securely without you storing secret keys anywhere.
  • Accountability: Every action is tied to an identity, so you always know who did what.

Important terms you should know about:

  • Root user: The email you signed up with. It can do everything, which is exactly why you should lock it away, enable MFA on it, and almost never use it for daily work.
  • IAM User: An identity for a real person or an application that needs long-term access. Each user gets its own credentials.
  • IAM Group: A bucket of users. Attach a policy to the group once, and every user inside it inherits those permissions. Perfect for teams (think a Developers group).
  • IAM Role: An identity that is assumed temporarily and has no permanent password or keys. Services like EC2 or Lambda assume a role to get short-lived credentials automatically. This is the magic that removes secret keys from your servers!
  • Policy: A JSON document that lists what is allowed (or denied). You attach policies to users, groups, or roles to grant them their powers.

What does a policy actually look like? 📜

A policy is just JSON. Every statement answers three questions: what actions (Action), on which resources (Resource), and allow or deny (Effect). Here's a real one. This is the exact least-privilege policy I use to let my deploy script push this blog to its S3 bucket and invalidate the CloudFront cache, and nothing else: 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SyncWebsiteBucket",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::mumen.blog",
        "arn:aws:s3:::mumen.blog/*"
      ]
    },
    {
      "Sid": "InvalidateCloudFrontCache",
      "Effect": "Allow",
      "Action": "cloudfront:CreateInvalidation",
      "Resource": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEID"
    }
  ]
}
💡 Notice how specific the Resource values are. This user can touch the mumen.blog bucket and one CloudFront distribution, but it can't poke around the rest of my account. That's least privilege in action!

Now, let's give IAM a spin! 🚀

Let's create a dedicated user for deployments instead of using our precious root account. Follow these easy steps:

  1. Log in to your AWS console.
  2. Navigate to IAM in the services panel.
  3. In the left menu choose Users, then click Create user.
  4. Give it a name, for example website-deployer, and click Next.
  5. On the permissions page choose Attach policies directly. For a quick start you can attach a managed policy like AmazonS3FullAccess, but for real projects click Create policy and paste a tight policy like the one above.
  6. Review everything and click Create user.
  7. Open the new user, go to the Security credentials tab, and click Create access key to generate the Access key ID and Secret access key your scripts and the AWS CLI will use.
  8. 🎉 That's it! You now have a safe, purpose-built identity for deployments.
⚠️ Treat your secret access key like a password. Never commit it to Git, and if it ever leaks, deactivate it immediately from this same screen.

Bonus: when to use a Role instead 🎭

Say one of your EC2 instances needs to read files from an S3 bucket. The wrong way is to copy an access key onto the server. The right way is to create an IAM role with the S3 permissions and attach it to the instance. AWS then hands the instance temporary credentials that rotate automatically, so there's nothing for you to store or leak. Whenever one AWS service needs to talk to another, reach for a role. 🙌

Summary

We learned what AWS IAM is, why it's the backbone of cloud security, and the difference between users, groups, roles, and policies. We even wrote a real least-privilege policy and created a dedicated deployment user. Lock down that root account, lean on roles for service-to-service access, and always grant the least privilege needed. Your future self will thank you! 🔐✨