Understanding AWS IAM Users, Roles, and Policies for Security
Learning AWS is quite interesting and enjoyable, especially if you're a beginner trying to explore it. You might find yourself asking questions like: How is AWS secure? How does it provide secure access to users and admins? How does it work behind the scenes?
If these questions are on your mind, this blog is for you. We'll dive into AWS Identity and Access Management (IAM), exploring its core components (Users, Roles, and Policies) and walk through a hands-on demo to set them up.
IAM: Your AWS Security Foundation
To understand the security foundation in AWS, we first need to know what IAM is, why it's important, and its core components: Users, Roles, and Policies.
AWS Identity and Access Management (IAM) is the core service that helps you securely control access to AWS resources. Think of IAM as the security guard and gatekeeper for your AWS account. It handles two critical tasks:
- Authentication: Verifying the identity of who is trying to access your account (Are you who you say you are?).
- Authorization: Determining what an authenticated identity is allowed to do (What are you permitted to see or change?).
Everything in AWS, from launching an EC2 instance to storing files in S3, is governed by IAM. Properly configuring IAM is crucial to ensure your cloud environment is secure by design.

Core Trio: Users, Policies, and Roles
Let's break down the main components of IAM (Users, Groups, Roles, and Policies) in a simple way.
Users
A User is an entity (a person or application) that needs access to your AWS account. Each user gets a permanent set of credentials, such as a username and password for console access or access keys for programmatic access, to interact with AWS services.
Groups
A Group is a collection of users. Instead of assigning permissions to each user individually, you can group users and assign permissions to the group. All users in the group inherit those permissions. For example, you can create a "Developers" group with access to EC2, and all users in that group will automatically gain EC2 access.
Roles
A Role is similar to a user but doesn't have permanent credentials. Instead, roles provide temporary access to AWS resources. They are typically used by applications, services, or users who need access for a specific purpose or duration. Roles are assumed temporarily using security tokens.
Policies
A Policy is a JSON document that defines what a user, group, or role is allowed or not allowed to do in AWS. Policies are attached to users, groups, or roles to control their permissions. Policies specify actions, resources, and conditions for access.
Hands-On Demo: Setting Up IAM Users, Groups, Policies, and Roles
Let's walk through the process of creating an IAM user, adding them to a group, creating a custom policy, and setting up a role in AWS. For this demo, you'll need an AWS account.
Step 1: Create a User (Example: Developer)
- Log in to the AWS Management Console.
- Navigate to Security, Identity, & Compliance from the AWS Console home, then select IAM.
  [Figure: AWS Console Home - All services]
- The IAM dashboard will appear.
  [Figure: IAM Dashboard]
- From the left menu, under Access Management, select Users.
  [Figure: IAM Users Dashboard]
- Click Create User. Enter a user name (e.g., "Developer") and select the access type (e.g., console access with a password or programmatic access with access keys).
  [Figure: Create User Step 1]
- Proceed to Set Permissions. You can attach policies directly or add the user to a group (we'll cover groups next). For now, select an existing policy like AmazonS3ReadOnlyAccess.
  [Figure: Create User Step 2 - Attach Policy]
- Review the user details and click Create User. Return to the IAM dashboard to view your new user.
Step 2: Create a User Group
- From the IAM dashboard, go to Access Management > User Groups.
- Click Create Group. Enter a group name (e.g., "Developers").
  [Figure: Create User Group Step 1]
- Attach policies to the group (e.g., AmazonEC2FullAccess) and add users (e.g., the "Developer" user created earlier).
  [Figure: Create User Group Step 2]
- Review and create the group. Now, all users in the "Developers" group inherit the attached policies.
Step 3: Create a Custom Policy
- From the IAM dashboard, go to Access Management > Policies.
- Click Create Policy.
  [Figure: Create Policy Step 1]
- Use the Visual Editor or JSON tab to define permissions. For example, to allow read-only access to an S3 bucket:

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "s3:GetObject",
          "s3:ListBucket"
        ],
        "Resource": [
          "arn:aws:s3:::your-bucket-name/*",
          "arn:aws:s3:::your-bucket-name"
        ]
      }
    ]
  }

  [Figure: Create Policy Step 2 - JSON Editor]
- Review, name the policy (e.g., "CustomS3ReadPolicy"), and create it.
  [Figure: Create Policy Step 3 - Review]
- Attach this policy to a user, group, or role as needed.
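To see what "allowed or not allowed" means in practice, here is an added example (not code from the original post or from AWS) that simulates how IAM evaluates an identity-based policy such as the CustomS3ReadPolicy above: every request starts as an implicit deny, an applicable Allow statement grants it, and an applicable explicit Deny overrides any Allow. It also shows a constructed pair of policies, a broad S3 allow plus a Deny on one bucket, to demonstrate the explicit-deny rule; the bucket names, the policy names and the simplified matcher (no NotAction, NotResource or Condition handling) are assumptions of this example, not IAM's full evaluation model.

```python
import fnmatch
import json

# Constructed sample: the same read-only S3 policy shown in Step 3 of the post.
CUSTOM_S3_READ_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::your-bucket-name/*", "arn:aws:s3:::your-bucket-name"]
    }
  ]
}
""")

# Constructed samples for the explicit-deny case: a broad S3 allow (shaped like a
# full-access managed policy) plus a Deny on one bucket. Bucket names are made up.
S3_FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
DENY_SENSITIVE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::sensitive-bucket", "arn:aws:s3:::sensitive-bucket/*"]}]}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """IAM wildcards: '*' matches any sequence (including '/'), '?' one character."""
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request.
    Action names are case-insensitive in IAM; ARNs are compared as written.
    NotAction/NotResource/Condition are deliberately not handled (simplification)."""
    action_ok = any(_matches(p.lower(), action.lower())
                    for p in _as_list(stmt.get("Action", [])))
    resource_ok = any(_matches(p, resource)
                      for p in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Decide a request the way IAM evaluates identity-based policies:
    implicit deny by default, an applicable Allow grants access, and any
    applicable explicit Deny overrides every Allow."""
    decision = "Deny"                    # nothing is allowed until a policy says so
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"            # explicit deny is final
            decision = "Allow"           # keep scanning in case a Deny follows
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::your-bucket-name/report.csv"
    for act in ("s3:GetObject", "s3:PutObject"):
        print(act, "->", evaluate([CUSTOM_S3_READ_POLICY], act, obj))
    print("sensitive-bucket GetObject ->",
          evaluate([S3_FULL_ACCESS, DENY_SENSITIVE_BUCKET],
                   "s3:GetObject", "arn:aws:s3:::sensitive-bucket/secret.txt"))
```

Run it as a script and the read-only policy allows GetObject on objects in your-bucket-name but denies PutObject (implicit deny: no statement mentions it), while the second pair shows the Deny winning even though s3:* on * would otherwise allow the read. Real IAM also layers in resource-based policies, permission boundaries, SCPs and session policies, which this simulation leaves out.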
Step 4: Create a Role
- From the IAM dashboard, go to Access Management > Roles.
- Click Create Role. Select the trusted entity (e.g., an AWS service like EC2 or another AWS account).
  [Figure: Create Role Step 1]
- Attach policies to the role (e.g., AmazonS3FullAccess).
  [Figure: Create Role Step 2 - Attach Policy]
- Review, name the role (e.g., "EC2S3AccessRole"), and create it.
  [Figure: Create Role Step 3 - Review]
- This role can now be assumed by an EC2 instance or another AWS service to access S3 resources temporarily.
Best Practices for AWS IAM Security
- Follow the Principle of Least Privilege: Only grant the permissions necessary for a user, group, or role to perform their tasks.
- Use Groups for Permissions: Assign policies to groups rather than individual users for easier management.
- Enable MFA (Multi-Factor Authentication): Add an extra layer of security for all users, especially those with sensitive access.
- Rotate Credentials Regularly: Update access keys and passwords periodically to reduce the risk of compromised credentials.
- Use Roles for Temporary Access: Prefer roles over long-term credentials for applications and services.
- Monitor IAM Activity: Use AWS CloudTrail to track IAM actions and detect unauthorized access.
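The least-privilege and roles-over-long-term-credentials points above are easier to enforce if you check policy documents before attaching them. The following is an added example, not code from the original post or from AWS: a small linter that flags Allow statements with "*" actions, service-wide wildcards or unscoped "*" resources, and flags role trust policies (the "trusted entity" chosen in Step 4) that let any AWS principal, or another account without a Condition, assume the role. The sample policies are constructed for the example; the severity labels and the choice of checks are this example's assumptions, not an AWS-defined standard.

```python
# Constructed samples. The first is the CustomS3ReadPolicy from Step 3 of the post;
# the others are made up to trigger the checks.
CUSTOM_S3_READ_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::your-bucket-name/*", "arn:aws:s3:::your-bucket-name"]}]}
ADMIN_LIKE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}]}
# Trust policy of the kind created when EC2 is chosen as the trusted entity.
EC2_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
# Trust policy that lets any AWS principal assume the role (constructed bad example).
OPEN_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM accepts a single string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_permission_policy(policy):
    """Return (sid, severity, message) findings for Allow statements that are
    broader than least privilege. Deny statements only narrow access, so skip them."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "NotAction" in stmt:
            findings.append((sid, "HIGH", "Allow with NotAction grants every action not listed"))
        if "*" in actions:
            findings.append((sid, "HIGH", "Action '*' grants every API call in every service"))
        else:
            for action in actions:
                if action.endswith(":*"):
                    findings.append((sid, "MEDIUM", f"service-wide wildcard {action}"))
        if "*" in resources and "Condition" not in stmt:
            findings.append((sid, "MEDIUM", "Resource '*' with no Condition to scope it"))
    return findings


def lint_trust_policy(policy):
    """Return findings for assume-role (trust) policies whose Principal is too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal", {})
        # Principal may be the string "*" or a map such as {"AWS": ..., "Service": ...}.
        aws_principals = [] if principal == "*" else _as_list(principal.get("AWS", []))
        wide_open = principal == "*" or "*" in aws_principals
        if wide_open and "Condition" not in stmt:
            findings.append((sid, "HIGH", "any AWS principal may assume this role (Principal '*')"))
        elif any(p.endswith(":root") for p in aws_principals) and "Condition" not in stmt:
            findings.append((sid, "MEDIUM", "cross-account trust with no Condition "
                                            "(e.g. sts:ExternalId or aws:MultiFactorAuthPresent)"))
    return findings


if __name__ == "__main__":
    for name, policy in [("CustomS3ReadPolicy", CUSTOM_S3_READ_POLICY),
                         ("ADMIN_LIKE_POLICY", ADMIN_LIKE_POLICY)]:
        print(name, lint_permission_policy(policy) or "no findings")
    for name, policy in [("EC2 trust", EC2_TRUST_POLICY), ("open trust", OPEN_TRUST_POLICY)]:
        print(name, lint_trust_policy(policy) or "no findings")
```

The CustomS3ReadPolicy and the EC2 trust policy pass cleanly; the admin-like policy produces a HIGH finding for Action "*" and a MEDIUM one for Resource "*", and the open trust policy produces a HIGH finding. A check like this fits naturally in a CI step that runs before policies are created or attached, and the same logic can be pointed at CloudTrail CreatePolicy or UpdateAssumeRolePolicy events to catch broad grants after the fact.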
Conclusion
AWS IAM is the backbone of cloud security, ensuring that only authorized identities can access your resources. By understanding and properly configuring Users, Groups, Roles, and Policies, you can build a secure and scalable AWS environment. This hands-on demo should give you the confidence to start managing IAM in your own AWS account.
Try creating users, groups, policies, and roles in your AWS console, and explore additional IAM features like MFA and permission boundaries to further enhance your security posture.
Happy cloud computing!