We'll explore how to securely manage access to your AWS resources
• What is IAM and why it's crucial in AWS
• Principals - Who can access your AWS resources
• Authentication - How AWS verifies identity
• Authorization - What actions are allowed
• Hands-on practice with real scenarios
Just like your office building has security badges, access cards, and different permissions for different employees, AWS IAM controls who can access what in your cloud environment!
Your House = AWS Account
Keys & Access Cards = IAM Credentials
Family Members & Guests = IAM Users
Room Permissions = IAM Policies
• Controls WHO can access your AWS resources
• Controls WHAT they can do with those resources
• Controls WHEN and WHERE they can access
• Is FREE to use (no additional charges)
• Works across ALL AWS services
Imagine you have a company AWS account. You want your developer to access only development servers, your accountant to see only billing, and your intern to have read-only access. IAM makes this possible!
Every actor (principal) has a role and performs specific actions on stage (AWS)
Who: Individual people (employees, contractors)
Example: Vikram (Developer), Harsh (Admin), Yash (Intern)
Use Case: Long-term access for specific individuals
Who: Collection of users with similar roles
Example: "Developers", "Interns", "Admins"
Use Case: Easier management of multiple users
Who: Applications, services, or temporary access
Example: "EC2-Access-Role", "Lambda-Execution-Role"
Use Case: Services accessing other services
Before you can buy sim card, the Telecom regulations asks for your ID to verify you are who you claim to be. AWS does the same thing!
What: Traditional login credentials
Used for: AWS Management Console (web interface)
Example: harsh@company.com / SecurePassword123
What: Access Key ID + Secret Access Key
Used for: Programmatic access (APIs, CLI)
Example: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
What: Extra security layer (something you know + something you have)
Example: Password + Phone verification code
Best Practice: Always enable for important accounts!
• Never share access keys
• Rotate credentials regularly
• Always use MFA for admin accounts
• Use roles instead of long-term keys when possible
Once you badge into the office (authentication), your job role determines what floors you can access, what systems you can use, and what actions you can perform (authorization).
What: JSON documents that define permissions
Structure: Effect (Allow/Deny) + Action + Resource
Example: "Allow harsh to read S3 buckets but not delete them"
Identity-based: Attached to users, groups, roles
Resource-based: Attached to resources (like S3 buckets)
AWS Managed: Pre-built by AWS
Customer Managed: Created by you
Translation: "Allow reading files from my-bucket"
What: Short-term access tokens
Use Case: Mobile apps, cross-account access
Benefit: More secure than long-term keys
What: Use external identity providers
Example: Login with Google, Microsoft, or company Active Directory
Benefit: Single sign-on experience
What: Identifies resources shared with external entities
Use Case: Security auditing and compliance
Benefit: Prevents accidental data exposure
What: Logs all IAM actions
Use Case: Auditing and troubleshooting
Benefit: Complete activity history
• Create your first IAM user
• Set up groups and assign permissions
• Create and attach policies
• Configure MFA
• Work with roles
• IAM is the foundation of AWS security
• Principals define WHO (Users, Groups, Roles)
• Authentication verifies identity (passwords, keys, MFA)
• Authorization controls permissions (policies)
• Best practices keep your AWS account secure
Principals - WHO
Authentication - HOW they prove identity
Authorization - WHAT they can do
1. Practice the hands-on exercises
2. Experiment with different policies
3. Set up MFA on your own account
4. Ready to learn about AWS services like S3, EC2!