AWS IAM
What is it?
IAM is AWS's system for controlling who can do what — it manages users, roles, and permissions across your cloud account.
Explain like I'm 5
Why was it created?
Giving everyone full access to a cloud account is dangerous. IAM was created to grant precise, least-privilege permissions to people and services.
Where is it used?
- Granting users and apps access
- Service-to-service permissions via roles
- Enforcing least privilege
- Auditing who can do what
Why should developers care?
Nearly every AWS task touches IAM, and misconfigured permissions are a leading cause of cloud security incidents.
How does it work?
IAM uses identities (users, groups, roles) and policies — documents that allow or deny specific actions on specific resources. When a request is made, IAM evaluates the relevant policies to allow or block it.
Real-world example
Instead of hardcoding keys, an application runs with an IAM role that grants it read-only access to one S3 bucket and nothing else.
Common use cases
- Least-privilege access control
- Temporary credentials via roles
- Separating duties across teams
- Securing service access
Advantages
- Fine-grained permissions
- Roles avoid long-lived keys
- Centralized access control
- Auditable policies
Disadvantages
- Policy syntax can be complex
- Easy to grant too much by accident
- Misconfiguration risks exposure
When should you use it?
Always, for any AWS account — to control and limit access.
When should you avoid it?
There's no avoiding access control; the choice is doing it well versus poorly.
Alternatives
Related terms
Interview questions
Beginner
- What does IAM control?
- What is least privilege?
Intermediate
- What is an IAM role versus a user?
- What is an IAM policy?
Senior
- Why prefer roles over long-lived access keys?
- How would you audit for over-permissioned identities?
Common misconceptions
- "IAM is only about human users" — it also governs how services and apps access resources, via roles.
- "Broad permissions are fine if it's internal" — least privilege limits the damage when something is compromised.
Fun facts
- IAM stands for Identity and Access Management.
- IAM roles provide temporary credentials, avoiding hardcoded long-lived keys.
Timeline
- 2011 — AWS IAM becomes generally available
Learning resources
Quick summary
AWS IAM controls who and what can access your cloud resources through identities and fine-grained policies, enforcing least privilege.
Cheat sheet
- Identity and Access Management
- Users, groups, roles + policies
- Enforce least privilege
- Prefer roles over static keys