Tech Terms Explained Open in the app →

AWS IAM

Security · Intermediate · 5 min read

What is it?

IAM is AWS's system for controlling who can do what — it manages users, roles, and permissions across your cloud account.

Explain like I'm 5

IAM is like a building's security office that issues key cards: each card opens only the doors that person is allowed through, and nothing more.

Why was it created?

Giving everyone full access to a cloud account is dangerous. IAM was created to grant precise, least-privilege permissions to people and services.

Where is it used?

  • Granting users and apps access
  • Service-to-service permissions via roles
  • Enforcing least privilege
  • Auditing who can do what

Why should developers care?

Nearly every AWS task touches IAM, and misconfigured permissions are a leading cause of cloud security incidents.

How does it work?

IAM uses identities (users, groups, roles) and policies — documents that allow or deny specific actions on specific resources. When a request is made, IAM evaluates the relevant policies to allow or block it.

Real-world example

Instead of hardcoding keys, an application runs with an IAM role that grants it read-only access to one S3 bucket and nothing else.

Common use cases

  • Least-privilege access control
  • Temporary credentials via roles
  • Separating duties across teams
  • Securing service access

Advantages

  • Fine-grained permissions
  • Roles avoid long-lived keys
  • Centralized access control
  • Auditable policies

Disadvantages

  • Policy syntax can be complex
  • Easy to grant too much by accident
  • Misconfiguration risks exposure

When should you use it?

Always, for any AWS account — to control and limit access.

When should you avoid it?

There's no avoiding access control; the choice is doing it well versus poorly.

Alternatives

Cloud-specific IAM on Azure/GCPThird-party identity providers (federated into IAM)

Related terms

AWSOAuthAWS Secrets ManagerAmazon Cognito

Interview questions

Beginner

  • What does IAM control?
  • What is least privilege?

Intermediate

  • What is an IAM role versus a user?
  • What is an IAM policy?

Senior

  • Why prefer roles over long-lived access keys?
  • How would you audit for over-permissioned identities?

Common misconceptions

  • "IAM is only about human users" — it also governs how services and apps access resources, via roles.
  • "Broad permissions are fine if it's internal" — least privilege limits the damage when something is compromised.

Fun facts

  • IAM stands for Identity and Access Management.
  • IAM roles provide temporary credentials, avoiding hardcoded long-lived keys.

Timeline

  • 2011 — AWS IAM becomes generally available

Learning resources

Quick summary

AWS IAM controls who and what can access your cloud resources through identities and fine-grained policies, enforcing least privilege.

Cheat sheet

  • Identity and Access Management
  • Users, groups, roles + policies
  • Enforce least privilege
  • Prefer roles over static keys

If you remember only one thing

IAM grants precise, least-privilege access to your cloud — get it wrong and you get breaches.