A Beginners Guide to AWS Identity and Access Management (IAM)

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization)[1].

Key features

The key IAM features are:

  • Provides centralized control
  • IAM is global, i.e. it applies across all regions
  • Allows you to provide granular permissions to your services
  • Offers Multi-factor Authentication (MFA)
  • Can provide temporary access to your services
  • You can create and customize your own password policies
  • PCI DSS Compliant
  • New users have no permissions by default


IAM is made up of four main components: users, groups, roles and policies.

Users

A user provides authentication to the AWS Management Console and is also used when calling the AWS API or CLI. A user consists of a name, a password for AWS Management Console login, and access keys for use with the CLI or API.

Groups

Simply put, an IAM group is a collection of IAM users.

Roles

Roles, like users, provide an identity that is associated with a set of permissions (policies) for your AWS services. However, unlike users, roles have neither a password nor access keys. The key benefit of roles is that they provide greater security than storing your access/secret keys on the instance (in the case of EC2).


Policies

A policy is a document that explicitly lists permissions[2]. Within a policy, each statement's Effect, Action and Resource elements define what can be performed and on which resources. Below is an example that allows the identity to list all of its buckets and grants full S3 access to a single bucket (the bucket ARN is shown as a placeholder):

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "s3:ListAllMyBuckets",
                "Resource": "arn:aws:s3:::*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::example-bucket-placeholder",
                    "arn:aws:s3:::example-bucket-placeholder/*"
                ]
            }
        ]
    }
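To make the Effect, Action and Resource semantics concrete, here is a small added Python example (it is not code from the original article or from AWS). It evaluates a request against the policy above using IAM's basic decision order (everything implicitly denied, a matching Allow grants access, a matching explicit Deny always wins) and also flags Allow statements that combine an all-actions wildcard with an all-resources wildcard, which is the opposite of the granular permissions IAM is meant for. The bucket ARN is a placeholder, and only the Effect, Action and Resource elements are handled; NotAction, Condition and Principal are out of scope.

```python
import fnmatch
import json

# Constructed sample: the article's policy with a placeholder bucket ARN
# (the bucket name is an assumption, not a real bucket).
EXAMPLE_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::example-bucket-placeholder",
                "arn:aws:s3:::example-bucket-placeholder/*"
            ]
        }
    ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource ARNs are case-sensitive; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(resource, pattern)


def statement_applies(statement, action, resource):
    """True if the statement's Action and Resource elements both cover the request.
    Only Action and Resource are handled (no NotAction, Condition or Principal)."""
    action_hit = any(_action_matches(p, action) for p in _as_list(statement.get("Action")))
    resource_hit = any(_resource_matches(p, resource) for p in _as_list(statement.get("Resource")))
    return action_hit and resource_hit


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' using IAM's basic evaluation order: everything is
    implicitly denied, a matching Allow grants access, and a matching explicit
    Deny overrides any Allow."""
    decision = "Deny"  # implicit deny: a new user with no policy can do nothing
    for statement in policy.get("Statement", []):
        if not statement_applies(statement, action, resource):
            continue
        if statement.get("Effect") == "Deny":
            return "Deny"  # explicit deny wins immediately
        if statement.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def _is_wildcard(value):
    # '*' alone, or a service/ARN prefix ending in ':*' (e.g. 's3:*', 'arn:aws:s3:::*')
    return value == "*" or value.endswith(":*")


def find_broad_statements(policy):
    """Return the indexes of Allow statements whose Action and Resource are both
    wildcards, i.e. statements that grant every action on every resource in scope."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))
        if any(map(_is_wildcard, actions)) and any(map(_is_wildcard, resources)):
            findings.append(index)
    return findings


if __name__ == "__main__":
    requests = [
        ("s3:ListAllMyBuckets", "arn:aws:s3:::*"),
        ("s3:GetObject", "arn:aws:s3:::example-bucket-placeholder/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/report.csv"),
        ("ec2:DescribeInstances", "*"),
    ]
    for action, resource in requests:
        print(f"{action:24} {resource:60} -> {evaluate(EXAMPLE_POLICY, action, resource)}")
    print("broad statements:", find_broad_statements(EXAMPLE_POLICY))
```

Running the script shows the two S3 requests inside the placeholder bucket allowed, the request against another bucket and the EC2 request denied (nothing grants them, so the implicit deny stands), and no broad statements in the example policy. Adding a statement with `"Action": "*"` and `"Resource": "*"` is what `find_broad_statements` is there to catch.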

Tags: AWS, Cloud, IAM, PCI

About the Author


R Donato

Rick Donato is the Founder and Chief Editor of He currently works as an SDN/NFV Solutions Architect and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001