Copy of AWS Identity & Access Management (IAM) Fundamentals
What is AWS IAM?
AWS Identity & Access Management (IAM) is the foundation of secure access control in AWS. It manages who can access AWS resources, what they can do, and how access is granted.
Key IAM Features
User authentication & authorization
Granular access controls with policies
Role-based access management (RBAC)
Temporary security credentials for workloads
Integration with Identity Providers (Okta, Azure AD, etc.)
How SecureCart Uses IAM
SecureCart uses IAM to control access to AWS services and resources while following security best practices to protect customer data, prevent unauthorized changes, and enable seamless operations.
Examples
Developers need to manage deployments but should NOT have full admin access.
SecureCart’s EC2 instances need to retrieve product images from S3 without storing credentials.
A Lambda Function Needs to Process Payments Using AWS Secrets Manager
SecureCart’s CI/CD Pipeline in the
DevOpsAccount Needs to Deploy toProductionSecureCart’s security engineers should be able to audit AWS resources but NOT make changes.
Scenario
IAM Solution
Developer Access to AWS Accounts
IAM Identity Center (SSO) with Permission Sets
EC2 Access to S3 for Product Images
IAM Role assigned to EC2 instance
Lambda Access to Secrets Manager for Payments
IAM Role with Secrets Manager read access
CI/CD Deployment Across Accounts
Cross-account IAM Role assumption
Security Team Read-Only Audits
IAM Identity Center Group with SecurityAudit policy
IAM Users
IAM Users represent individuals who need access to AWS.
Each IAM User has unique credentials (password, access keys, MFA) and can have assigned permissions.
How SecureCart Uses IAM Users
Only used for break-glass access (not for daily work).
SecureCart relies on IAM Identity Center (SSO) instead of IAM Users for authentication.
MFA is required for any IAM User with AWS Management Console access.
IAM Groups
IAM Groups combine multiple IAM Users and assign permissions to them collectively.
Instead of assigning policies one by one, a group policy applies to all users inside the group.
How SecureCart Uses IAM Groups
SecureCart avoids IAM Groups in favor of IAM Identity Center (SSO).
If IAM Groups were needed, SecureCart would create
Billing-ReadOnly(Finance Team)Security-Audit(Security Team)DevOps-Admin(Operations Team)
IAM Policies
IAM Policies define permissions for users, groups, or roles.
They specify who can do what on which resources.
Types of IAM Policies
AWS-Managed Policies → Predefined by AWS (e.g.,
AdministratorAccess,ReadOnlyAccess).Customer-Managed Policies → Custom policies SecureCart creates for fine-grained control.
Inline Policies → Directly attached to users, groups, or roles (not reusable).
How SecureCart Uses IAM Policies
Least privilege (Only allow necessary actions).
Deny dangerous actions like deleting databases.
Use AWS-Managed Policies for standard use cases.
IAM Roles
IAM Roles provide temporary permissions to users, AWS services, or applications.
Unlike IAM Users, IAM Roles do not have permanent credentials.
IAM Role Use Cases
Applications running on EC2, Lambda, or ECS that need access to AWS services.
Cross-account access between different AWS accounts.
Temporary security credentials for users via AWS STS.
How SecureCart Uses IAM Roles
SecureCart EC2 instances assume IAM Roles to access S3 securely.
Developers assume IAM Roles instead of using IAM Users.
Cross-account roles allow CI/CD to deploy across multiple AWS accounts
IAM Identity Center (SSO)
IAM Identity Center (formerly AWS SSO) provides centralized authentication for multiple AWS accounts.
It eliminates the need for IAM Users by integrating with identity providers like Okta, Azure AD, or Google Workspace.
How SecureCart Uses IAM Identity Center
Developers log in once and access multiple AWS accounts.
IAM Identity Center groups replace IAM Groups.
Enforces MFA and session timeouts for security.
Example of IAM Identity Center Group Setup
IAM Identity Center Group
AWS Permissions Assigned
SecureCart-Developers
AWSCodeDeployFullAccess
SecureCart-Security
SecurityAudit
SecureCart-Finance
Billing
AWS Security Best Practices for IAM
SecureCart's IAM Security Checklist
Use IAM Identity Center (SSO) instead of IAM Users
Require MFA for all human access
Use IAM Roles instead of long-term IAM credentials
Follow the principle of least privilege in IAM Policies
Enable IAM Access Analyzer to detect misconfigurations
Use AWS CloudTrail to log IAM activity
Scenario:
SecureCart’s security team is tasked with setting up secure IAM access for engineers, ensuring that only authorized users and services have access to AWS resources.
Key Learning Objectives
Understand IAM Users, Groups, and Roles
Enforce MFA on IAM users and the root user
Learn about the AWS Shared Responsibility Model
Apply AWS security best practices for access control
Introduction
SecureCart Organizational Structure & AWS Access Roles
AWS Access Requirements by Role
Role
Access Level
AWS Services Required
CTO
Read-only
AWS Billing, Cost Explorer, Budgets
Finance Team
Billing & Cost Access
AWS Billing, AWS Cost Explorer
DevOps Team
Full Admin (Non-Prod), Restricted Admin (Prod)
IAM, EC2, VPC, RDS, CloudFormation, Route 53
Software Developers
Limited (Deploy Only)
ECS, Lambda, API Gateway, DynamoDB, CloudWatch
Data Engineers
Full Access to Data Services
Redshift, S3, Glue, DynamoDB, Athena
Security Team
Full Security Admin
IAM, GuardDuty, Security Hub, CloudTrail
Customer Support
Read-Only
DynamoDB (customer and order data)
Product Management
Read-Only
CloudWatch, DynamoDB
SecureCart - Single AWS Account Setup (IAM-Based)
This setup is used when SecureCart operates within a single AWS account, managing access through IAM roles and IAM policies.
Step 1: Create IAM Roles for Each Business Unit
Why? IAM Roles provide temporary credentials instead of static IAM users, improving security.
Create IAM Roles & Attach Policies
Use the AWS Console or CLI to create IAM Roles for each team.
Example CLI Command to Create an IAM Role for Developers
Trust Policy (developer-trust-policy.json)
📌 Attach a Policy (Limited Access to Deployment Services)
🔹 Step 2: Assign IAM Roles to Users
1️⃣ Go to AWS IAM Console 2️⃣ Select "Users" → Choose User → Assign Role 3️⃣ Choose the appropriate role (e.g., SecureCartDeveloperRole) 4️⃣ Save changes
🔹 Now, Developers must "AssumeRole" to gain AWS permissions.
📌 Example: Assume Role via AWS CLI
🔹 Step 3: Enforce MFA for AWS Console Access
📌 Why? Improves security by preventing unauthorized access.
1️⃣ Go to AWS IAM Console → Users → Security Credentials 2️⃣ Enable MFA for each user 3️⃣ Require MFA in IAM Policies
📌 Example IAM Policy to Enforce MFA
SecureCart Multi-Account IAM Identity Center Setup
🔹 Overview
SecureCart needs a centralized access management solution to allow different teams to securely access multiple AWS accounts with appropriate permissions.
✅ Key IAM Identity Center Components
Users & Groups → Define who has access
Permission Sets → Define what permissions are granted
Account Assignments → Assign permission sets to groups/users at the AWS account level
🔹 Step 1: Enable AWS IAM Identity Center (SSO)
📌 Why? Provides SSO-based access across multiple AWS accounts, eliminating the need for IAM users.
Implementation Steps:
1️⃣ Go to AWS Organizations Console → Enable IAM Identity Center 2️⃣ Choose an Identity Source:
Built-in AWS Identity Center Directory (Default)
External Identity Provider (Azure AD, Okta, Google Workspace) 3️⃣ Configure IAM Identity Center login portal
AWS generates a unique SSO login URL for SecureCart employees
📌 Example CLI Command to Enable IAM Identity Center
🔹 Step 2: Create IAM Identity Center Groups
📌 Why? IAM Identity Center Groups simplify permission management by allowing multiple users to inherit permissions instead of assigning them individually.
✅ Create Groups for Each SecureCart Business Unit
1️⃣ Go to IAM Identity Center Console → Groups → Create Group 2️⃣ Create the following Groups:
SecureCart-DevOpsSecureCart-DevelopersSecureCart-SecuritySecureCart-FinanceSecureCart-Support3️⃣ Add Users to the Groups
📌 Example CLI Command to Create a Group
🔹 Step 3: Create Permission Sets
📌 Why? Permission Sets define the AWS permissions for each team. These are assigned at the AWS account level.
✅ Define Permission Sets
1️⃣ Go to IAM Identity Center Console → Permission Sets → Create New Set 2️⃣ Choose AWS-Managed Policies or Custom Policies 3️⃣ Assign Session Duration (default: 1 hour, max: 12 hours) 4️⃣ Repeat this for each business unit
📌 Example Permission Sets for SecureCart Teams
Group
Permission Set
Attached IAM Policies
SecureCart-DevOps
SecureCart-DevOps-PermissionSet
AdministratorAccess
SecureCart-Developers
SecureCart-Developer-PermissionSet
AWSCodeDeployFullAccess, CloudWatchReadOnlyAccess
SecureCart-Security
SecureCart-Security-PermissionSet
SecurityAudit, IAMReadOnlyAccess
SecureCart-Finance
SecureCart-Finance-PermissionSet
Billing
SecureCart-Support
SecureCart-Support-PermissionSet
ReadOnlyAccess
📌 Example CLI Command to Create a Permission Set
🔹 Step 4: Assign Groups to AWS Accounts
📌 Why? Permission Sets are assigned at the AWS account level, ensuring users can only access the accounts they need.
✅ Assign Groups to AWS Accounts
1️⃣ Go to IAM Identity Center Console → AWS Accounts
2️⃣ Select the AWS account (e.g., SecureCart-Production, SecureCart-Dev)
3️⃣ Click Assign Users & Groups
4️⃣ Select the SecureCart Group (e.g., SecureCart-Developers)
5️⃣ Assign the corresponding Permission Set
6️⃣ Click Save
📌 Example CLI Command to Assign a Group to an AWS Account
🔹 Step 5: User Login & Access via AWS SSO
📌 Why? Instead of manually switching IAM roles, users log in via AWS SSO and are automatically assigned role-based access.
✅ How Users Access AWS
1️⃣ Users go to the AWS IAM Identity Center Portal (SSO URL) 2️⃣ Login using corporate credentials 3️⃣ Select the AWS Account & Role they have access to 4️⃣ They are granted console or CLI access automatically
📌 Example: AWS SSO Login for Developers
Summary: Single vs. Multi-Account Implementation
Feature
Single Account (IAM-Based)
Multi-Account (IAM Identity Center-Based)
User Authentication
IAM Users
AWS IAM Identity Center (SSO)
Access Control
IAM Roles
IAM Identity Center Groups & Permission Sets
Role Switching?
Users must assume roles manually
Seamless via AWS SSO
Permissions Model
IAM Policies per Role
Permission Sets per Account
Best for
Standalone AWS Accounts
Multi-Account AWS Organizations
For multi-account AWS Organizations setups, SecureCart centralizes access control using AWS IAM Identity Center (SSO).
Step 1: Enable AWS IAM Identity Center (SSO)
Why? Provides centralized identity management across multiple AWS accounts.
Go to AWS Organizations Console → Enable IAM Identity Center Choose an Identity Source:
Built-in AWS Identity Center Directory
External IdP (Okta, Azure AD, Google Workspace)
📌 Example CLI Command to Enable IAM Identity Center
Step 2: Create IAM Identity Center Groups
📌 Why? Groups simplify permission assignments for multiple users.
✅ Create Groups for Each Business Unit
1️⃣ Go to IAM Identity Center Console → Groups → Create Group 2️⃣ Example Groups:
SecureCart-DevOpsSecureCart-DevelopersSecureCart-SecuritySecureCart-FinanceSecureCart-Support3️⃣ Add Users to Respective Groups
Step 3: Assign Permission Sets to IAM Identity Center Groups
📌 Why? Permission Sets are predefined IAM roles assigned to Identity Center users.
Create Permission Sets
1️⃣ Go to AWS IAM Identity Center Console → Permission Sets → Create New Set 2️⃣ Select AWS-Managed Policies or Custom Policies
SecureCart-DevOps→ AdministratorAccessSecureCart-Developers→ AWSCodeDeployFullAccessSecureCart-Security→ SecurityAuditSecureCart-Finance→ BillingSecureCart-Support→ ReadOnlyAccess 3️⃣ Assign Permission Sets to Groups
Example CLI Command to Assign a Permission Set
Step 4: Assign Groups to AWS Accounts
📌 Why? This allows IAM Identity Center users to assume roles only in permitted accounts.
1️⃣ Go to IAM Identity Center Console → AWS Accounts → Assign Users & Groups
2️⃣ Choose the SecureCart Group (e.g., SecureCart-Developers)
3️⃣ Assign the corresponding permission set
4️⃣ Click Save
🔹 Now, users log in via AWS IAM Identity Center (SSO) and get role-based access.
📌 Example: IAM Identity Center Console Access
Users log in via AWS SSO URL.
Choose the assigned AWS account & IAM Role.
No need for manual IAM Role switching.
🎯 Summary: Single vs. Multi-Account Setup
Feature
Single Account (IAM-Based)
Multi-Account (Identity Center-Based)
User Authentication
IAM Users
AWS IAM Identity Center (SSO)
Access Control
IAM Roles
IAM Identity Center Groups & Permission Sets
Best for
Standalone AWS Accounts
Multi-Account AWS Organizations
IAM Groups Needed?
Maybe (for legacy users)
❌ No (Use Identity Center Groups)
Role Switching?
Users must assume roles manually
Seamless via AWS SSO
IAM Policies & Permissions Model
SecureCart follows the principle of least privilege, meaning each team gets only the permissions necessary to perform their job.
✅ Implementation Steps:
1️⃣ Enable AWS IAM Identity Center (SSO)
Integrate Azure AD, Okta, or Google Workspace for authentication.
Define SSO permission sets for different roles.
2️⃣ Create IAM Roles for Each Team
DevOpsRole (Admin in non-prod, restricted in prod).
DeveloperRole (Deploy access, no security permissions).
SecurityRole (IAM & Security services access only).
SupportRole (Read-only to customer order database).
FinanceRole (Billing access only).
3️⃣ Apply IAM Policies with Least Privilege
Restrict DevOps team to modify infrastructure but not IAM.
Ensure Developers can deploy but not access customer data.
Allow Finance to view AWS bills without modifying resources.
Block Support from accessing anything except order-related DynamoDB tables.
4️⃣ Use AWS Organizations & SCPs for Governance
Deny actions like
iam:CreateUser,s3:PutBucketPublicAccessBlockacross all accounts.Enforce security best practices at the organization level.
5️⃣ Enable AWS IAM Access Analyzer
Continuously scan for overly permissive IAM policies.
Detect unintended public access to AWS resources.
AWS Identity & Access Best Practices for SecureCart
✅ Use IAM Roles for Applications & Services – No hardcoded credentials. ✅ Enable Multi-Factor Authentication (MFA) – Required for all human users. ✅ Monitor IAM Usage with AWS CloudTrail – Track API calls for security audits. ✅ Implement Temporary Credentials with AWS STS – Use AssumeRole instead of long-term IAM users. ✅ Use Resource-Based Policies for Specific Permissions – Example: Secure S3 access with bucket policies.
Hands-on Labs:
1️⃣ Enable MFA for Root & IAM Users 2️⃣ Create IAM Groups & Assign Least Privilege Access 3️⃣ Implement IAM Policies to Restrict Overly Permissive Access
🔹 Outcome: SecureCart implements strong IAM security controls, ensuring that only authorized users have access.
Last updated