AWS Identity and Access Management (IAM) is the security foundation of AWS. It controls who (authentication) can do what (authorization) on which AWS resources.
In Azure terms: IAM = combination of Microsoft Entra ID (authentication) + Azure RBAC (authorization).
| Concept | Description |
|---|---|
| IAM User | A person or application with permanent credentials (username + password or access keys) |
| IAM Group | A collection of IAM users — assign policies to the group, not to individual users |
| IAM Role | A set of permissions assumed temporarily — used by services, EC2, Lambda, cross-account access |
| IAM Policy | A JSON document defining Allow or Deny permissions for actions on resources |
| Access Key | Programmatic credential (Key ID + Secret) for CLI/API access |
Policies are JSON documents with a specific structure. A minimal policy with one statement (Effect, Action and Resource are described in the table below):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
```
| Field | Options | Meaning |
|---|---|---|
| Effect | Allow or Deny | Whether to permit or block |
| Action | e.g., s3:GetObject, ec2:* | API operations affected |
| Resource | ARN or * | Which resources the policy applies to |
| Condition | Optional | Extra conditions (IP, MFA, time) |
| Type | Description |
|---|---|
| AWS Managed | Pre-built by Amazon (e.g., AmazonS3ReadOnlyAccess) |
| Customer Managed | Custom policies you create and maintain |
| Inline Policy | Directly embedded in a user, group, or role (not reusable) |
| Resource-based | Attached to a resource (e.g., S3 bucket policy, Lambda function policy) |
| Permission Boundary | Maximum permissions an entity can have |
| SCP (Service Control Policy) | Organization-level guard-rails via AWS Organizations |
Roles are the preferred way to grant permissions to AWS services:
EC2 Instance Role — Allows an EC2 instance to call S3, DynamoDB, etc. without storing credentials
Lambda Execution Role — Grants Lambda permission to write CloudWatch logs, access DynamoDB, etc.
Cross-Account Role — Allow users in Account A to assume a role in Account B
Federated Identity — Allow users from an external identity provider (Okta, Active Directory) to assume roles
Never use the root account — Create IAM users immediately and lock the root account
Enable MFA — Require MFA for all human users, especially privileged ones
Use roles, not access keys — Avoid long-lived credentials; use instance roles and OIDC
Principle of least privilege — Grant only the permissions needed for the job
Rotate credentials regularly — Rotate access keys and review unused permissions
Use IAM Access Analyzer — Detect over-permissive policies and external access
Enable CloudTrail — Log all API calls for audit and compliance
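The policy structure above and the least-privilege practice are easier to act on with a check that walks a policy document and flags Allow statements wider than the job needs (wildcard actions, wildcard resources, NotAction/NotResource). This is an added example, not code from the page or from AWS; the policy documents are constructed, and the severity levels are this example's own convention.

```python
import json

# Both policy documents are constructed for this example, not taken from a real account.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_broad_statements(policy_json):
    """Return (statement index, severity, reason) for Allow statements that are wider
    than least privilege: wildcard actions, wildcard resources, or NotAction/NotResource."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resource = "*" in resources
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "high", "NotAction/NotResource allows everything not listed"))
        if wild_actions and wild_resource and "Condition" not in stmt:
            findings.append((idx, "high", f"{wild_actions} on all resources with no Condition"))
        elif wild_actions:
            findings.append((idx, "medium", f"service-wide actions {wild_actions}"))
        elif wild_resource:
            findings.append((idx, "low", f"{actions} allowed on all resources"))
    return findings
```

Run it against the policies attached to a user or role (for example via `aws iam get-policy-version`) to get a first-pass view before IAM Access Analyzer's deeper report.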
| Policy | Description |
|---|---|
| AdministratorAccess | Full access to all AWS services (use sparingly) |
| PowerUserAccess | Full access except IAM management |
| ReadOnlyAccess | Read-only access to all services |
| AmazonS3FullAccess | Full S3 access |
| AmazonEC2ReadOnlyAccess | Read-only EC2 access |
| AWSLambdaBasicExecutionRole | Write logs to CloudWatch (for Lambda) |
| Feature | AWS IAM | Azure RBAC |
|---|---|---|
| Identity unit | User / Group / Role | User / Group / Service Principal / Managed Identity |
| Permissions model | Policies (JSON) | Role Definitions (Actions/DataActions) |
| Service identity | IAM Role | Managed Identity |
| Root equivalent | Root account | Global Administrator |
| Cross-account | Cross-account Roles | Azure Lighthouse / Guest access |
| Audit log | CloudTrail | Azure Activity Log / Entra Audit Logs |
```bash
# Create an IAM user
aws iam create-user --user-name devuser

# Attach a managed policy to a user
aws iam attach-user-policy \
  --user-name devuser \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

# Create an IAM role for EC2 (trust-policy.json names ec2.amazonaws.com as the trusted principal)
aws iam create-role \
  --role-name ec2-s3-role \
  --assume-role-policy-document file://trust-policy.json

# Get the current caller identity
aws sts get-caller-identity
```