AWS Security & Identity
IAM
Fine-grained access control to AWS services and resources using policies and roles
AWS Identity and Access Management (IAM) is the foundational access control service that lets you define who can do what across every AWS resource. It uses policies, roles, and identity federation to enforce least-privilege access at fine granularity. Every cloud engineer must understand IAM deeply, because over-permissive or misconfigured permissions are one of the most common root causes of cloud security incidents.
IAM Core Concepts: Principals, Policies, and Trust
IAM models access through four building blocks: principals (who is making the request), policies (what actions are allowed or denied), resources (which AWS objects are targeted), and conditions (under which circumstances a statement applies, for example the caller's source IP, whether MFA was used, or tags on the resource).
| Concept | What it is | Example |
|---|---|---|
| User | A long-term identity for a human or application | ci-deploy-user for a Jenkins pipeline |
| Group | Collection of users sharing the same policies | Developers group with read-only S3 |
| Role | Temporary identity assumed by principals or services | EC2 instance role, Lambda execution role |
| Policy | JSON document defining Allow/Deny actions on resources | AmazonS3ReadOnlyAccess managed policy |
| Trust Policy | Defines who is allowed to assume a role | Allow EC2 service to assume a role |
Prefer roles over long-term access keys whenever possible. Roles issue temporary credentials via STS that expire on their own (instance profiles and Lambda refresh them for you), so a leaked credential is useful only until it expires, a much smaller blast radius than a static access key that lives until someone rotates it.
Policy Types and Evaluation Logic
IAM evaluates every policy type that applies to a request. The default is an implicit deny: a request is allowed only when some applicable policy explicitly allows it and no applicable policy explicitly denies it. An explicit Deny in any policy type always wins. When an SCP, permissions boundary or session policy is in play, each of those must also allow the action; an Allow there is a filter, not a grant.
| Policy Type | Where attached | Use case |
|---|---|---|
| Identity-based | Users, Groups, Roles | Grant permissions to an IAM identity |
| Resource-based | AWS resource (S3 bucket, KMS key) | Cross-account access, grant access to a specific role |
| SCP (Service Control Policy) | AWS Organizations OU or account | Set maximum permissions guardrails org-wide |
| Permissions Boundary | IAM user or role | Cap the effective permissions of that entity, e.g. when delegating user/role creation to developers |
| Session Policy | Passed at role assumption time (AssumeRole, federation calls) | Further restrict a single STS session below the role's own permissions |
| ACL | S3 buckets and objects | Legacy; prefer bucket policies (VPC network ACLs are a networking control, not an IAM policy type) |
The documented evaluation sequence is: explicit Deny in any policy > SCPs > resource-based policies > identity-based policies > permissions boundaries > session policies. Read it as a chain of gates rather than a priority list: an explicit Deny anywhere ends evaluation, the SCPs must allow, and then either a resource-based policy allows the (same-account) principal outright, or the identity-based policy allows and the boundary and session policy, where present, allow as well.
SCPs do not grant permissions; they only restrict. An SCP that allows s3:* does nothing unless the identity (or resource) policy also grants S3 access. SCPs also never apply to principals in the organization's management account, so guardrails are only enforced in member accounts. Both points trip up many engineers in multi-account setups.
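The gate sequence above is easier to trust once you have run requests through it. The following is an added example, not AWS code: a small model of the evaluation logic for a same-account request that implements explicit-Deny-first, then SCPs, resource-based, identity-based, permissions boundary and session policy, and ignores Condition blocks, NotAction/NotResource and cross-account rules. All policy documents and the `evaluate` function are constructed for this illustration.

```python
"""Model of the IAM evaluation logic described above.

Added example, not AWS code. It implements the documented decision
sequence for a same-account request: explicit Deny anywhere, then SCPs,
then resource-based, identity-based, permissions boundary and session
policies. Condition blocks, NotAction/NotResource and cross-account
rules are deliberately left out. All policies below are constructed.
"""
from fnmatch import fnmatchcase  # IAM's * and ? wildcards map onto fnmatch


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    # Action names are matched case-insensitively; resource ARNs are case-sensitive.
    action_ok = any(fnmatchcase(action.lower(), pat.lower())
                    for pat in _as_list(statement.get("Action")))
    resource_ok = any(fnmatchcase(resource, pat)
                      for pat in _as_list(statement.get("Resource", "*")))
    return action_ok and resource_ok


def decision(policy, action, resource):
    """'Deny', 'Allow' or None (no matching statement) for one policy document."""
    verdict = None
    for st in _as_list((policy or {}).get("Statement")):
        if _matches(st, action, resource):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny inside a document is final
            verdict = "Allow"
    return verdict


def evaluate(action, resource, identity=None, resource_policy=None,
             scps=(), boundary=None, session=None):
    """Return (final decision, which gate produced it)."""
    everything = [identity, resource_policy, *scps, boundary, session]
    # 1. An explicit Deny in any applicable policy type wins outright.
    if any(decision(p, action, resource) == "Deny" for p in everything if p):
        return "Deny", "explicit deny"
    # 2. Every SCP level that applies must allow; an SCP never grants on its own.
    if any(decision(scp, action, resource) != "Allow" for scp in scps):
        return "Deny", "SCP does not allow"
    # 3. A resource-based policy that allows the same-account principal is sufficient.
    if decision(resource_policy, action, resource) == "Allow":
        return "Allow", "resource-based policy"
    # 4. Otherwise the identity-based policy must allow ...
    if decision(identity, action, resource) != "Allow":
        return "Deny", "implicit deny (no Allow)"
    # 5. ... and so must a permissions boundary and a session policy, if present.
    if boundary is not None and decision(boundary, action, resource) != "Allow":
        return "Deny", "permissions boundary does not allow"
    if session is not None and decision(session, action, resource) != "Allow":
        return "Deny", "session policy does not allow"
    return "Allow", "identity-based policy"


# Constructed sample policies in IAM JSON shape (Principal omitted on purpose).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
SCP_READ_ONLY_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "ec2:*"], "Resource": "*"}]}
SCP_FULL_S3 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::logs/*"}]}
OBJ = "arn:aws:s3:::logs/2024/app.log"

if __name__ == "__main__":
    cases = [
        ("identity allows GetObject", dict(action="s3:GetObject", resource=OBJ, identity=IDENTITY)),
        ("identity explicit Deny wins", dict(action="s3:DeleteBucket", resource="arn:aws:s3:::logs", identity=IDENTITY)),
        ("SCP filters identity Allow", dict(action="s3:PutObject", resource=OBJ, identity=IDENTITY, scps=[SCP_READ_ONLY_S3])),
        ("SCP Allow grants nothing", dict(action="s3:GetObject", resource=OBJ, identity=EC2_ONLY, scps=[SCP_FULL_S3])),
        ("boundary caps identity", dict(action="s3:PutObject", resource=OBJ, identity=IDENTITY, boundary=SCP_READ_ONLY_S3)),
        ("bucket policy alone", dict(action="s3:GetObject", resource=OBJ, resource_policy=BUCKET_POLICY)),
    ]
    for label, kwargs in cases:
        print(f"{label:30} -> {evaluate(**kwargs)}")
```

The fourth case is the SCP point from the text: `SCP_FULL_S3` allows `s3:*`, yet the request is still denied because the identity policy only grants EC2. The model also makes the difference between an SCP and an identity-policy Deny visible: both end in Deny, but the SCP case reports a filter that failed to allow, while a Deny statement short-circuits everything.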
IAM Roles and STS Credential Lifecycle
When a principal assumes a role, AWS Security Token Service (STS) issues temporary credentials (access key, secret key, session token and an expiry) with a duration you choose per call, capped by the role's maximum session duration (1 hour by default, configurable up to 12 hours). A session obtained by role chaining, that is assuming a role from another role's temporary credentials, is capped at 1 hour regardless. This is the mechanism behind EC2 instance profiles, Lambda execution roles, cross-account access, and OIDC-based federation.
# Assume a role and get temporary credentials (AccessKeyId, SecretAccessKey,
# SessionToken, Expiration); --duration-seconds cannot exceed the role's
# maximum session duration
aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/MyRole \
  --role-session-name my-session \
  --duration-seconds 3600
# Check who you are currently authenticated as (account, user or assumed-role ARN)
aws sts get-caller-identity
# Use a named profile that assumes a role automatically; with mfa_serial set,
# the CLI prompts for the MFA code before calling AssumeRole
# ~/.aws/config
[profile dev-admin]
role_arn = arn:aws:iam::123456789012:role/AdminRole
source_profile = default
mfa_serial = arn:aws:iam::999999999999:mfa/my-user
OIDC federation is the modern way to grant GitHub Actions, GitLab CI, or Kubernetes pods access to AWS without storing long-term keys. The CI provider issues a short-lived OIDC token (a signed JWT) that IAM validates against the provider's published public keys and exchanges for STS credentials via sts:AssumeRoleWithWebIdentity. The role's trust policy must pin the token's audience (aud) and subject (sub) claims: a trust policy that names only the provider lets any token that provider issues, for GitHub any repository at all, assume the role.
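The trust policy is where OIDC federation is won or lost, so here is an added example (not GitHub's or AWS's code) that builds the GitHub Actions trust policy with the aud and sub claims pinned, and a checker that flags trust policies which trust the provider without constraining sub. The claim names `token.actions.githubusercontent.com:aud` and `:sub` are the ones GitHub's provider issues; the account ID, organisation, repository and branch are placeholders, and `trust_policy_findings` is a constructed helper.

```python
"""Build and lint the role trust policy for GitHub Actions OIDC federation.

Added example, not GitHub's or AWS's code. The claim names
(token.actions.githubusercontent.com:aud / :sub) are the ones the GitHub
provider issues; the account ID, organisation, repository and branch are
placeholders. trust_policy_findings checks for the common mistake of
trusting the provider without pinning the sub claim.
"""
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def github_trust_policy(account_id, org, repo, branch="main"):
    """Trust policy that lets only one repository's workflows on one branch assume the role."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud must equal the audience the workflow requested
                "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
                # sub encodes repository and ref; StringLike permits a wildcard ref if wanted
                "StringLike": {f"{GITHUB_OIDC}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def trust_policy_findings(policy):
    """Return human-readable problems with the GitHub OIDC statements of a trust policy."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(st.get("Action")):
            continue
        federated = _as_list((st.get("Principal") or {}).get("Federated"))
        if not any(GITHUB_OIDC in arn for arn in federated):
            continue
        # Flatten Condition into claim -> [(operator, value), ...]
        claims = {}
        for operator, pairs in (st.get("Condition") or {}).items():
            for key, value in pairs.items():
                claims.setdefault(key, []).append((operator, value))
        if f"{GITHUB_OIDC}:aud" not in claims:
            findings.append(f"statement {i}: aud claim is not checked")
        sub = claims.get(f"{GITHUB_OIDC}:sub")
        if not sub:
            findings.append(f"statement {i}: sub claim is not checked; any GitHub repository can assume this role")
            continue
        for operator, value in sub:
            for pattern in _as_list(value):
                if operator.startswith("StringLike") and (pattern == "*" or pattern.startswith("repo:*")):
                    findings.append(f"statement {i}: sub pattern {pattern!r} is not scoped to an organisation or repository")
    return findings


# Constructed: a trust policy that names the provider and audience but never checks sub.
PROVIDER_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}},
    }],
}

if __name__ == "__main__":
    good = github_trust_policy("123456789012", "my-org", "my-repo")
    print(json.dumps(good, indent=2))
    print("pinned policy findings:", trust_policy_findings(good))
    print("provider-only findings:", trust_policy_findings(PROVIDER_ONLY))
```

The provider itself still has to be registered once per account as an IAM OIDC identity provider, and the workflow needs the `id-token: write` permission to request a token; the trust policy above is what turns that token into credentials for exactly one repository.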
Designing for Least Privilege
Least privilege means granting only the permissions needed to perform a specific task, nothing more. AWS provides several tools to help identify and trim over-permissive access.
| Tool | What it does |
|---|---|
| IAM Access Analyzer | Identifies resources shared externally, generates least-privilege policies from CloudTrail activity |
| IAM Access Advisor | Shows last-accessed timestamps per service for a user or role |
| Credential Report | CSV of all users, their key ages, MFA status, last login |
| Policy Simulator | Test whether a policy allows or denies specific API calls before applying |
| AWS Config managed rules | Continuously checks for IAM misconfigurations like unused credentials |
# Start a last-accessed report for the role (returns a JobId); add
# --granularity ACTION_LEVEL for per-action detail where AWS supports it
aws iam generate-service-last-accessed-details \
  --arn arn:aws:iam::123456789012:role/MyRole
# Fetch the report: services with no LastAuthenticated were not used during
# the tracking period, so their permissions are candidates for removal
aws iam get-service-last-accessed-details \
  --job-id <job-id>
Wildcard actions like s3:* or iam:* in production policies are a red flag, and so is Resource "*" on any action that touches IAM, STS or KMS. Scope permissions to the minimum required actions and to specific resource ARNs wherever possible. Note that generating a policy from observed CloudTrail activity is a separate IAM Access Analyzer feature; the last-accessed report above tells you what to cut, not what to write.
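To make the wildcard warning actionable, here is an added example of a small policy linter; it is not an AWS tool (Access Analyzer's policy checks cover this ground properly) and its severities are a judgement call. It walks the Allow statements of a policy document, flags `Action: "*"`, service-wide wildcards, mutating partial wildcards, `Resource: "*"` combined with sensitive services, and `NotAction`/`NotResource` in Allow statements. Condition blocks are ignored, the `SENSITIVE_SERVICES` list is an assumption, and the sample policy is constructed.

```python
"""Lint an IAM policy for the over-permissive patterns the section calls out.

Added example, not an AWS tool. Only Allow statements are inspected;
Condition blocks are ignored, so a finding means "look here", not
"this is exploitable". SENSITIVE_SERVICES is an assumption, and the
sample policy is constructed.
"""

# Services where a wildcard or Resource "*" can escalate to control of the account.
SENSITIVE_SERVICES = ("iam", "sts", "kms", "organizations", "sso", "cloudtrail")
RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def _as_list(value):
    """IAM accepts a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (statement index, severity, message) tuples, highest severity first."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue  # a broad Deny is a guardrail, not a risk
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        if "NotAction" in st:
            findings.append((i, "HIGH", "Allow with NotAction grants every action not listed"))
        if "NotResource" in st:
            findings.append((i, "HIGH", "Allow with NotResource grants every resource not listed"))
        for action in actions:
            service, _, verb = action.partition(":")
            if action == "*":
                findings.append((i, "HIGH", "Action '*' grants every API call"))
            elif verb == "*":
                severity = "HIGH" if service in SENSITIVE_SERVICES else "MEDIUM"
                findings.append((i, severity, f"service-wide wildcard {action}"))
            elif "*" in verb and not verb.startswith(("get", "list", "describe")):
                findings.append((i, "MEDIUM", f"mutating wildcard {action}"))
        if "*" in resources:
            risky = [a for a in actions
                     if a == "*" or a.partition(":")[0] in SENSITIVE_SERVICES]
            if risky:
                findings.append((i, "HIGH", f"Resource '*' combined with {', '.join(risky)}"))
            elif actions:
                # Some read-only calls (e.g. s3:ListAllMyBuckets) genuinely need "*".
                findings.append((i, "LOW", "Resource '*': scope to ARNs where the API supports resource-level permissions"))
    findings.sort(key=lambda f: (RANK[f[1]], f[0]))
    return findings


# Constructed sample: one tight statement, two over-permissive ones, one Deny guardrail.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"]},
    {"Sid": "TooBroad", "Effect": "Allow", "Action": ["s3:*", "iam:PassRole"], "Resource": "*"},
    {"Sid": "Escape", "Effect": "Allow", "NotAction": "organizations:*", "Resource": "*"},
    {"Sid": "Guardrail", "Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
]}

if __name__ == "__main__":
    for index, severity, message in lint_policy(SAMPLE):
        sid = SAMPLE["Statement"][index].get("Sid", index)
        print(f"[{severity}] {sid}: {message}")
```

The `iam:PassRole` on `Resource "*"` finding is the one to act on first: it lets the holder hand any role in the account to a service it can launch, which is a classic privilege-escalation path, while the `s3:*` wildcard is merely broad. Feed `lint_policy` the JSON from `aws iam get-policy-version` to run it over real documents.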
Common IAM Patterns in Real Architectures
Real-world IAM usage follows a set of well-established patterns that appear repeatedly in cloud architecture interviews.
| Pattern | How it works | When to use |
|---|---|---|
| Instance Profile | Attach a role to EC2 at launch; app calls AWS SDK without any keys | Any EC2 workload needing AWS API access |
| Cross-account role | Role in account B trusts a principal in account A; account A assumes it | Multi-account architectures, CI/CD pipelines |
| OIDC federation | IAM trusts an OIDC provider (GitHub, Kubernetes); short-lived token exchanged for credentials | GitHub Actions, EKS pod identity, GitLab CI |
| Permission Boundary | Boundary policy caps max permissions a developer can self-assign | Delegating IAM management safely |
| Service-linked role | AWS auto-creates and manages the role for a service (e.g., ECS, RDS) | Managed services that need AWS API access |
Interview Focus Points
1. What is the difference between an IAM role and an IAM user? When would you use each?
2. Walk me through the IAM policy evaluation order. What happens when an SCP denies something that an identity policy allows?
3. How does OIDC federation work for GitHub Actions? What problem does it solve over using access keys?
4. What is a permissions boundary and when would you use one?
5. How would you audit an AWS account to find over-permissive IAM roles?
6. A Lambda function needs read access to an S3 bucket in a different account. Walk me through the exact IAM configuration required.
7. What is the difference between a resource-based policy and an identity-based policy? Give an example of each.
8. How do you enforce MFA for specific sensitive actions in IAM without forcing MFA on every single API call?
9. What does IAM Access Analyzer do and how is it different from a manual policy review?
10. What is the difference between an SCP denying an action and an explicit Deny in an identity policy?