3.12 Introduction to AWS IAM

In this section we will explore IAM, which stands for Identity and Access Management. It is the AWS service used to manage all security-related concerns: users, roles, groups, and the root account. The root account must never be used by anyone after the initial setup and its credentials must never be shared. It is reserved for that first setup step, where the first IAM users are created. From that point on, all security aspects must be handled through IAM.

IAM building blocks

  • Users: typically physical persons connecting to AWS.
  • Groups: containers that gather users by function, role, or team.
  • Roles: identities assumed by AWS services or applications (rather than people) to use other AWS resources.
  • Policies: written in JSON, they define what each user, group, or role is allowed or denied to do.

IAM is a global service: any decision or configuration made in IAM applies across all AWS services and regions. Permissions are managed through policies attached to users, groups, or roles. You can also enforce strong authentication mechanisms such as MFA (multi-factor authentication) to reinforce account security. Later we will see how to write policies in JSON format.
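To make the "allowed or denied" semantics of a JSON policy concrete, here is an added example (not code from the course): a constructed policy document for a developers group, and a simplified re-implementation of how IAM decides a request, in which an explicit Deny always wins over an Allow and anything not explicitly allowed is implicitly denied. The bucket name and the `evaluate` helper are assumptions for illustration; only the `Bool`/`BoolIfExists` condition operators used by the MFA pattern are modelled.

```python
import fnmatch
import json
# Constructed example policy (not from the course): read-only access to one S3
# bucket, plus an explicit Deny on every IAM action unless MFA was used to sign in.
DEVELOPER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Action": "iam:ChangePassword", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}
  ]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM policy wildcards are '*' and '?'. Matching is case-insensitive here for
    # simplicity; in IAM, actions are case-insensitive but resource ARNs are not.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_holds(condition, ctx):
    # Bool: key must be present and equal. BoolIfExists: a missing key also satisfies
    # the test, which is why the Deny above fires for sessions with no MFA claim at all.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None:
                if operator == "Bool":
                    return False
                continue  # BoolIfExists with a missing key: satisfied
            if str(actual).lower() != str(expected).lower():
                return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Simplified IAM decision: explicit Deny wins, then explicit Allow, else implicit deny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # one matching Deny overrides any number of Allows
        decision = "Allow"
    return decision
```

Running `evaluate(DEVELOPER_POLICY, "iam:ChangePassword", "*")` without an MFA claim in the context returns `"Deny"` even though an Allow statement matches, while the same call with `{"aws:MultiFactorAuthPresent": "true"}` returns `"Allow"`.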

In larger organizations, companies often maintain their own user directory. Through identity federation using the SAML standard (widely used with Active Directory or LDAP), users can sign in to AWS with their corporate credentials, avoiding the need to manage a separate user base inside AWS.

Finally, here are the IAM best practices for account governance: one IAM user per physical person, one IAM role per application, never share IAM credentials, never hardcode credentials in your code, and never use the root account after initial setup. The recommended approach is to create administrator accounts and lock the root account afterward. In the next module, we will see how to create users, roles, and groups in IAM.

Summary

This lesson introduces AWS IAM (Identity and Access Management), the core service for managing access rights and security across AWS infrastructure. It covers the fundamental components—users, groups, and roles—and explains how IAM policies enforce security at a global scope across all AWS services. Key best practices include using one IAM account per person, never sharing credentials, and implementing multi-factor authentication.

Key points

  • IAM manages identity and access control for all AWS security aspects—users, groups, roles, and permissions
  • Root account should never be used; create dedicated IAM users and groups organized by function, team, or business unit
  • IAM is a global service—all configurations apply across all AWS regions and services automatically
  • Security policies are written in JSON format and can be attached to users, groups, or roles to define allowed and denied actions
  • Authentication can include multi-factor authentication (MFA) and federation standards like SAML for enterprise integration
  • Best practices: one IAM account per person, one role per job function, never share credentials, never hardcode credentials in code

FAQ

What is the difference between users, groups, and roles in AWS IAM?

Users represent individual people or applications needing AWS access. Groups organize users by function, team, or department for easier permission management. Roles are for temporary access or services—they define what actions are permitted on AWS resources. Each person should have one IAM account, one assigned role, and belong to appropriate groups.

Why should I never use the root account after initial AWS setup?

The root account has unrestricted access to all AWS resources and cannot be restricted by policies. Best practice is to use it only for initial setup (creating first users and groups), then secure it and always use dedicated IAM accounts with the minimum necessary permissions.

How does IAM manage security across multiple AWS services?

IAM is a global service—policies and configurations created in IAM apply across all AWS services and all regions. This ensures consistent security enforcement and centralized identity management across your entire AWS infrastructure.