AWS IAM (Identity and Access Management)
IAM Deep Dive
Granular access control across all AWS services.
IAM Architecture
Principal Types
- Users: individual humans or service accounts holding long-term credentials (password, access keys)
- Groups: collections of users that share attached policies (a group is not itself a principal)
- Roles: assumed by AWS services or users to obtain short-lived STS credentials
- Federated Users: external identities (SSO, SAML, OIDC) that map to a role rather than an IAM user

Policy Evaluation Logic
- Explicit Deny > Allow > Default (implicit) Deny: a matching Deny in any applicable policy wins, a matching Allow is then required, and a request with neither is denied

Policy Types
- Identity-based (attached to users, groups, roles) vs resource-based (attached to the resource, e.g. S3 bucket policies)
- Managed (reusable, versioned) vs inline (embedded in one identity)
- Permissions boundaries: cap the maximum permissions an identity policy can grant
- Service Control Policies (AWS Organizations): cap what any principal in a member account can do
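The evaluation order above, as an added toy simulator (not AWS code): it walks identity policies, a permissions boundary and an SCP for one request, applying explicit Deny, then required Allow, then implicit Deny, with the `*`/`?` wildcards IAM accepts in Action and Resource. The policy documents, the request context and the `is_allowed`/`evaluate_policy` names are constructed for this example; only the Bool/StringEquals condition operators (and their ...IfExists forms) are modelled, resource policies and NotAction/NotResource/Principal are not.

```python
"""Toy simulator of the IAM evaluation order: explicit Deny > Allow > implicit Deny.

Added example, not AWS code. Models identity policies, a permissions boundary and
an SCP (no resource policies). Only Bool/StringEquals conditions and their
...IfExists forms are supported; NotAction/NotResource/Principal are rejected.
All policies and contexts below are constructed sample data.
"""
import re


def _matches_any(patterns, value, ignore_case):
    """True if value matches one of the IAM-style wildcard patterns ('*' and '?')."""
    if isinstance(patterns, str):
        patterns = [patterns]
    flags = re.IGNORECASE if ignore_case else 0
    for pattern in patterns:
        regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if re.match(regex, value, flags):
            return True
    return False


def _condition_ok(condition, context):
    """Evaluate a Condition block. A key missing from the request context fails the
    clause, as in IAM, unless the operator is the ...IfExists variant."""
    for operator, clauses in (condition or {}).items():
        base, if_exists = operator.replace("IfExists", ""), operator.endswith("IfExists")
        if base not in ("Bool", "StringEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, expected in clauses.items():
            if key not in context:
                if if_exists:
                    continue
                return False
            wanted = expected if isinstance(expected, list) else [expected]
            if str(context[key]).lower() not in [str(v).lower() for v in wanted]:
                return False
    return True


def evaluate_policy(policy, action, resource, context):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    verdict = None
    for stmt in policy["Statement"]:
        if any(k in stmt for k in ("NotAction", "NotResource", "Principal")):
            raise ValueError("statement element not supported by this toy evaluator")
        if not _matches_any(stmt["Action"], action, ignore_case=True):  # actions are case-insensitive
            continue
        if not _matches_any(stmt["Resource"], resource, ignore_case=False):
            continue
        if not _condition_ok(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny ends evaluation of this policy
        verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, boundary=None, scp=None, context=None):
    """Explicit Deny in any layer wins; otherwise every applicable layer (identity
    policies, boundary, SCP) must contain an Allow; otherwise implicit Deny."""
    context = context or {}
    layers = [identity_policies]
    if boundary is not None:
        layers.append([boundary])
    if scp is not None:
        layers.append([scp])
    results = [[evaluate_policy(p, action, resource, context) for p in layer] for layer in layers]
    if any("Deny" in layer for layer in results):
        return False
    return all("Allow" in layer for layer in results)


# Constructed sample policies (hypothetical account, bucket and context values)
DEVELOPER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [  # boundary: S3 only, and writes require MFA
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:Put*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},  # IfExists also catches access-key calls
]}
SCP = {"Version": "2012-10-17", "Statement": [  # organization-level cap
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
MFA, NO_MFA = {"aws:MultiFactorAuthPresent": "true"}, {"aws:MultiFactorAuthPresent": "false"}

if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/uploads/report.csv"
    print(is_allowed("s3:GetObject", obj, [DEVELOPER], BOUNDARY, SCP, NO_MFA))  # True: reads need no MFA
    print(is_allowed("s3:PutObject", obj, [DEVELOPER], BOUNDARY, SCP, NO_MFA))  # False: boundary explicit Deny
    print(is_allowed("s3:PutObject", obj, [DEVELOPER], BOUNDARY, SCP, MFA))     # True
    print(is_allowed("s3:PutObject", "arn:aws:s3:::example-bucket/other.csv",
                     [DEVELOPER], BOUNDARY, SCP, MFA))                          # False: implicit Deny
```

Note the last case: nothing denies the write to `other.csv`, yet it fails because no identity policy allows it, which is the implicit Deny at the bottom of the order. Swapping `BoolIfExists` for plain `Bool` in the boundary would let a request made with long-term access keys (where `aws:MultiFactorAuthPresent` is absent) bypass the MFA requirement, which is why the IfExists form is used.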
Best Practices
- Enable MFA everywhere: root user first, then every identity with console access; enforce it with a Deny condition on aws:MultiFactorAuthPresent
- Least privilege: grant only the permissions a task needs, then tighten further from last-accessed data instead of starting broad
- Separate admin and operational identities, and keep day-to-day work out of the management account
- Enforce an account password policy (length, reuse prevention, rotation) and rotate or remove long-lived access keys
- IAM Access Analyzer: find unused permissions, roles and access keys, and resources shared outside the account