AWS IAM Notes – AWS Solutions Architect

This is some rough notes on IAM in AWS, covering IAM Roles, IAM Users and IAM Policies. The notes are aims at studying for the AWS Solutions Architect Certification and should cover the main points required for that exam.

AWS IAM can be summed up by saying that it authenticates and authorities you to and in AWS.

Root user is first user and has all permissions to everything on the account. It can’t be removed.

It it this root user that is responsible for the initial IAM set up.

It is possible to customize the IAM login URL

ARN – Amazon Resource Name – Is globally unique

Roles – described by a JSON doc describing when and what permissions are granted to the role and under what specific circumstances.

IAM Credentials


Access keys – normally used through an  API or the CLI

Short term credentials

By default an IAM identity has no permissions at all. This is called an Implicit Deny.

You must explicitly grant the permissions that you want.

IAM Policies

Can be resource or identity policies

They are set out in a JSON Doc.

The doc consists of an combination of action and resource

Actions can be specific or can include wild cards

Actions can Allow or Deny

There are AWS managed policies and customer managed policies

An explicit Deny overrides everything else

Policies can apply to Users, groups and roles.

IAM Users

Users generally have a 1:1 mapping to a real person or an app

Only users can login.

Principal -> Authentication -> Authenticated IAM User

Max 5000 users per account

10 group memberships per user

Default max of 10 managed policies per user.

2048 character limit for the total characters across all inline policies associated with that IM user.

2 access keys per user

1 MFA per user

IAM Groups

IAM Groups allow you to group IAM users together.

There is a many to many relationship between IAM Users and IAM Groups.

Policies can be attached to a group and those flow down to the users.

Groups are not real identities  and as such they cannot be referenced from resource policies.

Groups have no credentials and cannot login.

Groups don’t really get policies. They flow down and are attached to the users.

IAM Access Keys

Access Key ID – Like Username

Secret Access Key – Like password – only available once and not stored by AWS.

Maximum of 2 access keys at one time regardless of their status.

You can make them inactive

Can also delete them

They do not expire.

Leave a Comment