⏱ Duration: 5 Hours
📚 Learning Objectives
- Understand IAM and its importance
- Create and manage IAM users and groups
- Understand and create IAM policies
- Work with IAM roles
- Implement IAM security best practices
📖 Core Concepts (2 Hours)
What is IAM?
AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources securely. It's a global service (not region-specific).
- Users: Individual identities with long-term credentials (console password, access keys)
- Groups: Collections of users that share a set of attached permissions
- Roles: Identities with no long-term credentials; AWS services, users or other accounts assume them to obtain temporary credentials
- Policies: JSON documents that define which actions are allowed or denied on which resources
IAM Components
IAM Hierarchy:
AWS Account (Root User)
│
├── IAM Users
│   ├── Console password
│   ├── Access keys (CLI/API)
│   └── MFA device
│
├── IAM Groups
│   ├── Developers
│   ├── Admins
│   └── DevOps
│
├── IAM Roles
│   ├── EC2 instance role
│   ├── Lambda execution role
│   └── Cross-account role
│
└── IAM Policies
    ├── AWS Managed
    ├── Customer Managed
    └── Inline Policies
IAM Policy Structure
Annotated structure (the // comments are explanations only; real policy JSON allows no comments):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DescribeStatement",
      "Effect": "Allow",                  // Allow or Deny
      "Action": [                         // What actions
        "ec2:Describe*",
        "s3:GetObject"
      ],
      "Resource": [                       // On what resources ("*" = any resource)
        "arn:aws:s3:::my-bucket/*",
        "*"
      ],
      "Condition": {                      // When (optional)
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    }
  ]
}
Policy Evaluation Logic (in order of precedence):
1. Explicit Deny → DENY (a matching Deny in any applicable policy overrides every Allow)
2. Explicit Allow → ALLOW (any matching Allow grants the request)
3. No matching statement → DENY (implicit default)
Common AWS Managed Policies
Commonly Used Managed Policies:
Full Access:
├── AdministratorAccess   # Full AWS access
├── PowerUserAccess       # Full except IAM/Organizations
└── ViewOnlyAccess        # Read-only across services
Service-Specific:
├── AmazonEC2FullAccess
├── AmazonEC2ReadOnlyAccess
├── AmazonS3FullAccess
├── AmazonS3ReadOnlyAccess
├── AmazonVPCFullAccess
└── IAMFullAccess
Job Functions:
├── SystemAdministrator
├── DatabaseAdministrator
├── NetworkAdministrator
└── SecurityAudit
IAM Roles vs Users
IAM Users:
✓ Long-term credentials
✓ For humans or applications
✓ Access keys + passwords
✓ Direct permissions
IAM Roles:
✓ Temporary credentials (issued by STS)
✓ No passwords or long-term keys; credentials expire and are renewed automatically
✓ Assumed by services/users
✓ Best for EC2, Lambda, cross-account
Use Roles When:
• EC2 needs to access S3
• Lambda needs to access DynamoDB
• Giving access to another AWS account
• Federated user access (SSO)
🔬 Hands-on Lab (2.5 Hours)
Lab 1: Create IAM User
- Create an IAM user with console access
- Generate access keys for CLI
- Attach managed policy
# Create IAM user
aws iam create-user --user-name devops-user
# Create login profile (console access); the user must change this temporary
# password at first sign-in (note that it is also recorded in your shell history)
aws iam create-login-profile \
  --user-name devops-user \
  --password "TempPass123!" \
  --password-reset-required
# Create access keys (CLI access)
aws iam create-access-key --user-name devops-user
# Save the output! The secret access key is shown only once:
# {
#   "AccessKey": {
#     "UserName": "devops-user",
#     "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
#     "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
#     "Status": "Active"
#   }
# }
# Attach managed policy
aws iam attach-user-policy \
  --user-name devops-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
# List attached policies
aws iam list-attached-user-policies --user-name devops-user
Lab 2: Create IAM Group
- Create a group for DevOps team
- Attach policies to group
- Add user to group
# Create group
aws iam create-group --group-name DevOpsTeam
# Attach policies to group
aws iam attach-group-policy \
  --group-name DevOpsTeam \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam attach-group-policy \
  --group-name DevOpsTeam \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
# Add user to group
aws iam add-user-to-group \
  --user-name devops-user \
  --group-name DevOpsTeam
# List group members
aws iam get-group --group-name DevOpsTeam
# List groups for user
aws iam list-groups-for-user --user-name devops-user
Lab 3: Create Custom Policy
- Create a custom policy JSON
- Create and attach the policy
# Create custom policy document
cat > custom-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEC2Describe",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:List*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::devops-*",
        "arn:aws:s3:::devops-*/*"
      ]
    },
    {
      "Sid": "DenyDeleteActions",
      "Effect": "Deny",
      "Action": [
        "ec2:TerminateInstances",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
EOF
# Create the policy and capture its ARN for the later steps
POLICY_ARN=$(aws iam create-policy \
  --policy-name DevOpsCustomPolicy \
  --policy-document file://custom-policy.json \
  --query 'Policy.Arn' --output text)
echo "Policy ARN: $POLICY_ARN"
# Attach to user
aws iam attach-user-policy \
  --user-name devops-user \
  --policy-arn "$POLICY_ARN"
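To see what the Lab 3 policy actually grants, and how the "Policy Evaluation Logic" order above plays out when devops-user also holds AmazonEC2FullAccess through the DevOpsTeam group from Lab 2, here is a small evaluator written for this page (not AWS code and not the IAM policy simulator). It assumes identity-based policies only, no Condition, NotAction or NotResource elements, and it uses a constructed, simplified stand-in for the AmazonEC2FullAccess document.

```python
import fnmatch

# Lab 3's DevOpsCustomPolicy from this page, as a Python dict so the example runs offline
CUSTOM_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowEC2Describe", "Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:List*"], "Resource": "*"},
    {"Sid": "AllowS3BucketAccess", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::devops-*", "arn:aws:s3:::devops-*/*"]},
    {"Sid": "DenyDeleteActions", "Effect": "Deny",
     "Action": ["ec2:TerminateInstances", "s3:DeleteBucket"], "Resource": "*"},
]}

# Constructed, simplified stand-in for the AmazonEC2FullAccess policy the DevOpsTeam
# group grants in Lab 2 (the real managed policy contains more statements than this)
GROUP_EC2_FULL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}


def _matches(patterns, value, case_sensitive):
    """IAM-style wildcard match (* and ?); action names match case-insensitively."""
    if isinstance(patterns, str):
        patterns = [patterns]
    if not case_sensitive:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Decide one request against identity-based policies in the page's order:
    an explicit Deny anywhere wins, otherwise any Allow grants, otherwise implicit deny.
    Assumption: no Condition/NotAction/NotResource, no resource policies or SCPs."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_sensitive=False):
                continue
            if not _matches(stmt["Resource"], resource, case_sensitive=True):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"   # short-circuit: nothing overrides a Deny
            decision = "Allow"
    return decision


if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    # The Deny in the custom policy still wins although the group allows ec2:*
    print(evaluate([CUSTOM_POLICY, GROUP_EC2_FULL], "ec2:TerminateInstances", inst))
    print(evaluate([CUSTOM_POLICY], "s3:GetObject", "arn:aws:s3:::finance/q1.csv"))
```

Run it against your own policy documents (`json.load` them into the same shape) to sanity-check a least-privilege design before attaching it.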
Lab 4: Create IAM Role for EC2
- Create trust policy for EC2
- Create role and attach policy
- Create instance profile
# Create trust policy (who can assume the role)
cat > trust-policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
# Create the role
aws iam create-role \
  --role-name EC2-S3-Access-Role \
  --assume-role-policy-document file://trust-policy.json
# Attach S3 read-only policy
aws iam attach-role-policy \
  --role-name EC2-S3-Access-Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
# Create instance profile (required for EC2)
aws iam create-instance-profile \
  --instance-profile-name EC2-S3-Access-Profile
# Add role to instance profile
aws iam add-role-to-instance-profile \
  --instance-profile-name EC2-S3-Access-Profile \
  --role-name EC2-S3-Access-Role
# Now you can launch EC2 with this profile
# aws ec2 run-instances ... --iam-instance-profile Name=EC2-S3-Access-Profile
Lab 5: IAM Best Practices & Cleanup
# IAM Security Best Practices:
# 1. Enable MFA on root account
# 2. Create individual IAM users (no shared accounts)
# 3. Use groups to assign permissions
# 4. Grant least privilege
# 5. Use roles for applications
# 6. Rotate credentials regularly
# 7. Remove unused credentials
# 8. Use policy conditions for extra security
# 9. Monitor activity with CloudTrail
# Check for unused credentials (the report is a base64-encoded CSV)
aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 -d
# Cleanup
# Detach policies from user
aws iam detach-user-policy \
  --user-name devops-user \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
aws iam detach-user-policy \
  --user-name devops-user \
  --policy-arn "$POLICY_ARN"
# Remove user from group
aws iam remove-user-from-group \
  --user-name devops-user \
  --group-name DevOpsTeam
# Delete access keys (the lab user has exactly one; loop over all of them otherwise)
ACCESS_KEY_ID=$(aws iam list-access-keys --user-name devops-user \
  --query 'AccessKeyMetadata[0].AccessKeyId' --output text)
aws iam delete-access-key --user-name devops-user --access-key-id "$ACCESS_KEY_ID"
# Delete login profile
aws iam delete-login-profile --user-name devops-user
# Delete user (fails while any key, policy, group membership or login profile remains)
aws iam delete-user --user-name devops-user
# Detach policies from group and delete
aws iam detach-group-policy --group-name DevOpsTeam \
  --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess
aws iam detach-group-policy --group-name DevOpsTeam \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess
aws iam delete-group --group-name DevOpsTeam
# Delete custom policy
aws iam delete-policy --policy-arn "$POLICY_ARN"
# Delete role and instance profile
aws iam remove-role-from-instance-profile \
  --instance-profile-name EC2-S3-Access-Profile \
  --role-name EC2-S3-Access-Role
aws iam delete-instance-profile --instance-profile-name EC2-S3-Access-Profile
aws iam detach-role-policy --role-name EC2-S3-Access-Role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
aws iam delete-role --role-name EC2-S3-Access-Role
# Cleanup local files
rm -f custom-policy.json trust-policy.json
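The credential report that Lab 5 decodes is only useful once something reads it. The script below is an added example for this page (not an AWS tool) that applies the best-practice checks listed above: root MFA and root access keys, console passwords without MFA, and active keys that are stale or unused for more than 90 days. It runs on a constructed sample with the columns trimmed to those it reads; because it looks columns up by name, the same function works on the full report piped from `aws iam get-credential-report`.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of the CSV that `aws iam get-credential-report` returns after base64
# decoding; columns trimmed to the ones this check reads (the real file has more).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-20T08:00:00+00:00,false,true,2023-01-10T09:00:00+00:00,2024-05-28T12:00:00+00:00,false,N/A,N/A
devops-user,arn:aws:iam::123456789012:user/devops-user,true,2024-05-30T15:00:00+00:00,false,true,2023-11-01T10:00:00+00:00,2023-12-01T10:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-31T09:00:00+00:00,true,true,2024-04-01T09:00:00+00:00,2024-05-31T09:15:00+00:00,false,N/A,N/A
"""
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "today" for the sample


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean none."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_age_days=90):
    """Return {user: [finding, ...]} for the Lab 5 hygiene rules: root MFA and root
    keys, console passwords without MFA, and active keys that are stale or unused."""
    cutoff = now - timedelta(days=max_age_days)
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, issues = row["user"], []
        if user == "<root_account>":
            if row["mfa_active"] != "true":
                issues.append("root MFA not enabled")
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                issues.append("root has an active access key")
        elif row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password without MFA")
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if rotated is None or rotated < cutoff:
                issues.append(f"access_key_{n} not rotated in {max_age_days} days")
            if last_used is None or last_used < cutoff:
                issues.append(f"access_key_{n} unused for {max_age_days} days")
        if issues:
            findings[user] = issues
    return findings


def audit_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)
```

For a live account, read the decoded report into a string and call `audit_credential_report(text, datetime.now(timezone.utc))`; every user that comes back should be on your rotation or removal list.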
✅ Day 4 Checklist
- Understand IAM users, groups, roles, and policies
- Can create and manage IAM users
- Can create groups and assign users
- Can write custom IAM policies
- Can create roles for EC2 instances
- Understand IAM security best practices