Control Access with AWS Identity and Access Management

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the features of AWS Identity and Access Management (IAM).
  • Follow IAM best practices when structuring resource access.

AWS Identity and Access Management icon depicting a lock and rectangular card against a red background

AWS Identity and Access Management (IAM) enables you to manage access to AWS services and resources. With IAM, you can create and manage AWS users, groups, and roles. Then, you can use permissions to allow and deny their access to AWS resources.

In this unit, you learn about the different components of IAM and how you can effectively manage permissions.

Establish Your Root User Credentials

Permissions icon depicting a closed lock

When you first create an AWS account, a root user identity is created. To access the AWS account root user, you sign in with your email address and password that you provided when creating the account.

When you log in to AWS with your root user credentials, you have:

  • Unrestricted access to all the resources in your AWS account
  • Access to your billing information
  • The ability to change your password

As a best practice, instead of using the root user, you should create IAM users and assign them the necessary permissions to handle day-to-day activities.

IAM Users

Icon depicting a single user

An IAM user is a person or an application that interacts with AWS. Instead of sharing your root user credentials with others, you can create individual IAM users. Users are not separate accounts. Instead, they’re separate users within your account. Each user can have their own password for access to the AWS Management Console with different levels of access.


Icon depicting three users–two in the background and one in the foreground

An IAM group is a collection of IAM users. As a best practice, you should use groups for assigning permissions. This can make it easier to manage and scale access.

Imagine you have multiple users who are database administrators. You could create a group called “Database Admins” and give that group the types of permissions that database administrators typically need. Any user in the Database Admins group will automatically have these permissions you set up.

If a new user joins your organization and requires database administrator permissions, you simply add them to the group. If a person changes jobs in your organization, instead of editing that user’s permissions, you can remove them from the old group and add them into the new group so they have the right level of access.

IAM Roles

Role icon depicting a construction hard hat

An IAM role is an identity that you can create in your account to have specific permissions.

Like an IAM user, an IAM role can have permissions set in order to grant or restrict access to AWS services. Unlike an IAM user, IAM roles are not associated with a unique person. Instead, they’re intended to be shared and assumed when needed.

For example, if Amazon Elastic Compute Cloud (EC2) needs to make changes to an Amazon Simple Storage Service (S3) bucket, it could assume an IAM role with the right permissions, make the updates, and then release the role and no longer have the privileges to Amazon S3 that it doesn't need.

IAM users can also assume IAM roles when needed. As a best practice, when you no longer need to use an IAM role, you should exit from the role in the IAM console to give up the permissions. This helps to prevent you from accidentally accessing or modifying sensitive resources.

IAM Access Advisor

Icon depicting a checklist, with three rows consisting of a square checkbox and a horizontal line

As you create new roles within AWS, a best practice is to periodically review their usage and to ensure you’re only keeping active, necessary roles. The IAM Access Advisor makes this quick and easy. It gives you a report of the service permissions that have been granted to a role, along with details about when those services were last accessed.

With Access Advisor, you can easily determine which roles might no longer be needed and more securely restrict access to your AWS environments.

Access Policies

Policy icon depicting a rectangular sheet of paper, with a vertical column that includes two check marks and one X

A policy is an object in AWS that, when associated with an identity or resource, defines its permissions. When a user or role makes a request in AWS, the permissions that are outlined in a policy determine whether the request will be allowed or denied.

Here are a few examples of IAM access policies.

  • Allows an Amazon EC2 instance to attach or detach volumes
  • Allows full Amazon Relational Database Service (RDS) access within a specific Region
  • Allows Read and Write access to a specific Amazon S3 bucket
  • Specifies the API operations that a user is allowed to call

Multi-factor Authentication

 Icon depicting a circle with MFA inside of it

Multi-factor authentication (MFA) adds an extra layer of protection to your AWS account. After MFA has been enabled, a user needs to provide their user name and password, followed by a security token from a device.

MFA is disabled by default. You can enable it for your account and also for any IAM users that you have created.

Enabling MFA is a best practice. If a user’s password or access keys are ever compromised, your account resources are still secure because of the additional authentication requirement.


With IAM, you have the flexibility to create users, roles, and groups in ways that best align with how your AWS environment should be used.

In the next unit, you review some of the security services that are available to you within AWS.