Security and billingSecurity and complianceIntermediate43 min read

What Is IAM? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

IAM stands for Identity and Access Management. It is a set of rules and tools that control who can log into a system and what they are allowed to do. Think of it like a security guard who checks your ID and then decides which rooms you can enter.

Common Commands & Configuration

aws iam create-user --user-name JohnDoe

Creates a new IAM user named JohnDoe in the AWS account. Use this as a starting point for granting programmatic or console access to individuals.

Tests understanding that IAM users are separate from root users and are created for daily administrative tasks. Often asked about user creation vs role creation.

aws iam attach-user-policy --user-name JohnDoe --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Attaches the AWS-managed AmazonS3ReadOnlyAccess policy to the user JohnDoe, granting read-only access to all S3 buckets. Used to quickly assign common permissions.

Exams often contrast managed vs inline policies. This attaches a managed policy; be aware that inline policies must be created separately and embedded.

aws iam create-role --role-name EC2S3ReadRole --assume-role-policy-document file://trust-policy.json

Creates an IAM role that an EC2 instance can assume. The trust-policy.json file specifies 'ec2.amazonaws.com' as the trusted principal. This is the foundation for EC2 instance profiles.

Key concept: roles are assumed by services, not directly used by users. The assume-role-policy-document (trust policy) defines who can assume the role. Essential for SysOps and Developer exams.

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CrossAccountAuditRole --role-session-name AuditSession

Assumes the specified role in another account, returning temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken). Use this for cross-account access or to switch roles programmatically.

This is the programmatic way to perform sts:AssumeRole. Exams test the difference between this and using access keys directly. Temporary credentials expire, enhancing security.

aws iam update-password-policy --minimum-password-length 14 --require-symbols --require-numbers --require-uppercase-characters --require-lowercase-characters --max-password-age 90

Updates the account password policy to enforce a minimum length of 14 characters, require symbols, numbers, uppercase and lowercase, and expire passwords after 90 days. Applies to all IAM users with console passwords.

Common exam topic: password policy settings are account-level. Questions might ask which parameter enforces password expiration or complexity. Also tested in Security+ and CISSP.

aws iam list-policies --scope Local --only-attached

Lists all customer-managed policies that are currently attached to any IAM entity (users, groups, or roles). Useful for auditing unused policies or identifying overly permissive policies.

Exams test the difference between 'Local' (customer-managed) and 'AWS' (managed) policies. The 'only-attached' flag helps in cleanup scenarios, an exam favorite.

aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::123456789012:user/JohnDoe --action-names s3:ListBucket --resource-arns arn:aws:s3:::example-bucket

Simulates the effective permissions for user JohnDoe for the s3:ListBucket action on a specific S3 bucket. This is the IAM policy simulator at the command line.

This is a direct test of understanding policy evaluation logic. Often used in exam questions to determine whether a policy allows or denies an action before implementation.

IAM appears directly in 2,050exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →

Must Know for Exams

IAM is a core objective in many of the exams listed. For AWS certifications (Cloud Practitioner, Developer Associate, Solutions Architect, SysOps Administrator), IAM is a fundamental service. Questions cover creating IAM users, groups, roles, and policies; understanding IAM policy structure; differentiating between root user and IAM users; understanding when to use roles for cross-account access or EC2 instances; and interpreting IAM policy examples. You must know how to attach policies, the difference between identity-based and resource-based policies, and how IAM integrates with other services like S3 bucket policies.

For Azure certifications (AZ-900, AZ-104, SC-900), IAM concepts appear under Azure Active Directory (Entra ID), role-based access control (RBAC), and managed identities. AZ-104 focuses on managing Azure AD users and groups, creating custom roles, and assigning permissions. SC-900 (Microsoft Security, Compliance, and Identity Fundamentals) has a heavy IAM focus, including identity concepts, authentication methods, access management, and identity protection.

For CompTIA Security+ and CySA+, IAM is a major domain. Security+ covers authentication methods, access control models (DAC, MAC, RBAC, ABAC), identity management concepts (provisioning, deprovisioning, federation), and protocols (SAML, OAuth, OpenID Connect, Kerberos). CySA+ goes deeper into IAM auditing, privilege management, and detecting identity-based attacks.

For ISC2 CISSP, IAM is one of the eight domains (Domain 5: Identity and Access Management). Questions cover the full identity lifecycle, access control models and mechanisms, authentication methods, federation, and identity as a service. This is a primary topic, and you need a deep understanding of both theory and implementation.

For Google Cloud certifications (ACE, Cloud Digital Leader), IAM concepts include Cloud IAM roles (primitive, predefined, custom), service accounts, and policies. Google-ACE expects you to know how to assign roles at different levels (organization, folder, project, resource) and understand the principle of least privilege.

For MD-102 and MS-102 (Microsoft Endpoint Administrator and Microsoft 365 Administrator), IAM is central to managing user identities, device identities, conditional access policies, and identity protection in Microsoft 365.

In all these exams, you can expect multiple-choice questions, scenario-based questions where you must choose the correct IAM configuration, and sometimes drag-and-drop or fill-in-the-blank questions. You will not be asked to write actual IAM policy JSON, but you must be able to read and interpret it.

Simple Meaning

Imagine you work in a large office building. At the front door, there is a security guard who checks your employee badge to make sure you are allowed to be there. This is the identity part of IAM – verifying who you are. Once you are inside, you might have a key card that opens only certain doors. You can enter your own office, the break room, and the meeting room, but you cannot enter the server room or the CEO's office. That is the access management part – controlling what you can do after you are identified.

Now imagine that when you join the company, you are given a badge that automatically works for the doors you need. When you change departments, your badge is updated so you can enter new areas and lose access to old ones. When you leave the company, your badge is deactivated so you can no longer enter the building at all. That is IAM in a nutshell – a system for creating, managing, and removing digital identities, and for granting the right permissions to each identity.

In the computer world, IAM works the same way. Your username and password are like your employee badge. They prove you are you. Then, once you are logged in, the system checks a list of permissions to decide what you can do. For example, you might be able to read files in a shared folder but not delete them. You might be able to launch a server but not shut it down. You might be able to view a report but not change the numbers.

IAM is not just one piece of software. It is a combination of policies, processes, and technologies. It includes things like multi-factor authentication (where you need a code from your phone in addition to your password), single sign-on (where you log in once and can access many systems), and role-based access control (where your job title determines your permissions). The goal is to keep data safe by making sure that only the right people can see or change it, and that people cannot do things they should not do.

IAM is everywhere. When you log into your email, that is IAM. When you use your fingerprint to unlock your phone, that is IAM. When a doctor accesses your medical records, that is IAM. It is the invisible security layer that protects your information and keeps systems running smoothly.

Full Technical Definition

Identity and Access Management (IAM) is a comprehensive framework of policies, processes, and technologies that enables organizations to manage digital identities and control access to resources. It encompasses the entire lifecycle of a digital identity, from creation and provisioning through maintenance and eventual deprovisioning. IAM is foundational to cybersecurity, as it directly addresses the principles of authentication (verifying identity), authorization (determining permissions), and accounting (tracking actions).

At its core, IAM relies on several key components. The identity repository stores user accounts and attributes, often using a directory service like LDAP (Lightweight Directory Access Protocol) or Microsoft Active Directory. The authentication service verifies credentials, which can be something you know (password), something you have (token), or something you are (biometric). Modern IAM systems support single sign-on (SSO), where one authentication event gives access to multiple applications, often using protocols like SAML (Security Assertion Markup Language), OAuth 2.0, or OpenID Connect.

Authorization defines what an authenticated user can do. Common models include Role-Based Access Control (RBAC), where permissions are assigned to roles and users are assigned to roles; Attribute-Based Access Control (ABAC), where access decisions are based on user attributes, resource attributes, and environmental conditions; and Policy-Based Access Control (PBAC), which uses centralized policies. The principle of least privilege is a core IAM concept: users should be granted only the minimum permissions necessary to perform their job functions.

IAM also includes provisioning and deprovisioning workflows. Provisioning is the process of creating accounts and granting initial access when a new employee joins. Deprovisioning is removing access when an employee leaves or changes roles. Automated provisioning, often through identity governance tools, helps ensure that access is granted and revoked quickly and consistently. Identity lifecycle management includes periodic access reviews to verify that permissions are still appropriate.

Federation is an advanced IAM concept that allows users from one organization to access resources in another organization without needing separate credentials. This relies on trust relationships and standards like SAML and OAuth. For example, a company might use federation so that employees can use their corporate credentials to log into a third-party SaaS application.

In cloud environments, IAM is often a built-in service. AWS IAM, for instance, allows administrators to create users, groups, and roles, and attach policies that define permissions. Azure Active Directory (now Microsoft Entra ID) provides identity services for Microsoft cloud and on-premises resources. Google Cloud IAM offers similar capabilities with roles and policies. These cloud IAM services are tightly integrated with the cloud platform's resources, enabling fine-grained access control.

Compliance and auditing are critical IAM functions. Organizations must track who accessed what, when, and from where. Audit logs provide evidence for compliance with regulations like GDPR, HIPAA, and SOX. IAM systems often include reporting and alerting capabilities to detect unauthorized access attempts or anomalous behavior.

Common IAM protocols and standards include: LDAP for directory access, SAML 2.0 for browser-based SSO, OAuth 2.0 for delegated authorization, OpenID Connect for authentication on top of OAuth 2.0, and SCIM (System for Cross-domain Identity Management) for automating user provisioning. Understanding these protocols is essential for IT professionals who implement and manage IAM solutions.

IAM is not a single product but a discipline. It requires careful planning to align with organizational structure, security policies, and compliance requirements. Proper IAM implementation reduces security risk, improves user productivity, and simplifies administration.

Real-Life Example

Think about a large hotel. The hotel has many different areas: the lobby, the guest rooms, the restaurant, the gym, the pool, the laundry room, the manager's office, and the maintenance area. Not everyone should be able to go everywhere. Guests can go to the lobby, their own room, the restaurant, the gym, and the pool. But they cannot go into the laundry room or the manager's office. Housekeeping staff can go into guest rooms (when they are not occupied) and the laundry room, but not the manager's office. Maintenance staff can go into the boiler room and guest rooms (to fix things), but not the restaurant kitchen.

In this analogy, the hotel is like a computer system or a network. The guests and staff are like users. The different areas are like files, folders, servers, applications, or databases. The hotel needs a way to identify everyone and control where they can go. This is exactly what IAM does.

How does the hotel identify people? Guests show their reservation and a photo ID at check-in. They get a key card. That key card is like a digital identity. The hotel's system knows that key card number 1234 belongs to Guest John Smith in room 305, and it will only open the front door, the pool door, and room 305. The key card is the authentication factor – it proves you are allowed to be there.

Now, what about housekeeping? They have their own key cards that open all guest rooms during certain hours, plus the supply closets. The manager has a master key that opens every door. The maintenance person has a key that opens the boiler room and any guest room that has reported a problem. These different key cards are like different roles in an IAM system. Each role has specific permissions.

When a new housekeeper is hired, the front desk manager creates a new key card. That is provisioning. When a housekeeper quits, the key card is deactivated. That is deprovisioning. If a guest extends their stay, their key card automatically keeps working. That is lifecycle management.

Suppose a guest tries to open the manager's office door. The key card does not work. The system does not even check who the guest is – it just denies access. That is access control based on permissions, not identity. The key card has a specific set of permissions, and the door only opens if the card has the right permission.

This hotel example maps directly to IAM in IT. Users have digital identities (like key cards). They authenticate (like showing ID at check-in). They are authorized based on roles (guest, housekeeper, manager). Permissions are managed centrally (the hotel's key system). And everything can be audited (the hotel can see which key card opened which door at what time).

Why This Term Matters

IAM matters because it is the primary defense against unauthorized access, which is the root cause of most security breaches. Without IAM, anyone who knows a username and password could potentially access any part of a system, leading to data theft, data corruption, or system destruction. In the modern IT landscape, where organizations have hundreds or thousands of employees, contractors, and third-party partners, managing identities and access manually is impossible. IAM automates and centralizes this control.

From a practical standpoint, IAM reduces the risk of insider threats, both malicious and accidental. It enforces the principle of least privilege, meaning users only have the access they need to do their jobs. This limits the potential damage if a user's credentials are compromised. It also helps prevent privilege creep, where users accumulate permissions over time without review.

IAM is also essential for compliance. Regulations like HIPAA, GDPR, PCI DSS, and SOX require organizations to control access to sensitive data and to provide audit trails. IAM systems provide the tools to enforce these controls and produce the necessary reports. Without IAM, meeting these compliance requirements would be extremely difficult and costly.

IAM improves user productivity. With single sign-on, users log in once and gain access to all the applications they need, without having to remember multiple passwords. Self-service password reset features reduce helpdesk calls. Automated provisioning means new employees get access quickly, and departing employees lose access just as quickly, reducing security gaps.

In cloud environments, IAM is even more critical because the perimeter is no longer a physical network boundary. Anyone with internet access and valid credentials can reach cloud resources. Cloud IAM services provide the tools to secure these resources, often with granularity down to individual API calls.

Finally, IAM is a foundational concept for IT security professionals. Understanding IAM is necessary for roles in security, system administration, cloud architecture, and compliance. It is a core topic in many IT certifications, including those listed in this glossary.

How It Appears in Exam Questions

IAM questions in certifications typically fall into several patterns. The most common is the scenario question where you are given a business requirement and asked to choose the correct IAM configuration. For example: A company wants to give an EC2 instance access to an S3 bucket. Which IAM entity should be used? The correct answer is an IAM role attached to the EC2 instance profile. A distractor might be an IAM user with access keys embedded in the application code. This tests your understanding of best practices.

Another common pattern is the policy interpretation question. You are shown a JSON policy document and asked what it allows or denies. For example, an IAM policy might have an Effect of Deny with a Condition that requests come from outside a specific IP range. The question will ask: what is the effect of this policy? You need to understand the evaluation logic, including how explicit denies override allows.

There are also comparison questions: What is the difference between an IAM role and an IAM user? When should you use a group versus a role? These require you to know the definitions and appropriate use cases.

Troubleshooting questions appear: Users in a group cannot access a resource even though the group has a policy that should allow it. What is the most likely cause? This could be a permissions boundary, a service control policy (in AWS), or an explicit deny elsewhere.

Multi-factor authentication (MFA) questions are common: When should you enforce MFA? What is the best MFA method for a given scenario? How does MFA affect IAM API access?

Federation and SSO questions: You need to know how SAML, OAuth, and OpenID Connect work at a high level. For example, which protocol is used for browser-based SSO? Answer: SAML.

Least privilege questions: You are given a set of permissions and asked to identify overly permissive policies. Or you are asked to design the minimum set of permissions needed for a specific task.

Finally, there are lifecycle questions: What happens to an IAM user when an employee leaves? How do you deprovision access? What is the purpose of an access key rotation policy?

Preparation tip: Practice reading IAM policies. Even if the exam does not have a policy editor, understanding the structure of a policy statement (Effect, Action, Resource, Condition) is critical. Also, know the default behavior: in AWS, an implicit deny applies unless there is an explicit allow. An explicit deny overrides any allow.

Practise IAM Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Scenario: A small company called 'BrightTech' uses AWS for its infrastructure. They have a team of three developers: Alice, Bob, and Charlie. The company wants to give each developer access to the AWS Management Console. They also want to ensure that only Alice can create new S3 buckets, but all developers can read and write objects to existing S3 buckets. They want to prevent anyone from deleting the production database.

BrightTech's IT administrator chooses to use AWS IAM. First, they create an IAM group called 'Developers'. They attach a managed policy called 'AmazonS3FullAccess' to the group. This allows all developers full access to S3. But wait, this is too broad. The administrator needs to be more specific.

Instead, they create a custom policy that allows s3:GetObject, s3:PutObject, and s3:ListBucket on all S3 buckets in the account. They attach this policy to the Developers group. Now Alice, Bob, and Charlie can upload and download files, and list bucket contents.

For Alice's special permission, the administrator creates a second policy that allows s3:CreateBucket on all resources. They attach this policy directly to Alice's IAM user. This is a key point: permissions can be attached at the user level or the group level. Permissions are additive across group and user policies.

To protect the production database, the administrator creates a policy that explicitly denies rds:DeleteDBInstance for all users. They attach this deny policy to the Developers group. Because an explicit deny always overrides an allow, no developer will be able to delete any database instance, even if another policy might allow it.

The administrator also enables MFA for all users. Each developer sets up a virtual MFA device on their phone. Now, when they log into the AWS console, they must enter their password and a six-digit code from their phone.

Finally, the administrator sets a password rotation policy that requires all users to change their password every 90 days. They also configure CloudTrail to log all API calls for auditing.

This scenario covers user creation, group management, policy creation, MFA enforcement, and password policies. Questions on these topics are very common in AWS certification exams.

Common Mistakes

Confusing IAM users with IAM roles

An IAM user is a permanent identity with long-term credentials (password or access keys), typically used by a person or an application that needs persistent access. An IAM role is a temporary identity that can be assumed by trusted entities like EC2 instances, Lambda functions, or users from another account. Using a user when a role is needed (or vice versa) can lead to security issues like long-term credentials being exposed on an EC2 instance.

Use IAM users for people who need a persistent identity to log into the console or use long-term access keys. Use IAM roles for applications running on AWS services that need temporary credentials, or for cross-account access.

Attaching policies directly to users instead of groups

Managing permissions attached to individual users becomes cumbersome as the number of users grows. It is easy to lose track of who has what permissions, leading to privilege creep. Group-based management is more scalable and easier to audit.

Create IAM groups that correspond to job functions (e.g., Developers, Admins, ReadOnly). Attach policies to the groups, then add users to the appropriate groups. This centralizes permission management.

Misunderstanding the IAM policy evaluation logic

Many learners think that an allow policy will always override a deny. In fact, an explicit deny overrides any allow. Also, if there is no explicit allow, the default is an implicit deny. Failing to understand this can lead to believing that a user has access when they actually do not, or vice versa.

Always check for explicit denies first. If any applicable policy has an explicit deny for an action, the action is denied regardless of any allows. If there is no explicit deny and no explicit allow, the action is implicitly denied.

Using the AWS root user for daily tasks

The root user has unrestricted access to the entire AWS account. Using it for routine operations violates the principle of least privilege and increases the risk of catastrophic errors or security breaches. Root user credentials are also not governed by IAM policies.

Create an IAM user for yourself with administrative permissions. Use the root user only for tasks that require it, such as changing account settings, closing the account, or changing support plans. Enable MFA on the root user immediately.

Not rotating access keys regularly

Access keys are long-term credentials. If they are compromised and not rotated, an attacker can use them indefinitely to access your resources. Many compliance standards require periodic key rotation.

Implement an access key rotation policy. Use IAM features to track key usage and set reminders. Consider using AWS Secrets Manager or similar services to manage secrets automatically.

Over-permissioning by using managed policies without review

AWS managed policies like AdministratorAccess or PowerUserAccess grant very broad permissions. Attaching these to users or groups without considering the actual needs violates the principle of least privilege and increases the attack surface.

Start with the minimum permissions needed. Use AWS managed policies as a starting point, but always review and consider creating custom policies that are more restrictive. Use IAM Access Analyzer to identify unused permissions.

Forgetting to set an explicit deny for sensitive actions

Relying solely on not granting allow permissions for sensitive actions may not be sufficient if another policy grants broader access. An explicit deny ensures that even if a broader allow policy is attached later, the sensitive action remains blocked.

For critical resources or actions, create an explicit deny policy and attach it to all users or groups. For example, deny DeleteBucket for production S3 buckets. This provides a safety net.

Exam Trap — Don't Get Fooled

{"trap":"In AWS exams, a common trap is a question where an IAM policy allows a specific action but there is also an S3 bucket policy that denies the same action for the same user. Many learners will say the action is allowed because the IAM policy says allow.","why_learners_choose_it":"Learners often focus on the IAM policy and forget that resource-based policies (like S3 bucket policies) also affect access.

They assume that if the IAM policy allows, the action is always allowed.","how_to_avoid_it":"Remember that both identity-based policies (IAM user/group/role policies) and resource-based policies must be evaluated. For access to be granted, there must be an explicit allow from at least one identity-based policy and at least one resource-based policy.

If either side has an explicit deny, the action is denied. In the case of S3, you need to check both the IAM policy and the S3 bucket policy. The question might also include a VPC endpoint policy or an Organizations SCP, adding more layers."

Commonly Confused With

IAMvsAAA (Authentication, Authorization, Accounting)

AAA is a framework for controlling access to computer resources, often used in network devices. IAM is a broader discipline that includes AAA but also covers identity lifecycle management, provisioning, governance, and federation. AAA is more focused on the real-time process of verifying identity and logging access.

When you log into a corporate VPN, the VPN gateway uses AAA to check your password (authentication), decide which networks you can reach (authorization), and log your connection (accounting). IAM would be the system that created your VPN account and decided you should have VPN access in the first place.

IAMvsRBAC (Role-Based Access Control)

RBAC is a specific model for authorization within IAM. IAM is the overall framework that includes identity management, authentication, and authorization. RBAC is just one way to implement the authorization part, where permissions are grouped into roles and users are assigned to roles. IAM can also use other models like ABAC or DAC.

In a hospital, the 'Doctor' role can view patient records and prescribe medication. IAM is the system that manages the doctor's identity (username, password) and ensures they can only access systems after logging in. RBAC is the part of IAM that says a doctor has those specific permissions because of their role.

IAMvsPAM (Privileged Access Management)

PAM is a subset of IAM focused specifically on managing and monitoring access for privileged users (e.g., system administrators, database admins). PAM often includes session recording, password vaulting, and just-in-time access elevation. IAM covers all users, both privileged and non-privileged.

A regular employee uses IAM to log into their email and file shares. A system administrator uses PAM to get temporary admin credentials to fix a server, and the PAM system records every command they run.

IAMvsSSO (Single Sign-On)

SSO is an IAM capability that allows a user to authenticate once and access multiple applications without re-entering credentials. IAM is the broader system that includes SSO but also includes user provisioning, identity governance, and access policies. SSO is a feature enabled by IAM protocols like SAML and OAuth.

When you log into your Google account and then automatically have access to Gmail, YouTube, and Google Drive, that is SSO. IAM is the system that created your Google account, manages your password, and decides which Google services you can use.

IAMvs2FA (Two-Factor Authentication)

2FA is an authentication method that requires two different factors to verify identity. IAM is the system that decides whether 2FA is required and integrates with 2FA providers. 2FA is a specific security control within an IAM framework.

An IAM policy might require 2FA for all users accessing the system from outside the office network. The 2FA itself is just the process of entering a code from your phone after typing your password.

Step-by-Step Breakdown

1

Identify the User

The process begins when a person or application wants to interact with a system. The system needs to know who or what is making the request. This is the identity part of IAM. The identity could be a human user, an application, a service, or even a device. Each identity has a unique identifier within the IAM system.

2

Authenticate the Identity

The system verifies that the identity is genuine by checking credentials. This could be a password, a biometric scan, a hardware token, or a combination of factors (MFA). If the credentials are valid, the identity is authenticated. If not, access is denied at this point. This step establishes that the user is who they claim to be.

3

Determine the Context

Before making an authorization decision, the IAM system gathers context about the request. This includes the user's attributes (role, department, clearance level), the resource being accessed (file, server, API), the action requested (read, write, delete), and environmental conditions (time of day, IP address, device type). Context is especially important in ABAC models.

4

Evaluate Policies

The IAM system checks all applicable policies against the authenticated identity and the context. Policies are a set of rules that define allowed or denied actions. These could be identity-based policies attached to the user or group, resource-based policies attached to the resource, or organization-wide policies. The system evaluates these policies to determine if the request should be allowed or denied.

5

Make an Authorization Decision

Based on the policy evaluation, the system makes a decision: Allow or Deny. If there is an explicit deny, the decision is Deny immediately. If there is no explicit deny but at least one explicit allow, the decision is Allow. If there is no explicit allow and no explicit deny, the default is an implicit Deny. The decision is enforced by the system.

6

Grant or Deny Access

If the decision is Allow, the system grants access to the requested resource with the requested actions. The user can now perform the action. If the decision is Deny, the system blocks the action and usually returns an error message like 'Access Denied' or 'Unauthorized'. The user cannot proceed.

7

Log the Event

The IAM system records the event, including the identity, the action, the resource, the time, and the decision (Allow or Deny). This audit log is stored for security analysis, compliance reporting, and troubleshooting. Logging is the 'Accounting' component of AAA and a critical part of IAM.

8

Monitor and Review

IAM is not a one-time setup. Administrators must continuously monitor access patterns, review permissions, and adjust policies. This includes checking for unused permissions, detecting anomalous behavior, and periodically recertifying user access. This step ensures that IAM remains effective over time.

Practical Mini-Lesson

In practice, IAM is implemented using a combination of tools and processes. The first step for any organization is to define an identity strategy. This includes deciding whether to use an on-premises directory (like Active Directory), a cloud-based identity provider (like Azure AD or Okta), or a hybrid approach. The identity store becomes the source of truth for user accounts.

Once the identity store is established, administrators create users and groups. In a cloud environment like AWS, you can create IAM users and groups directly in the console. In Microsoft environments, you typically create users in Active Directory and then synchronize to Azure AD. For security, it is critical to enforce strong password policies and enable MFA for all users, especially those with administrative privileges.

Permissions are managed through policies. In AWS, policies are JSON documents that specify allowed or denied actions on resources. In Azure, RBAC roles are defined with a similar set of permissions. The key principle is least privilege: start with a minimal set of permissions and add more only as needed. Regularly review policies to remove unused permissions.

For applications and services, use IAM roles instead of long-term credentials. For example, an EC2 instance that needs to read from an S3 bucket should be assigned an IAM role that allows those actions. The instance automatically receives temporary credentials via the instance metadata service. This is much more secure than storing access keys on the instance.

Federation is a common requirement for organizations that use multiple cloud providers or SaaS applications. For example, a company that uses Office 365 might want to allow employees to log in using their corporate Active Directory credentials. This is achieved by setting up federation between the corporate IdP and the service provider using SAML or OAuth. The IdP handles authentication and passes identity information to the service provider.

What can go wrong? One common issue is permission conflicts when multiple policies are applied. For example, a user might have an allow policy from their group but a deny policy from a different group or a permissions boundary. Understanding the evaluation order is crucial. Another issue is over-provisioning: giving users more permissions than they need, which increases security risk. Also, failing to deprovision users who have left the organization can create serious vulnerabilities.

Auditing is a continuous process. Use logging services like AWS CloudTrail, Azure Monitor, or on-premises SIEM tools to track IAM events. Set up alerts for suspicious activities, such as multiple failed login attempts or access from unusual locations. Regularly run access reviews to confirm that each user still needs their current permissions.

Finally, remember that IAM is not just about technology. It requires organizational policies and procedures, such as a formal onboarding and offboarding process. Automation can help, but human oversight is necessary to ensure that the system is working as intended.

Core IAM Principles and Architecture

AWS Identity and Access Management (IAM) is the foundational security service for controlling access to AWS resources. At its core, IAM enables you to securely manage identities, define permissions, and enforce access controls across your AWS environment. The service operates on the principle of least privilege, meaning users and services should only be granted the minimal permissions necessary to perform their intended tasks. IAM is a global service, meaning its configuration applies across all AWS regions, and it is free to use, you only pay for other AWS services accessed through IAM.

IAM consists of several key components: users, groups, roles, and policies. An IAM user represents a person or service that interacts with AWS. Users can have console passwords for the AWS Management Console and access keys for programmatic access via AWS CLI, SDKs, or APIs. IAM groups are collections of users that allow you to manage permissions collectively. Instead of attaching policies to each individual user, you attach them to a group, and all members inherit those permissions. This simplifies administration and ensures consistency.

IAM roles are similar to users but are intended to be assumed by trusted entities such as AWS services, applications, or users from another account. Roles do not have permanent credentials; instead, they provide temporary security credentials through AWS Security Token Service (STS). This makes roles ideal for cross-account access, EC2 instance profiles, Lambda execution roles, and federation with identity providers. Roles are a critical concept for secure architectures and frequently appear in AWS certification exams.

Policies are JSON documents that define permissions. There are two types: identity-based policies (attached to users, groups, or roles) and resource-based policies (attached to resources like S3 buckets or KMS keys). Policies can be managed policies (AWS-managed or customer-managed) or inline policies (embedded directly in a user, group, or role). Managed policies are reusable and can be attached to multiple entities, while inline policies are tightly coupled to a single entity. The policy evaluation logic includes default deny, explicit allow, and explicit deny, with explicit denies always overriding allows.

For AWS Cloud Practitioner and Developer Associate exams, understanding the difference between users and roles is essential. For Security+ and CISSP, the focus shifts to policy best practices and least privilege. For Azure and Google Cloud exams, the concepts are analogous but with different service names (Azure RBAC, Google Cloud IAM). The key architectural takeaway is that IAM is the single point of control for authentication and authorization in AWS, and misconfigurations can lead to severe security vulnerabilities.

How IAM Policy Evaluation Logic Works

Understanding how IAM policies are evaluated is crucial for both security and exam success. AWS uses a rigorous, deterministic policy evaluation engine that processes every request. The engine starts with a default implicit deny, meaning that unless explicitly allowed, an action is denied. The evaluation proceeds through several steps: first, all applicable policies are collected, including identity-based policies, resource-based policies, permissions boundaries, and service control policies (SCPs) for organizations. Then, the engine checks for any explicit deny statements. If an explicit deny is found, the request is immediately denied, regardless of any allows. Next, it checks for explicit allow statements. If an explicit allow exists and no explicit deny applies, the request is allowed. If there is neither an explicit allow nor an explicit deny, the default implicit deny takes effect, and the request is denied.

This logic is often tested in exam scenarios. For example, a question might present a policy that allows s3:GetObject but also has a condition that denies access if the request comes from an IP address outside a specific range. The explicit deny for IP addresses outside the range will override the allow, resulting in denied access. Another common exam topic is the effect of permissions boundaries. A permissions boundary is a managed policy that defines the maximum permissions an IAM entity can have. Even if a user or role has a policy that grants full S3 access, if a permissions boundary restricts it to read-only, the effective permissions are the intersection of the two, effectively the more restrictive set. The boundary does not grant permissions; it only limits them.

Resource-based policies, such as S3 bucket policies, are evaluated separately and can grant access to principals in other accounts. When both identity-based and resource-based policies are present, the evaluation allows access if either policy grants it (unless an explicit deny exists). This is known as the "allow from either side" rule. For cross-account access, the principal in the resource-based policy must include the external account ID, and the identity-based policy must explicitly allow the action for the external principal. This is a common source of confusion in exams.

Service control policies (SCPs) are used in AWS Organizations to set permissions guardrails for member accounts. SCPs are evaluated after resource-based and identity-based policies but before the default implicit deny. They cannot grant permissions, they only define the maximum allowed. If an SCP denies an action, it cannot be allowed by a lower-level policy. This layering of policies creates a sophisticated access control system that requires careful planning. For Azure and Google Cloud exams, similar concepts exist (e.g., Azure Policy, Google Cloud Organization Policy), but AWS IAM policy evaluation is arguably the most detailed. Mastering this logic is essential for the AWS Solutions Architect Associate and SysOps Administrator exams.

Essential IAM Best Practices for Exams and Real World

Implementing IAM best practices is a core competency tested in every AWS certification, from Cloud Practitioner to Professional level. The AWS Well-Architected Framework and Security Hub provide guidance, but the most critical best practices are rooted in the principle of least privilege. Never use the root user for daily tasks. Instead, create IAM users with necessary permissions and enable multi-factor authentication (MFA) for all privileged users. The root user should only be used for tasks that require it, such as changing account settings or closing the account. Enabling MFA on the root account is a mandatory security best practice.

Use IAM roles instead of sharing long-term access keys. For EC2 instances, use instance profiles that grant temporary credentials via STS. For Lambda functions, use execution roles. This eliminates the need to embed keys in code or configuration files. Implement a strong password policy that enforces complexity, rotation, and reuse prevention. Use password policies in the IAM console to define requirements like minimum length, special characters, and expiration period. For programmatic access, rotate access keys regularly and delete unused keys.

Apply permissions boundaries to restrict maximum permissions. This is especially useful in multi-account environments where you want to prevent developers from escalating privileges. Use managed policies when possible because they are versioned and updatable by AWS, reducing administrative overhead. Create customer-managed policies when AWS-managed policies are too permissive. Use groups to assign permissions, never attach policies directly to users. This simplifies auditing and permission management.

Implement a least privilege strategy using AWS IAM Access Analyzer. This tool identifies resources shared with external principals and helps refine policies. Use IAM policy simulators to test policies before applying them. The IAM policy simulator is an interactive tool that lets you evaluate the effects of policies on users, groups, and roles. It is a common exam scenario where you must simulate a policy to see if it grants the desired access. Also, enable AWS CloudTrail to log all IAM actions and monitor for unusual activity. Use AWS Config rules to automatically check for non-compliant IAM configurations, such as policies that are overly permissive.

Finally, implement regular access reviews. Remove unused users, deactivate old access keys, and audit IAM policies for excessive permissions. For organizations, use AWS Organizations and SCPs to enforce baseline security policies across all accounts. For Azure and Google Cloud, comparable practices exist (Azure RBAC roles, Google Cloud IAM roles), but the terminology and implementation details differ. These best practices are frequently tested in the Security+ and CISSP exams as part of identity and access management domain. Adhering to them not only protects your environment but also demonstrates a security maturity that examiners look for.

IAM Cross-Account Access and Federation Strategies

Managing access across multiple AWS accounts and integrating with external identity providers is a complex but exam-heavy topic. Cross-account IAM roles are the primary mechanism for granting access to resources in another account. The process involves creating a role in the target account with a trust policy that specifies the source account or external identity provider as the principal. Then, users or services in the source account must be granted permission to assume that role via sts:AssumeRole. This allows seamless access without sharing long-term credentials.

For example, a central security account might have a role that auditors can assume to read CloudTrail logs from all member accounts. The trust policy would include the auditor account ID, and the role's permissions policy would grant read-only access to CloudTrail. The auditor must have an IAM policy allowing sts:AssumeRole for that specific role ARN. This pattern is essential for centralized logging, backup management, and DevOps pipelines that deploy across accounts.

Another critical topic is identity federation. AWS supports federation through SAML 2.0, OpenID Connect (OIDC), and web identity federation. SAML federation is commonly used in enterprise environments where users authenticate against an on-premises Active Directory or third-party IdP (e.g., Okta, Azure AD). The federation process involves configuring a SAML identity provider in IAM, creating a role with trust policies for that IdP, and mapping attributes from the SAML assertion to IAM roles. Users then receive temporary STS credentials after successful authentication. This is a frequent exam scenario for AWS Developer Associate and Solutions Architect Associate.

OIDC federation is similar but is used for web and mobile applications that use tokens from providers like Google, Facebook, or Amazon Cognito. Cognito is the recommended service for customer-facing identity management, but IAM federation is used for internal workforce access. For Azure and Google Cloud, federation is achieved through Azure AD B2B and Google Cloud IAM with external identity providers, but the underlying concepts of trust policies and attribute mapping are consistent.

A common exam trick involves understanding that cross-account roles require both the trust policy (in the target account) and the permission policy (in the source account). If an admin complains that a user cannot assume a role, the issue is often that the user lacks the sts:AssumeRole permission or the trust policy does not include the user's account. Also, remember that roles do not have permanent passwords or access keys, they provide temporary credentials that expire. This is a key differentiator from IAM users. For CISSP and Security+, the concept of federated identity management and single sign-on (SSO) is central. AWS SSO (now AWS IAM Identity Center) is the recommended service for managing workforce access across multiple accounts and applications. It integrates with existing identity sources and provides a portal for users to access assigned accounts. This is the modern approach and is heavily emphasized in the AWS SysOps and Solutions Architect exams.

Troubleshooting Clues

Access Denied Error When Assuming Role

Symptom: User receives 'AccessDenied' when trying to switch roles or call sts:AssumeRole from CLI.

This typically means either the user lacks the iam:PassRole or sts:AssumeRole permissions in their identity-based policy, or the trust policy of the target role does not include the user's account or user ARN. Also, SCPs in the source or target account might block the action.

Exam clue: Exams present this as a multi-account scenario where a developer cannot use a role in another account. The answer often involves checking both the trust policy and the user's permissions.

IAM User Cannot Access Console After Creating

Symptom: Newly created IAM user with console access can log in but sees a blank dashboard or receives 'Access Denied' on most services.

By default, IAM users have no permissions. The user must have policies attached that grant access to specific services. The login itself is successful (authentication), but authorization fails due to missing policies.

Exam clue: This is a classic 'least privilege' example. Exams ask what is missing when a user can't perform any actions. The answer: attach a policy that grants required permissions.

EC2 Instance Cannot Access S3 Bucket Even with Role

Symptom: An EC2 instance with an IAM role attached fails to read from an S3 bucket, returning 403 errors.

Possible causes: the role's policy does not include the required S3 actions (e.g., s3:GetObject), the S3 bucket policy denies access to the role's ARN, or the instance's role was not properly attached (e.g., instance profile missing). Also, the role's trust policy might be misconfigured.

Exam clue: Exam questions often combine IAM roles with S3 bucket policies. The trap is forgetting that both identity-based (role policy) and resource-based (bucket policy) come into play, and explicit denies on the bucket policy override role permissions.

Federation Login Fails with SAML

Symptom: Users from an external SAML identity provider cannot log into AWS console; they receive a generic authentication error.

Common causes: the SAML metadata document in IAM is outdated or incorrect, the trust policy of the SAML role does not match the identity provider name, or the attribute mapping in the SAML assertion does not match the role's condition keys. Also, the IAM SAML provider must be created with the exact metadata XML.

Exam clue: Exams test the steps for SAML federation: create IdP, create role with trust policy for that IdP, map attributes. A failure indicates a mismatch in the trust policy or metadata.

Permissions Boundary Prevents Policy from Granting Full Access

Symptom: An administrator attaches a policy that grants full S3 access to a user, but the user still cannot delete objects.

A permissions boundary is applied to the user or role that explicitly limits maximum permissions. Even if the attached policy allows deletion, the boundary policy denies it. The effective permissions are the intersection of the boundary and the attached policy.

Exam clue: This is a common exam twist: a user has a policy that should grant access but is still blocked. The answer is that a permissions boundary or SCP is restricting. Questions often ask what the effective permission is when both exist.

Access Key Rotation Fails with 'InvalidKeyId' Error

Symptom: When trying to rotate an IAM user's access key, the CLI or console throws an error saying the key ID is invalid.

This usually happens when trying to use an access key that has already been deleted or when the user does not have iam:UpdateAccessKey permissions. Also, if the user is trying to rotate a key that is marked as 'Inactive', it cannot be used for signing requests.

Exam clue: Exams test the concept that access keys must be rotated properly using create, update, and delete operations. The invalid key error indicates the key was removed or permissions are insufficient.

IAM User Cannot Create New Users Even With Admin Policy

Symptom: A user with an 'AdministratorAccess' policy attached receives an error when trying to create new IAM users via the console or CLI.

If the user is accessing the account through an assumed role or has a permissions boundary that restricts IAM actions, even 'AdministratorAccess' can be overridden. Alternatively, if the account is part of an AWS Organization, an SCP might prohibit iam:* actions. Also, check if the user's session has expired or if MFA is required but not provided.

Exam clue: Exams often present a scenario where a user with full admin rights cannot perform specific administrative tasks. The answer usually involves SCPs or permissions boundaries, not a missing policy.

Cross-Account Role Assumption Returns 'Not authorized'

Symptom: When using AWS CLI to assume a cross-account role, the command fails with 'Not authorized to perform sts:AssumeRole'.

This indicates that either the source account's identity-based policy does not include sts:AssumeRole for the target role ARN, or the target role's trust policy does not include the source account ID. If the target account has SCPs that deny sts:AssumeRole for the source account, the request will fail.

Exam clue: This is a staple of multi-account exam questions. The fix involves verifying both the trust policy and the user's permissions, plus checking SCPs at the organizational level.

Memory Tip

Think of IAM as a hotel key card system: your identity is on the card, and the doors you can open are your permissions. The front desk (authentication) gives you the card, and the door locks (authorization) check it.

Learn This Topic Fully

This glossary page explains what IAM means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.An IAM user is part of a group that has a policy allowing s3:GetObject on a specific bucket. The user is also directly attached to a policy that denies s3:GetObject for that same bucket. What is the effective permission?

2.Which of the following is the primary reason to use IAM roles instead of IAM users for EC2 instances?

3.A company wants to allow users from an external identity provider (IdP) to access their AWS account using SAML 2.0 federation. What must be created in IAM first?

4.An administrator creates a permissions boundary for a developer role that allows only EC2 and S3 actions. The developer then attaches a policy granting full IAM access. What are the effective permissions for the developer?

5.Which IAM feature should be used to automatically detect policies that grant access to external principals?

6.An IAM role has a trust policy that allows an EC2 instance to assume it. Which service provides the temporary credentials after the role is assumed?

Frequently Asked Questions

What is the difference between authentication and authorization?

Authentication is the process of verifying who you are (e.g., checking your password). Authorization is the process of determining what you are allowed to do after you are authenticated (e.g., deciding if you can read a file). In short, authentication answers 'Who are you?' while authorization answers 'What can you do?'

What is the principle of least privilege?

The principle of least privilege means that a user or system should be given only the minimum permissions necessary to perform their job function. This reduces the risk of accidental or malicious damage. If a user only needs to read a file, do not give them write or delete permissions.

What is the difference between an IAM user and an IAM role in AWS?

An IAM user is a permanent identity with long-term credentials (password or access keys), typically used by a person or application that needs persistent access. An IAM role is a temporary identity that can be assumed by trusted entities, like an EC2 instance, a Lambda function, or a user from another AWS account. Roles provide temporary security credentials.

What is federation in IAM?

Federation is a process that allows users from one organization (the identity provider) to access resources in another organization (the service provider) without having separate credentials. It relies on trust relationships and standards like SAML or OAuth. For example, employees can use their corporate login to access a SaaS application.

What is MFA and why is it important?

MFA stands for Multi-Factor Authentication. It requires users to provide two or more verification factors (e.g., a password and a code from their phone) to log in. MFA is important because it adds an extra layer of security. Even if a password is stolen, the attacker cannot log in without the second factor.

What is the default IAM behavior when no policy allows an action?

The default is an implicit deny. If no policy explicitly allows an action, the action is denied. This means you must explicitly grant permissions for any action you want to allow. An implicit deny can be overridden by an explicit allow, but an explicit deny overrides everything.

What is identity governance?

Identity governance is the process of managing and reviewing user identities and their access rights to ensure they are appropriate. It includes access certifications, policy enforcement, and auditing. Identity governance helps organizations comply with regulations and reduce security risks by ensuring that users have the right access at all times.