Cloud security starts with one question:
Who can access what?
That's exactly where IAM (Identity and Access Management) comes in.
Whether you're:
- a Cloud Engineer
- DevOps Engineer
- Security Engineer
- Backend Developer
- or preparing for AWS certifications
Understanding IAM is absolutely mandatory.
And once IAM is understood, the next powerful step is using the AWS CLI to interact with AWS directly from your terminal like a real cloud engineer.
In this guide we'll cover:
- What IAM is
- IAM Users
- IAM Roles
- IAM Policies
- MFA (Multi-Factor Authentication)
- AWS CLI setup
- Real-world best practices
- Security mistakes beginners make
Resources
GitHub Repo:
https://github.com/17J/30-Days-Cloud-DevSecOps-Journey
AWS Command Sheet:
https://aws-command.vercel.app/
What is IAM?
IAM stands for:
Identity and Access Management
It is the AWS service that controls:
- Authentication: who are you?
- Authorization: what are you allowed to do?
Think of IAM as the security guard of AWS.
Without IAM, anyone could access:
- EC2 servers
- S3 buckets
- Databases
- Secrets
- Billing data
And that would become a disaster very quickly.
Real-World Example
Imagine a company has:
- Developers
- DevOps Engineers
- Security Team
- Finance Team
- Interns
Should everyone get full AWS admin access?
Absolutely not.
Instead:
| Team | Access |
|---|---|
| Developers | EC2 + Logs |
| DevOps | Infrastructure |
| Finance | Billing only |
| Security | Audit + Monitoring |
| Interns | Read-only |
IAM makes this possible.
Core IAM Components
AWS IAM mainly consists of:
IAM
├── Users
├── Groups
├── Roles
├── Policies
└── MFA
IAM Users
An IAM User represents a person or application that needs access to AWS.
Examples:
- Rahul
- DevOps Engineer
- CI/CD Pipeline
- Jenkins Server
- Terraform Automation
Each IAM user can have:
- Password
- Access Keys
- Permissions
- MFA
Types of IAM Access
1. Console Access
Used for:
- AWS Web Dashboard login
Example:
https://aws.amazon.com/console/
Uses:
- Username
- Password
- MFA
2. Programmatic Access
Used for:
- AWS CLI
- SDKs
- Terraform
- CI/CD Pipelines
Uses:
- Access Key ID
- Secret Access Key
Example:
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
Important Security Rule
Never use the root account for daily work.
The root account has unlimited permissions that IAM policies cannot restrict.
If it is compromised:
The entire AWS account can be destroyed, including its billing and contact settings.
Instead:
Create IAM users (or, better, roles and SSO identities) for daily work, protect the root account with MFA, and sign in as root only for the few account-level tasks that require it.
IAM Groups
Groups help manage permissions more easily.
Instead of assigning permissions individually:
Rahul → EC2 Access
Aman → EC2 Access
Riya → EC2 Access
You create:
Developers Group → EC2 Access
Then add users to the group.
Much cleaner.
IAM Policies
Policies define permissions.
They are written in JSON.
Policies answer:
What actions are allowed or denied?
Example IAM Policy
A typical first policy gives read-only access to S3 buckets: an Allow statement for read actions such as s3:GetObject on the bucket's ARN, and nothing else. Every policy, that one included, is a JSON document built from the components below.
Understanding Policy Structure
| Component | Meaning |
|---|---|
| Version | Policy language version; use "2012-10-17" |
| Statement | A list of permission blocks; each one is evaluated independently |
| Effect | Allow or Deny (an explicit Deny always wins over an Allow) |
| Action | AWS API actions, written service:Operation; wildcards such as s3:Get* are allowed |
| Resource | Which resources, as ARNs; "*" means every resource |
Principle of Least Privilege
One of the most important cloud security principles.
Meaning:
Give only the permissions that are actually required, on only the resources that need them.
Bad Example
"Action": "*",
"Resource": "*"
Combined with "Effect": "Allow", this grants every action on every resource: full admin access.
Good Example
"s3:GetObject"
One specific action, ideally scoped to one specific bucket ARN rather than "*".
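The read-only S3 policy described above and the bad/good least-privilege examples, as one added example that is not part of the original article or of AWS's own evaluation engine: a small Python evaluator that applies the documented IAM rules (implicit deny, Allow grants, explicit Deny wins) to two constructed policies. The bucket name, Sids and the evaluator itself are assumptions; it deliberately ignores Principal, Condition, NotAction and NotResource.

```python
"""Minimal IAM policy evaluator (added example; not AWS's own evaluation engine).

It implements the part of the evaluation logic the text describes: nothing is
allowed unless an Allow statement matches, and an explicit Deny always wins.
Only Effect/Action/Resource are handled; Principal, Condition, NotAction and
NotResource are left out to keep the example short.
"""
import fnmatch
import json

# Constructed policies for the demo. ADMIN_POLICY is the "*"/"*" shape the
# text warns about; S3_READ_ONLY_POLICY is what a least-privilege read-only
# S3 policy looks like. The bucket name "example-reports" is made up.
ADMIN_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}
  ]
}
""")

S3_READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-reports"
    },
    {
      "Sid": "ReadObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::example-reports/*"
    },
    {
      "Sid": "NeverReadSecrets",
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::example-reports/secrets/*"
    }
  ]
}
""")


def _as_list(value):
    """Action and Resource may be a single string or a list in IAM JSON."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run, '?' one character.
    Action names are compared case-insensitively, as IAM does; ARNs are
    compared as written."""
    patterns = _as_list(patterns)
    if ignore_case:
        candidate = candidate.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Return True if `action` on `resource` is permitted by `policy`."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action, ignore_case=True):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False      # explicit Deny overrides every Allow
        if stmt["Effect"] == "Allow":
            allowed = True    # keep looking: a later Deny can still win
    return allowed            # implicit deny when nothing matched


def admin_statements(policy):
    """Sids (or positions) of Allow statements that grant '*' on '*'."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if (stmt["Effect"] == "Allow"
                and "*" in _as_list(stmt.get("Action", []))
                and "*" in _as_list(stmt.get("Resource", []))):
            flagged.append(stmt.get("Sid", f"statement[{i}]"))
    return flagged


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-reports/2024/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-reports/secrets/db.json"),
        ("iam:DeleteUser", "arn:aws:iam::123456789012:user/Rahul"),
    ]
    for name, policy in (("admin", ADMIN_POLICY), ("s3-read-only", S3_READ_ONLY_POLICY)):
        print(f"{name}: wildcard admin statements = {admin_statements(policy)}")
        for action, resource in checks:
            print(f"  {action:15} on {resource}: {is_allowed(policy, action, resource)}")
```

Run it and the admin policy answers True to everything, including iam:DeleteUser, while the read-only policy allows only the Get/List calls on the one bucket and refuses the secrets/ prefix even though ReadObjects would otherwise match it. That last case is the reason the evaluator keeps scanning after a matching Allow.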
IAM Roles
Roles are extremely important in AWS.
A Role is an identity with permissions that nobody logs in to: it is assumed, by a person or a service, for a limited time.
Unlike users:
- Roles do NOT have passwords
- Roles do NOT have permanent access keys
Instead:
AWS issues short-lived credentials (through STS) to whoever assumes the role; they expire automatically and are renewed as needed.
Why Roles Matter
Roles are heavily used for:
- EC2 instances
- Lambda functions
- ECS containers
- Cross-account access
- Kubernetes workloads
- CI/CD systems
Example: EC2 Accessing S3
Suppose an EC2 server needs access to an S3 bucket.
Wrong Approach:
Store a user's access keys inside files on the server.
Huge security risk: anyone who reads the disk, an AMI or a backup walks away with long-lived keys.
Correct Approach:
Attach an IAM Role to the EC2 instance (an instance profile).
The instance fetches temporary credentials from the instance metadata service and the SDKs and CLI pick them up automatically; require IMDSv2 on the instance so that a web application with an SSRF bug cannot be used to read them.
User vs Role
| IAM User | IAM Role |
|---|---|
| Long-lived identity with its own credentials | Identity that is assumed, never logged in to |
| Password and/or access keys that last until rotated | Temporary credentials issued by STS on each assumption |
| Typically humans and legacy automation | Services, applications, and federated humans (SSO) |
| Long-term access | Short-term access |
MFA (Multi-Factor Authentication)
MFA adds an extra security layer.
Instead of only:
Password
You also need:
OTP / Authenticator Code
Common MFA Methods
| MFA Type | Example |
|---|---|
| Authenticator App (virtual MFA, TOTP) | Google Authenticator |
| Security Key / Passkey (FIDO2) | YubiKey |
| Hardware TOTP Token | Key-fob token |
SMS codes are common on other services, but IAM does not offer SMS as an MFA type; use one of the three above.
Why MFA is Critical
Even if attackers steal a password:
They still cannot log in without the second factor.
One caveat: console MFA does not protect leaked access keys. To require MFA for API calls as well, add the aws:MultiFactorAuthPresent condition to the policies (or role trust policies) those keys rely on.
AWS strongly recommends enabling MFA for:
- Root Account
- Admin Users
- Production Accounts
Real Industry Fact
Many cloud breaches happen because:
- Access keys leaked
- No MFA enabled
- Over-permissioned IAM users
Cloud security failures are often identity failures.
What is AWS CLI?
AWS CLI stands for:
AWS Command Line Interface
It allows you to manage AWS directly from the terminal.
Instead of clicking in the console:
You can automate everything:
aws s3 ls
Why AWS CLI is Powerful
With CLI you can:
- Automate infrastructure
- Create scripts
- Manage EC2
- Upload to S3
- Configure IAM
- Integrate CI/CD
- Manage Kubernetes
- Use Terraform pipelines
Professional cloud engineers use CLI daily.
Installing AWS CLI
Linux
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install
Windows
Download from:
macOS
brew install awscli
Verify Installation
Run:
aws --version
Example:
aws-cli/2.27.0 Python/3.x
Configure AWS CLI
AWS CLI Configuration Files
Running aws configure (or aws configure sso for IAM Identity Center) writes two INI-style files.
Credentials (the secrets) go here:
~/.aws/credentials
Everything else (region, output format, named profiles, role and SSO settings) goes here:
~/.aws/config
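What those two files look like when set up to avoid long-lived keys, as an added example that is not AWS code: constructed config and credentials contents with a static-key profile, an AssumeRole-with-MFA profile and an SSO profile, plus a small audit that reports where each profile's credentials come from. The account id, role, URL and profile names are made up; the key pair is the AWS documentation example.

```python
"""Audit AWS CLI profiles for long-lived keys (added example, not an AWS tool).

~/.aws/credentials holds the secrets: INI sections named [default] or [name]
with aws_access_key_id / aws_secret_access_key (plus aws_session_token for
temporary keys). ~/.aws/config holds everything else: [default] or
[profile name] sections with region/output, and the settings that make the
CLI fetch temporary credentials itself: role_arn + source_profile
(+ mfa_serial) for AssumeRole, or sso_* settings for IAM Identity Center.
"""
import configparser
import os

# Constructed file contents. The key pair is the AWS documentation example;
# the account id, role, URL and profile names are made up.
SAMPLE_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

SAMPLE_CONFIG = """\
[default]
region = eu-west-1
output = json

[profile prod-admin]
role_arn = arn:aws:iam::123456789012:role/AdminRole
source_profile = default
mfa_serial = arn:aws:iam::123456789012:mfa/rahul
region = eu-west-1

[profile dev-sso]
sso_start_url = https://example.awsapps.com/start
sso_region = eu-west-1
sso_account_id = 123456789012
sso_role_name = Developer
region = eu-west-1
"""


def _parse(text):
    # AWS files use '=' only; ARNs contain ':' so keep ':' out of the delimiters.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(text)
    return parser


def load_profiles(config_text, credentials_text):
    """Merge both files into {profile name: {setting: value}}."""
    profiles = {}
    cfg = _parse(config_text)
    for section in cfg.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cfg[section])
    cred = _parse(credentials_text)
    for section in cred.sections():
        profiles.setdefault(section, {}).update(cred[section])
    return profiles


def classify_profile(settings):
    """Say where a profile's credentials come from and how risky that is."""
    if "sso_start_url" in settings or "sso_session" in settings:
        return "sso: temporary credentials"
    if "role_arn" in settings:
        via = settings.get("source_profile", "?")
        mfa = "with MFA" if "mfa_serial" in settings else "WITHOUT MFA"
        return f"assume-role via '{via}' {mfa}: temporary credentials"
    if "aws_secret_access_key" in settings:
        if "aws_session_token" in settings:
            return "pasted temporary credentials"
        return "long-lived access key: rotate and move to a role or SSO"
    return "no credential source"


def audit(config_text, credentials_text):
    profiles = load_profiles(config_text, credentials_text)
    return {name: classify_profile(s) for name, s in profiles.items()}


def audit_home(home=None):
    """Run the audit over the real files for the current user."""
    base = os.path.join(home or os.path.expanduser("~"), ".aws")
    texts = []
    for fname in ("config", "credentials"):
        path = os.path.join(base, fname)
        texts.append(open(path).read() if os.path.isfile(path) else "")
    return audit(*texts)


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_CONFIG, SAMPLE_CREDENTIALS).items():
        print(f"{name:12} {verdict}")
```

The prod-admin profile is the pattern worth copying: the only static key is the one in default, every privileged call goes through a role assumption that STS will refuse without the MFA token, and nothing privileged ever sits on disk.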
Never Commit AWS Keys to GitHub
One of the biggest beginner mistakes.
If keys leak publicly:
- Attackers can use your AWS account within minutes (public repositories are scanned continuously)
- Crypto mining attacks happen
- Huge AWS bills occur
Instead, use:
- IAM Roles (or SSO), so that no long-lived key exists to leak
- A secrets manager for keys that genuinely must exist
- Environment variables or the ~/.aws files, which stay outside the repository
If a key does leak, deactivate it in IAM immediately and then rotate it; rewriting the commit does not un-leak it.
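A scanner for the mistake this section describes, added here as example code rather than an AWS tool: it finds access key ids and secrets in text, exercised on two constructed sample files that contain the AWS documentation's public example key pair. The regular expressions, finding format and file names are assumptions.

```python
"""Pre-commit style scanner for hard-coded AWS credentials (added example).

A long-lived IAM key has two parts: a 20-character access key id (AKIA...
for IAM users; ASIA... marks temporary keys, also worth catching) and a
40-character secret. Run this over a working tree or a staged diff before
`git commit`; it is not an AWS tool, just the check the text asks for.
"""
import os
import re
import sys

ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key)\s*[=:]\s*['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample files using the AWS documentation example key pair.
SAMPLE_ENV = """\
# .env committed by mistake
AWS_REGION=eu-west-1
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_HOST=db.internal
"""

SAMPLE_PY = """\
import boto3
# hard-coded keys inside application code, the mistake the text describes
s3 = boto3.client(
    "s3",
    aws_access_key_id="AKIAIOSFODNN7EXAMPLE",
    aws_secret_access_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
)
"""


def scan_text(text: str, path: str = "<stdin>"):
    """Return (path, line number, finding type, value) tuples.
    Secrets are redacted to their first and last four characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append((path, lineno, "access-key-id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            findings.append((path, lineno, "secret-access-key",
                             secret[:4] + "..." + secret[-4:]))
    return findings


def scan_files(paths):
    """Scan files on disk; undecodable bytes are skipped rather than fatal."""
    findings = []
    for path in paths:
        if not os.path.isfile(path):
            continue   # deleted files can appear in a staged-diff listing
        with open(path, encoding="utf-8", errors="ignore") as fh:
            findings.extend(scan_text(fh.read(), path))
    return findings


if __name__ == "__main__":
    # Usage as a hook: python3 scan_keys.py $(git diff --cached --name-only)
    results = scan_files(sys.argv[1:]) if sys.argv[1:] else (
        scan_text(SAMPLE_ENV, ".env") + scan_text(SAMPLE_PY, "app.py"))
    for path, lineno, kind, value in results:
        print(f"{path}:{lineno}: {kind}: {value}")
    sys.exit(1 if results else 0)   # non-zero blocks the commit
```

The access key id is matched on its fixed shape alone, so it also catches keys pasted into docs or logs; the secret has no recognisable structure, so it is only flagged next to a key-like variable name, which is the trade-off every secret scanner makes.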
Useful AWS CLI Commands
List S3 Buckets
aws s3 ls
List EC2 Instances
aws ec2 describe-instances
List IAM Users
aws iam list-users
Get Current Identity
aws sts get-caller-identity
This is extremely useful for debugging permissions.
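What the Arn field of that output tells you, as an added helper that is not part of the AWS CLI: it classifies the documented ARN shapes for the root user, IAM users and assumed roles, and warns about the cases the Important Security Rule above covers. The sample outputs, account id, names and ids are constructed.

```python
"""Make sense of `aws sts get-caller-identity` output (added example).

The command prints JSON with UserId, Account and Arn. The Arn tells you which
kind of principal your CLI is running as: the root user, an IAM user, or a
role session (temporary STS credentials). This helper is not part of the CLI;
it parses the documented ARN formats and flags the cases the text warns about.
"""
import json
import re
import sys

# Constructed outputs in the shape the command prints; account id, names and
# ids are made up.
SAMPLE_ROOT = '{"UserId": "123456789012", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:root"}'
SAMPLE_USER = '{"UserId": "AIDAEXAMPLEUSERID00", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/platform/Rahul"}'
SAMPLE_ROLE = '{"UserId": "AROAEXAMPLEROLEID00:deploy-42", "Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/deploy-42"}'

_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<rest>.+)$"
)


def classify_identity(output_json: str) -> dict:
    """Return who the credentials belong to, plus a warning where it matters."""
    data = json.loads(output_json)
    m = _ARN.match(data["Arn"])
    if not m:
        raise ValueError(f"unexpected ARN: {data['Arn']}")
    rest = m.group("rest")
    info = {"account": m.group("account"), "kind": "other",
            "name": rest, "session": None, "warning": None}
    if rest == "root":
        info.update(kind="root", name="root",
                    warning="root credentials in use: stop, and switch to an IAM user or role")
    elif rest.startswith("user/"):
        # user ARNs may carry a path: user/<path>/<name>
        info.update(kind="iam-user", name=rest.split("/")[-1],
                    warning="long-lived user keys: prefer a role or SSO for daily work")
    elif rest.startswith("assumed-role/"):
        # assumed-role/<role name>/<session name>
        _, role, session = rest.split("/", 2)
        info.update(kind="assumed-role", name=role, session=session)
    elif rest.startswith("federated-user/"):
        info.update(kind="federated-user", name=rest.split("/", 1)[1])
    return info


def is_root(output_json: str) -> bool:
    return classify_identity(output_json)["kind"] == "root"


if __name__ == "__main__":
    # Usage: aws sts get-caller-identity | python3 whoami.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else None
    for text in ([raw] if raw else (SAMPLE_ROOT, SAMPLE_USER, SAMPLE_ROLE)):
        print(json.dumps(classify_identity(text)))
```

An assumed-role result is what you want to see from a CI job or an EC2 instance; an iam-user result from a server means somebody put long-lived keys on it, and a root result means stop what you are doing.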
AWS STS (Security Token Service)
STS issues temporary credentials: an access key, a secret key and a session token that expire after a set time (minutes to hours).
Used heavily with:
- IAM Roles (AssumeRole)
- Federation (SSO, SAML, OIDC)
- Kubernetes IAM (IRSA / EKS Pod Identity)
- Cross-account access
This is one of the most important concepts in enterprise AWS security: almost every modern access path ends in an STS call rather than a long-lived key.
Real Enterprise IAM Practices
Large companies usually implement:
- SSO (Single Sign-On) through IAM Identity Center or an external identity provider
- MFA everywhere
- Role-based access
- Temporary credentials
- Permission boundaries
- IAM Access Analyzer
- Audit logging with CloudTrail
Common IAM Mistakes
Using the root account daily
Very dangerous.
Giving AdministratorAccess to everyone
Creates a massive attack surface.
Hardcoding AWS keys
A common breach cause.
No MFA
Huge security risk.
Overly permissive policies
Avoid:
"Action": "*"
IAM + DevOps + Security
IAM connects with almost everything in AWS:
| Service | IAM Usage |
|---|---|
| EC2 | Instance Roles (instance profiles) |
| Lambda | Execution Roles |
| Kubernetes (EKS) | IAM Roles for Service Accounts (IRSA) / EKS Pod Identity |
| Terraform | Automation Access |
| CI/CD | Pipeline Permissions (ideally OIDC federation into a role, not stored keys) |
| CloudTrail | Audit Logs |
IAM is the backbone of AWS security.
Final Thoughts
If networking is the foundation of the cloud...
Then IAM is the foundation of cloud security.
Most real-world AWS problems are not caused by:
- EC2
- Kubernetes
- Lambda
They're caused by:
- Wrong permissions
- Exposed credentials
- Weak access control
Mastering IAM early will make you a much stronger:
- Cloud Engineer
- DevOps Engineer
- Security Engineer
- Platform Engineer
And AWS CLI will help you automate everything professionally.