█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/Cybersecurity/Identity and Access Management/Hands-on: AWS IAM Policies
50 minIntermediate

Hands-on: AWS IAM Policies

After this lesson, you will be able to: Write AWS IAM policies that grant least-privilege access, attach them to roles, and verify enforcement in the IAM Policy Simulator.

AWS IAM is the most expressive policy language in mainstream cloud and the source of countless misconfiguration breaches when written badly. This lesson covers users vs groups vs roles, policy structure, the Policy Simulator, and the workflow real security engineers use to harden permissions in production.

Prerequisites:What is IAM?

Users, groups, roles, the actual mental model

A user is a long-lived identity with a password or access key. A group is a bundle of users that share the same policies. A role is an identity any principal (user, EC2 instance, Lambda, another AWS account) can assume temporarily to get short-lived credentials. Best-practice modern AWS: humans federate from an IdP via IAM Identity Center, services use roles. Long-lived access keys are an anti-pattern almost everywhere.

IdP
Entra / Okta
→
IAM Identity Center
→
Permission set
→
Assume role
short-lived STS creds
→
AWS API
Federated access to AWS. Users log in at the IdP once and get temporary credentials, so there are no long-lived AWS keys to leak.

Anatomy of an IAM policy

Every IAM policy is JSON with five fields. Read this slowly, every word matters.

json
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "ReadOneBucket",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::my-data-bucket",
"arn:aws:s3:::my-data-bucket/*"
],
"Condition": {
"IpAddress": { "aws:SourceIp": ["203.0.113.0/24"] }
}
}]
}

⚠️ Wildcard is the original sin

`"Action": "*"` or `"Resource": "*"` is convenient and dangerous. Read every policy you see and ask: could a smaller scope do the job? AWS Access Analyzer generates least-privilege policies automatically from CloudTrail history, use it on legacy policies.

Build and test a least-privilege policy

Spin up a free-tier AWS account if you don't have one. Use it strictly for learning, never store real data.

  1. 1

    Create an S3 bucket called 'iam-lab-<your-initials>' and upload a sample text file

  2. 2

    IAM > Policies > Create policy > JSON. Paste the policy above with your bucket ARN

  3. 3

    Name it S3-LabBucket-Read

  4. 4

    Create a new IAM user lab-reader, attach the policy directly (skip a group for this drill)

  5. 5

    Open the IAM Policy Simulator (policysim.aws.amazon.com) and simulate s3:GetObject on your bucket as lab-reader, confirm Allowed

  6. 6

    Simulate s3:DeleteObject on the same bucket, confirm Denied

  7. 7

    Generate an access key for lab-reader temporarily, configure the AWS CLI with it, run `aws s3 ls s3://iam-lab-<initials>` and confirm it works; then run `aws s3 rm` and confirm it fails

  8. 8

    Delete the access key when you're done

Common misconfigurations that breach companies

S3 bucket with `"Principal": "*"` in its bucket policy (any AWS account can read). EC2 instance role with `AdministratorAccess` attached for convenience (an SSRF on that instance = full account compromise). Cross-account role with weak ExternalId or no Conditions (third-party SaaS like Datadog or Wiz needs ExternalId enforced). Long-lived access keys committed to public GitHub (still the #1 source of cloud breaches per Mandiant, 2025). Use AWS IAM Access Analyzer + GuardDuty to catch all of these.

Quick Check

Which IAM construct should an EC2 instance use to call S3?

Pick the right pattern for service-to-service auth.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←Hands-on: Microsoft Entra ID
Back to Identity and Access Management
OAuth 2.0 and OIDC Flows→