█
LastWrite
  • > Curriculum
  • > Pricing
  • > For Educators
  • > About
  • > Contact
Log InGet Started

Questions, concerns, bug reports, or suggestions? We read every message, write to us at [email protected].

More ways to reach us →
LastWrite

Structured computer science lessons for aspiring developers and security professionals.

[email protected]

(201) 785-7951

Mon–Fri, 9 AM–5 PM EST

Learn

  • Curriculum
  • Pricing

Company

  • About
  • For Educators & Schools
  • Contact Us

Legal

  • Terms of Service
  • Privacy Policy
© 2026 LastWrite. All rights reserved.
Curriculum/DevOps and Infrastructure/Cloud Platforms — AWS/IAM in Depth
55 minIntermediate

IAM in Depth

After this lesson, you will be able to: Apply IAM users, roles, policies, the principle of least privilege, service roles, and instance profiles in real AWS workflows.

IAM is the foundation of every AWS deploy. A misconfigured IAM policy is the most common source of cloud breaches. This lesson covers the model properly.

Prerequisites:AWS Core Services

The four IAM primitives

User: a human or programmatic identity. Has long-lived credentials (password / access key). Group: a bundle of users that share policies. Lets you manage permissions at a team level. Role: an identity that can be ASSUMED by users, services, or external parties. Yields temporary credentials. Policy: JSON document declaring what's allowed / denied. Attached to users, groups, or roles.

Anatomy of a real IAM policy

Read this slowly; every field matters.

css
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ReadOneBucket",
"Effect": "Allow",
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::my-data-bucket",
"arn:aws:s3:::my-data-bucket/*"
],
"Condition": {
"IpAddress": { "aws:SourceIp": ["203.0.113.0/24"] }
}
}
]
}
# Effect: Allow or Deny (Deny wins over Allow)
# Action: which API calls (s3:GetObject, ec2:*, etc.)
# Resource: which ARNs (bucket arn for bucket-level; arn/* for object-level)
# Condition: extra constraints (IP, time, MFA, tags)

Wildcards are the original sin

`"Action": "*"` or `"Resource": "*"` means 'everything'. Convenient; dangerous. Read every policy you see and ask: could a smaller scope do the job? AWS IAM Access Analyzer generates least-privilege policies from CloudTrail history. Use it on every legacy policy. The single most common cloud breach pattern: an over-permissive IAM role assumed by a compromised service.

Roles vs users: when to use which

User: for humans. Long-lived credentials. Add MFA. Rotate keys. Role: for everything else. Services (EC2, Lambda, ECS Pods) assume roles. Get short-lived credentials automatically. No keys to rotate. Modern best practice: zero long-lived AWS access keys. Humans federate from SSO (Identity Center / Okta) into roles. Services use instance profiles / IRSA / task roles. If you have to write `AKIAxxxx` keys into a config file, you're doing it the old way.

Instance profile: how EC2 gets credentials without keys

Attach a role to the EC2 instance; SDK auto-assumes it.

json
# 1. Create a role with trust policy 'EC2 can assume me'
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": { "Service": "ec2.amazonaws.com" },
"Action": "sts:AssumeRole"
}]
}
# 2. Attach a permissions policy (e.g. S3 read for one bucket)
# 3. When launching EC2 (or in instance settings), attach the role.
# 4. SDK on the instance (aws-sdk in Node, boto3 in Python) auto-fetches
# credentials from the instance metadata service (IMDSv2).
# Result: no AWS keys on the instance. Credentials rotate automatically.
# Same pattern for Lambda (execution role), ECS task role, EKS Pod IAM (IRSA).

💡 MFA + Identity Center > IAM users

For human access, set up IAM Identity Center (formerly AWS SSO). Federate from Okta / Entra ID / Google / Microsoft. Users get a portal; click into accounts + roles. Short-lived credentials per session. Identity Center is free; works across an entire AWS Organization. If you're still managing IAM users for humans in 2026, migrate.

Common mistakes only experienced engineers avoid

Long-lived access keys committed to public repos. Top source of cloud breaches. AdministratorAccess attached to every role 'just in case'. Audit weekly with IAM Access Analyzer. Trust policies with Principal: *. Anyone (any AWS account) can assume the role. Always specify the account ID or condition. Inline policies vs managed: prefer managed (reusable, versioned). No conditions on MFA-required actions. Use `aws:MultiFactorAuthPresent` condition on destructive operations.

Quick Check

Your Lambda function needs to read from one S3 bucket. What's the right pattern?

Pick the modern approach.

Sign in and purchase access to unlock this lesson.

Sign in to purchase
←AWS Core Services
Back to Cloud Platforms — AWS
EC2→