Episode 28: IAM Basics: Users & Groups
Identity and Access Management, or IAM, is the foundation of AWS security. It provides the building blocks for controlling who can access resources and what actions they can perform. At the simplest level, IAM organizes access through users, groups, roles, and policies. For the AWS Certified Cloud Practitioner exam, you don’t need to write policies in detail, but you should understand the purpose of IAM users and groups, how policies are attached, and why best practices like least privilege and MFA are so critical. IAM is the front door to AWS, and securing it correctly is essential.
IAM users represent long-term identities for individual people. Each user has credentials, such as a password for console access or access keys for programmatic access. These credentials allow them to interact with AWS in their daily work. For example, a developer might have an IAM user account that lets them log in and manage test servers. On the exam, remember that IAM users are designed for people who need ongoing access, not for applications or workloads.
IAM groups simplify management by acting as containers for users. Instead of assigning policies individually, administrators attach them to groups, and all members inherit the same permissions. For example, a “Developers” group might grant access to testing environments, while a “Finance” group grants access to billing data. This reduces errors and ensures consistency. On the exam, remember that groups are for organizing users and policies, not for logging in—only users can sign in.
Best practice is to attach policies to groups, not individual users. This makes permissions easier to manage as teams grow and change. If a new employee joins the development team, adding them to the Developers group automatically grants the right permissions. If they move to another department, removing them from one group and adding them to another changes their access without modifying individual policies. On the exam, know that group-based management is always preferred.
Password policy standards are another part of IAM basics. AWS allows administrators to enforce account-wide password rules, such as requiring minimum length, complexity, or periodic rotation. This ensures user accounts are not secured by weak or reused passwords. For example, an organization might enforce twelve-character passwords with upper- and lowercase letters, numbers, and symbols. On the exam, remember that password policies enforce strong authentication for IAM users.
Multi-Factor Authentication, or MFA, should be enabled for all users handling sensitive actions. MFA requires a second verification factor beyond the password, making accounts much harder to compromise. For example, even if a password is stolen, an attacker cannot log in without the MFA code. For exam purposes, remember that MFA is one of the simplest and most effective security measures AWS recommends.
Access keys allow IAM users to access AWS programmatically, such as through the command line or SDKs. However, they represent a risk if not managed carefully. Best practices include creating them sparingly, rotating them regularly, and disabling or deleting them if no longer needed. On the exam, know that access keys should be used only when required and should never be hardcoded into applications or scripts.
IAM supports two types of policies: managed and inline. Managed policies are reusable documents that can be attached to multiple identities. AWS provides many prebuilt managed policies, such as “AmazonS3ReadOnlyAccess.” Inline policies, by contrast, are embedded directly into a single user or group and cannot be reused. On the exam, remember the difference: managed policies are scalable, while inline policies are one-off.
Policies in IAM are written in JSON format, with key elements like Effect, Action, Resource, and Condition. Effect specifies whether access is allowed or denied. Action defines what API operations are permitted. Resource specifies which AWS resources the policy applies to, and Condition adds contextual restrictions, such as time of day or IP address. For exam purposes, you don’t need to memorize syntax, but you should recognize these four building blocks of a policy.
The principle of least privilege applies to every policy. This means granting only the permissions needed to do the job and no more. For example, a policy might allow a developer to “GetObject” from one specific S3 bucket but not to delete or modify data. On the exam, expect questions where the safest answer is the one that follows least privilege.
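As an added example (not from the episode), the policy the text describes, built from the four building blocks above, plus a small checker that flags Allow statements granting wildcard actions or resources. The bucket name and CIDR are constructed, and `find_overbroad_statements` is a hypothetical helper of my own, not an AWS API.

```python
import json


def least_privilege_read_policy(bucket, allowed_cidr):
    """Read-only access to one bucket's objects, restricted by source IP (constructed values)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",                              # allow (the alternative is Deny)
            "Action": ["s3:GetObject"],                     # read only, no PutObject/DeleteObject
            "Resource": [f"arn:aws:s3:::{bucket}/*"],       # objects in one named bucket only
            "Condition": {"IpAddress": {"aws:SourceIp": allowed_cidr}},  # contextual restriction
        }],
    }


def _as_list(value):
    # Policy JSON allows a single string or a list for Action/Resource/Statement
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy):
    """Return indexes of Allow statements that use '*' or 'service:*' actions or '*' resources."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # an explicit Deny narrows access; it never widens it
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        broad_resource = any(r == "*" for r in resources)
        if broad_action or broad_resource:
            findings.append(i)
    return findings


if __name__ == "__main__":
    policy = least_privilege_read_policy("example-app-logs", "203.0.113.0/24")
    print(json.dumps(policy, indent=2))
    print("over-broad statements:", find_overbroad_statements(policy))
```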
IAM provides a credential report that administrators can generate to review user access across the account. The report shows details such as password usage, MFA status, and access key activity. This makes it easier to identify risks like unused accounts or missing MFA. On the exam, remember that credential reports are used to audit IAM users and their authentication settings.
Enforcing strong authentication at the account level is another IAM feature. Administrators can configure settings that apply to all IAM users, ensuring consistent security across the organization. This includes requiring MFA, setting password complexity, and monitoring activity. On the exam, know that account-wide settings provide centralized control.
Tags can also be applied to IAM users and groups. Tags are metadata in key-value format, such as “Department: HR” or “Project: Alpha.” They can be used for attribute-based access control, reporting, and cost allocation. For example, tags can restrict access so that users only see resources tagged with their project. On the exam, remember that tags enhance IAM governance and support ABAC.
Finally, AWS recommends never embedding secrets like passwords or access keys directly into code or scripts. Secrets should be stored securely in services such as AWS Secrets Manager or Systems Manager Parameter Store. Hardcoding credentials is a common mistake that creates vulnerabilities. For the exam, know that secrets should never be stored in code, and IAM roles are the safer alternative for applications.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
In AWS, the recommended approach is to prefer IAM roles over users for applications and workloads. Roles provide temporary, automatically rotated credentials through AWS STS, eliminating the risks that come with static access keys. For example, an EC2 instance can assume a role to access S3 without ever storing long-lived keys on the server. For the exam, remember that roles are always safer for workloads, while IAM users are intended for individual people.
Service-linked roles are a special type of IAM role created and managed by AWS itself. Certain services, such as Amazon RDS or GuardDuty, require permissions to perform actions on your behalf. Instead of you creating these roles manually, AWS creates service-linked roles with predefined permissions. They simplify administration and ensure services have the precise access needed. For the exam, know that service-linked roles are automatically managed and tied to specific AWS services.
Cross-account access is another powerful feature of IAM roles. Rather than creating duplicate users in multiple accounts, administrators can allow users from one account to assume a role in another. For example, a security team in a central account could assume roles in application accounts to perform audits. This reduces duplication and improves security. On the exam, remember that cross-account access relies on IAM roles and trust policies, not separate user accounts.
Identity federation is a way to avoid creating large numbers of IAM users at scale. Instead, employees log in with their existing corporate credentials through systems like Active Directory or third-party identity providers. Federation reduces the need to manage user accounts inside AWS and allows organizations to enforce consistent policies across all systems. On the exam, remember that federation avoids IAM sprawl and leverages existing identity systems.
A best practice in IAM is to align group membership with job responsibilities. The principle of “one job = one set of group memberships” ensures clarity and reduces confusion. For example, a user might belong to a “Developers” group or a “Finance” group, but not both at the same time. This avoids permission overlap and makes it easier to enforce least privilege. For the exam, know that clear group membership prevents unnecessary permissions.
Detecting orphaned credentials and inactive users is critical for security. Orphaned credentials are access keys or accounts that remain active but no longer belong to an active employee or system. AWS tools like credential reports and Access Advisor can highlight unused accounts or keys. Removing them promptly reduces the attack surface. For the exam, expect questions about reviewing and disabling unused credentials to maintain a secure environment.
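As an added example covering the credential report review described here and earlier in the episode (my own code, not an AWS tool), the following parses a credential report in its CSV form and flags console users without MFA, inactive console users, and access keys that are unused or unrotated past an idle threshold. The column names follow the report format; the users, account id, and timestamps are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: header columns as in the real report, rows invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T08:00:00+00:00,true,2024-06-01T09:15:00+00:00,2024-03-01T08:00:00+00:00,N/A,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-05T08:00:00+00:00,true,2024-05-28T11:00:00+00:00,2024-01-15T08:00:00+00:00,N/A,false,true,2023-02-05T08:00:00+00:00,2023-09-01T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
svc-legacy,arn:aws:iam::111122223333:user/svc-legacy,2022-07-20T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2022-07-20T08:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

AUDIT_TIME = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed "now" so results are reproducible


def _parse_ts(value):
    # The report writes N/A or no_information when there is nothing to report
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_idle_days=90):
    """Return (user, finding) pairs for the authentication risks the episode calls out."""
    findings = []
    stale = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_password = row["password_enabled"] == "true"
        if has_password and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        last_login = _parse_ts(row["password_last_used"])
        if has_password and (last_login is None or last_login < stale):
            findings.append((user, "inactive console user"))
        for n in ("1", "2"):  # the report tracks up to two access keys per user
            if row[f"access_key_{n}_active"] != "true":
                continue
            last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None or last_used < stale:
                findings.append((user, f"access key {n} unused for {max_idle_days}+ days"))
            rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and rotated < stale:
                findings.append((user, f"access key {n} not rotated for {max_idle_days}+ days"))
    return findings


def audit_sample():
    return audit_credential_report(SAMPLE_REPORT, AUDIT_TIME)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```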
Guardrails can be applied with Service Control Policies and permissions boundaries. SCPs enforce organization-wide restrictions, while permissions boundaries cap the maximum permissions for individual roles or users. Together, they prevent over-permissioning and enforce consistent governance. For example, even if a user is accidentally assigned a broad policy, the permissions boundary prevents dangerous actions. On the exam, know that guardrails are part of maintaining least privilege in IAM.
It’s also important to separate human identities from machine identities. People should use IAM users or federated logins, while machines and applications should use IAM roles. Mixing these approaches creates risk and confusion. For example, embedding human credentials in an application is both insecure and unnecessary. For exam preparation, remember that roles are for machines, while users are for humans.
Audit trails are essential for validating IAM practices. CloudTrail logs every IAM action, such as who created or deleted users, while Access Analyzer reviews policies to detect overly broad permissions. Together, they provide visibility into IAM activity and help refine policies. On the exam, know that CloudTrail and Access Analyzer are the tools for auditing and improving IAM governance.
Offboarding is a critical moment in IAM. When an employee leaves, their IAM user should be deprovisioned immediately. This includes disabling access keys, removing them from groups, and deleting their account. Delays in offboarding create unnecessary risks. For the exam, remember that immediate key revocation and deprovisioning are best practices during offboarding.
Aligning IAM with HR lifecycle events improves security and efficiency. When a person joins the company, they are provisioned into the correct groups. When they change roles, their group memberships are updated. When they leave, their access is revoked. This integration ensures that IAM reflects the reality of employee responsibilities. On the exam, know that IAM should follow the employee lifecycle to avoid excess permissions.
From the exam’s perspective, clarity between users, groups, and roles is critical. Users are long-term identities for people. Groups organize users and policies. Roles provide temporary access, often for machines, cross-account scenarios, or federation. Understanding these distinctions will help you answer exam questions correctly and explain AWS access models in the workplace.
Finally, documentation is a key part of IAM. Organizations should maintain standard operating procedures for creating, updating, and deprovisioning identities. Clear patterns ensure consistency and prevent mistakes. For example, a documented process might require all new employees to be placed into predefined groups with MFA enabled. For the exam, remember that well-documented IAM processes reduce risk and support compliance.
As we close this episode, remember that simple, group-centric IAM practices minimize both risk and administrative overhead. Create users only when needed, manage permissions through groups, enforce strong authentication, and prefer roles for workloads. By following these patterns, organizations ensure IAM remains secure, scalable, and aligned with least privilege. For the exam, focus on the differences between users, groups, and roles, and on best practices for securing human access to AWS.