25
Oct

AWS IAM: A Practical Guide to Users, Roles, and Modern Best Practices

Think of your AWS account as a secure corporate headquarters. The root user—the identity created when you first open the account—holds the master key that opens every single door. You would never hand out that master key to employees for their daily work. Instead, you issue individual keycards, each programmed to open only the specific doors an employee needs to do their job.

This is the core principle behind AWS Identity and Access Management (IAM). It’s a fundamental AWS service that allows you to securely control who (or what) can access your cloud resources.

However, the way we manage those “keycards” has evolved. In a modern AWS environment, we must distinguish between access for humans and access for machines. This guide will walk you through IAM Users, which are essential for applications, and explain why AWS IAM Identity Center is now the gold standard for managing human access.

IAM Concepts: The Building Blocks of AWS Security

To manage access effectively, you need to understand these core components.

What Defines an IAM User?

An IAM User is a long-term identity within your AWS account that represents a person or, more commonly today, an application. Each user has a unique name and is identified globally by an Amazon Resource Name (ARN), such as arn:aws:iam::123456789012:user/ApplicationDeployer. By default, a new IAM user has no permissions to do anything.

User Credentials Explained

IAM users can have different types of credentials for different use cases:

  • Access Keys: A pair consisting of an Access Key ID and a Secret Access Key. These are used for programmatic access via the AWS Command Line Interface (CLI), Software Development Kits (SDKs), or direct API calls. This is the primary credential type for applications.
  • Console Password: A password that allows a human to sign in to the AWS Management Console. With the rise of IAM Identity Center, creating users with console passwords has become far less common.
  • Multi-Factor Authentication (MFA): An extra layer of security that requires a time-sensitive code from a virtual or physical device. It should be enforced wherever possible.

How IAM Users Get Permissions

Permissions in AWS are defined in JSON documents called IAM policies. A policy explicitly lists what actions are Allow-ed or Deny-ed on specific AWS resources. To grant permissions, you attach these policies to an IAM user.

For better management, instead of attaching policies to individual users, you can create an IAM Group, attach policies to the group, and then add users to it. Any user in the group automatically inherits its permissions.

IAM Users vs. IAM Roles: The Modern Distinction

This is a critical concept:

  • An IAM User has permanent, long-term credentials (like an access key) that must be managed and rotated.
  • An IAM Role is an identity that provides temporary, short-term credentials. It is designed to be “assumed” by a trusted entity (like an EC2 instance, a Lambda function, or a federated human user).

Best Practice: For workloads running inside AWS (e.g., an application on an EC2 instance), always use an IAM Role. AWS automatically manages and rotates the temporary credentials, which is far more secure than storing a permanent IAM user access key on the instance.

Step-by-Step Guide: Creating an IAM User for Programmatic Access

While human access should be managed via IAM Identity Center, you will still need IAM users for applications running outside of AWS or for service accounts (e.g., a CI/CD pipeline).

Here’s how to create one safely:

  1. Log in to the AWS Management Console with an administrative account.
  2. Navigate to the IAM service.
  3. In the left navigation pane, click on Users, then click the Create user
  4. Set User Details: Enter a descriptive User name (e.g., github-actions-deployer). Click Next.
  5. Set Permissions: Choose Attach policies directly. Search for and select a policy that grants the minimum required permissions (Principle of Least Privilege). For example, a custom policy that only allows deploying to a specific S3 bucket. Click Next.
  6. Review and Create: Verify the user name and permissions are correct, then click Create user.
  7. After creation, navigate to the user, select the Security credentials tab, and click Create access key.
  8. Choose Third-party service as the use case, acknowledge the recommendation, and click Next.
  9. Securely Save Credentials: This is the only time you can view or download the secret access key. Copy both the Access Key ID and the Secret Access Key and store them securely in a secret manager or as an encrypted variable in your CI/CD system.

Best Practices for Modern IAM Management

A strong security posture comes from disciplined management.

Theme 1: Foundational Security

  • Lock Down the Root User: Your root user should only be used for a few specific tasks, like initial account setup or closing the account. Enable MFA on it and never use it for daily work.
  • Enforce MFA Everywhere: Require Multi-Factor Authentication for all human users and any privileged IAM users. This is your single most effective defense against credential compromise.
  • Embrace Least Privilege: Always grant the absolute minimum permissions necessary for a user or role to perform its function. Start with nothing and add permissions as needed.

Theme 2: Scalable Permission Management

  • Use IAM Identity Center for Humans: For human access, use AWS IAM Identity Center (or federation with an existing provider like Okta or Entra ID). This provides users with temporary credentials via a user-friendly portal, centralizes access management, and eliminates the need to manage thousands of static IAM users.
  • Use Groups for Scalability: For your programmatic IAM users, group them by function (e.g., CICD-Users, Monitoring-Tools) and apply policies to the group.
  • Limit Who Can Manage IAM: Not every administrator needs the ability to create users or change policies. Restrict these powerful permissions to a small, trusted set of security administrators.

Theme 3: Credential Hygiene and Auditing

  • Rotate Access Keys: For the programmatic IAM users you do have, rotate their access keys regularly (e.g., every 90 days).
  • Enable AWS CloudTrail: CloudTrail logs all API activity in your account. This is essential for auditing who did what and when, and for detecting suspicious behavior.
  • Manage the User Lifecycle: Have a clear process for onboarding and offboarding. When an application is decommissioned or a third-party service is no longer used, immediately deactivate and delete the associated IAM user and its credentials.

Conclusion: Security as a Mark of Maturity

A well-structured IAM setup is not just a security measure—it’s a mark of operational maturity. By clearly separating human and machine access, prioritising temporary credentials through IAM Identity Center and IAM Roles, and diligently managing the lifecycle of the few IAM users you create, you build a resilient and secure foundation. This discipline will safeguard your environment and provide the control and agility your organisation needs to thrive in the cloud.

share

Upgrade Your EKS Cluster from 1.32 to 1.33: A Guide to Benefiting from the Newest Features Without Disrupting Your Applications

Upgrade Your EKS Cluster from 1.32 to 1.33: A Guide to Benefiting from the Newest Features Without Disrupting Your Applications

previous-blog-arrowPrevious
Scaling in the Cloud: Choosing Between Vertical and Horizontal Growth Strategies

Scaling in the Cloud: Choosing Between Vertical and Horizontal Growth Strategies

next-blog-arrowNext