This article describes the basics of IAM to give you a rough idea of how IAM works.

What is IAM?

AWS Identity and Access Management (IAM) is a mechanism for authentication and authorization that lets you conduct AWS operations securely.

The two main considerations are:

  • Security Risks
    • Prevent operations by unauthorized, external users
    • Restrict users who can access certain AWS services
  • Operational Risks
    • Prevent misoperation
    • Restrict operations


IAM users must be granted privileges (IAM policies) to access and operate AWS services such as S3.

In other words, IAM users cannot access S3 and other services unless they are granted permissions (IAM policies).

The IAM mechanism can restrict the AWS services that IAM users can access.


Main elements that make up IAM

  • IAM user
    • A user who has access to AWS services.
  • IAM Group
    • A kind of folder to organize IAM users.
    • Multiple IAM users can belong to one IAM group. (What are the steps?)
    • Permissions can be set to IAM groups to allow the same permissions to multiple IAM users in a single operation.
  • IAM Policy
    • What is the setup procedure?
      • Describe and name from the MC
    • Format.
      • JSON format
    • Describe what?
      • AWS resource (described by ARN)
      • Allow or deny operation
      • From which networks to grant access
    • Who does the policy apply to?
      • IAM Users, IAM Groups, IAM Roles
  • IAM Roles
    • When to use it?
      • AWS Service-to-Service Integration
      • When migrating data from EC2 to S3
    • How to create?
    • What is the reality? (How does it look on the MC during operation?)
    • What are the setup and creation procedures?


What to do for authorization (authentication) (procedure)

  1. Design which AWS services and what kind of access rights (authentication) are given to AWS users (IAM users).
  2. The authentication method is determined by the AWS service.
  3. Set (describe) the access policy.
  4. Assign (apply) access policies to individuals and groups (authorization settings).


AMI Features

  1. Retain the OS settings and other settings of an EC2 instance as an image and use it to configure a new instance.
  2. Information from AMI is copied to EBS during instance creation
  3. AMI can be copied to another region


IAM Group

An IAM group is like a box that organizes multiple IAM users.

The reason why multiple IAM users are combined into one IAM group is to set the same IAM policy for multiple IAM users.

By granting an IAM policy to an IAM group, the same IAM policy can be set for all of the multiple IAM users in the IAM group at once.

IAM Policy

Set in JSON format

  • Effect
    • "Allow" → Allow
    • "Deny" → reject
  • Action
    • Target AWS service e.g. "s3:Get".
  • Resource
    • Described in the target AWS resource ARN
  • Condition
    • Conditions under which access control is enabled
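
The four policy elements above in a worked policy, as an added example that is not part of the original article: a simplified evaluator showing how Effect, Action, Resource and Condition combine, with an explicit Deny overriding any Allow and no match meaning no access. The bucket name, CIDR range and helper names are constructed for illustration, and only the `IpAddress` / `aws:SourceIp` condition is modelled.

```python
import fnmatch
import ipaddress
import json

# Constructed policy: bucket name and CIDR are placeholders, not real resources.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}
  ]
}
""")

def _as_list(value):
    # Policy fields may hold a single string or a list of strings.
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, source_ip):
    # Action names are compared case-insensitively; ARNs are case-sensitive.
    if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
        return False
    # Simplification: only the IpAddress / aws:SourceIp condition is evaluated.
    cidrs = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
    if cidrs is None:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(c) for c in _as_list(cidrs))

def evaluate(policy, action, resource, source_ip):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' (nothing matched)."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if _matches(stmt, action, resource, source_ip):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            decision = "Allow"
    return decision
```
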


What is an IAM role?

Access privileges are granted (assigned) to AWS services such as EC2 and S3 as roles.

As an example, IAM roles are used when EC2 accesses S3.



Specific usage settings (use cases)

IAM Authentication Methods

IAM user authentication methods differ depending on the AWS service used.


Authentication methods and details:

  • Access key ID and secret access key
    • EC2 instance connection and other REST/Query formats
    • Used for authentication when using AWS CLI and APIs
  • X.509 Certificate
    • Authentication method for SOAP-style API requests
  • Login password to AWS Management Console
    • Set a password for each AWS account to log in.
  • MFA (multi-factor authentication)
    • Pin code authentication using physical devices, etc.