🔑Mastering AWS IAM: The Beginner-Friendly Way
AKASH S

Publish Date: Jul 18

What is IAM?

IAM (Identity and Access Management) is the heart of AWS security. It decides:

  • Who can access our AWS account
  • What they can do (read, write, delete, launch etc.)
  • Which services/resources they can interact with

IAM helps us control access securely without sharing our Root account (the super admin; in my case, my Free Tier root user account).

IAM Users:

  • A User = one person with credentials (username + password or access key).
  • Created by the Root user (owner of AWS account).
  • We give only the permissions they need, nothing more!

Real-world Example:

I’m the root user of my AWS Free Tier account. I want my friend Sanjay to learn AWS but not touch everything, so I create an IAM user called sanjay and give him access only to:

  • EC2
  • S3
  • VPC

He now has his own login, and I keep my root user for myself.

IAM Groups:

  • A Group = collection of users with common permissions.
  • Instead of assigning policies to each user manually, just assign them to the group.

Real-world Example:
I have two teams:

  • ML Dev Team – needs SageMaker, Fargate
  • Fullstack Team – needs Amplify, Lambda

So I create 2 groups:

  • ML-Team: attach ML-related policies
  • FullStack-Team: attach web-related policies

Then I add users to the respective groups.

Giving Admin Powers (Team Leads)

Sometimes a user in a group needs more power than the others (like a Team Lead).

We can do this in 2 ways:

  • Attach an additional policy to that user
  • Use an Inline Policy (explained below)

IAM Roles

  • A Role = permission container used by services, not users.
  • Helps one AWS service talk to another securely.

Real-world Example

  • I have an EC2 instance that needs to read data from an S3 bucket.
  • I create a Role with the AmazonS3ReadOnlyAccess policy attached,
  • then attach the role to the EC2 instance.

Now the EC2 instance can access S3 without any access keys. Fully secure..!
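The role setup above, as an added example that is not code from the original post: a Python/boto3 script that writes the role's trust policy (the part the console generates when you pick "EC2" as the trusted entity), attaches the AmazonS3ReadOnlyAccess managed policy, and wraps the role in an instance profile, which is the extra step EC2 requires even though the console hides it. The role and profile name and the instance id are assumptions; boto3 is imported only when the script is run, so the policy helpers can be checked without AWS access.

```python
"""Added example (not from the original post): create the EC2 -> S3 read-only role
with boto3. AmazonS3ReadOnlyAccess is the real AWS managed policy the post names;
the role name and instance id below are assumptions."""
import json

S3_READONLY_POLICY_ARN = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"


def ec2_trust_policy():
    """Trust policy: only the EC2 service (not a user or another account) may assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def trust_policy_is_tight(policy):
    """Defender's check: no statement lets any principal ('*') assume the role."""
    for stmt in policy["Statement"]:
        principal = stmt.get("Principal", {})
        values = [principal] if isinstance(principal, str) else [
            v for vs in principal.values() for v in (vs if isinstance(vs, list) else [vs])]
        if "*" in values:
            return False
    return True


def create_ec2_s3_readonly_role(iam, role_name="ec2-s3-readonly"):
    """Create the role, attach the managed policy, and put the role in an instance
    profile of the same name. `iam` is a boto3 IAM client (or anything with the same
    method names); EC2 only accepts roles through an instance profile."""
    trust = ec2_trust_policy()
    if not trust_policy_is_tight(trust):
        raise ValueError("refusing to create a role anyone can assume")
    iam.create_role(RoleName=role_name,
                    AssumeRolePolicyDocument=json.dumps(trust),
                    Description="Lets an EC2 instance read S3 without access keys")
    iam.attach_role_policy(RoleName=role_name, PolicyArn=S3_READONLY_POLICY_ARN)
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return role_name


def attach_to_instance(ec2, instance_id, profile_name):
    """Associate the instance profile with a running instance (`ec2` is a boto3 EC2 client)."""
    return ec2.associate_iam_instance_profile(
        IamInstanceProfile={"Name": profile_name}, InstanceId=instance_id)


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 installed
    session = boto3.Session()
    profile = create_ec2_s3_readonly_role(session.client("iam"))
    # placeholder instance id; replace with the instance that needs S3 access
    attach_to_instance(session.client("ec2"), "i-0123456789abcdef0", profile)
```

IAM is eventually consistent, so a freshly created instance profile can take a few seconds before EC2 accepts it in associate_iam_instance_profile; a short retry loop around that call is the usual fix. Once attached, code on the instance picks the role's temporary credentials up automatically from the instance metadata service, which is why no access key ever has to be copied onto the box.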

Inline Policy

  • A custom policy attached directly to a user or group.
  • Used for special, one-time permissions.
  • Gets deleted if the user is deleted.

Real-world Example

  • Sanjay needs temporary access to DynamoDB.
  • Instead of creating a new group, I create an inline policy just for him.

Resource Policy

  • Like a Bucket Policy in S3.
  • Used to control access directly from the resource itself.
  • Example: give access to specific users/folders inside an S3 bucket.

Real-world Example

One S3 bucket, two folders: ml/ and nlp/

  • User 1 needs access to ml/
  • User 2 needs access to nlp/

We will write a bucket policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/user1" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/ml/*"
    },
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:user/user2" },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::my-bucket/nlp/*"
    }
  ]
}


We can add multiple users or groups in "Principal"!
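To see how these policies actually combine, here is an added example (not code from the original post): a small, stdlib-only evaluator that mimics the same-account IAM decision order (explicit Deny wins, then any Allow from an identity or resource policy, otherwise implicit Deny) and runs the post's scenarios through it: Sanjay's user policy, the inline DynamoDB policy from the Inline Policy section, and the ml/ and nlp/ bucket policy above. It goes one step beyond the post's bucket policy by adding the s3:ListBucket statement each user needs to list "their" folder: listing is a bucket-level action, so it has to target the bucket ARN and be narrowed with an s3:prefix condition, or user1 could list everything or nothing. On "Principal": it takes a list of user or role ARNs, but an IAM group is not a valid principal in a resource policy, so covering several users means listing each user's ARN (or giving them a role). The account id 111122223333 is the post's sample; the table name, region and object keys are constructed.

```python
"""Added example, not from the original post: a simplified, stdlib-only IAM policy
evaluator. Modelled: Action, Resource, Principal, StringEquals/StringLike conditions.
Not modelled: NotAction/NotResource, SCPs, permission boundaries, session policies."""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # sample account id, the same one the post's bucket policy uses


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ignore_case=False):
    """IAM-style wildcard match: '*' matches any run of characters, '?' one character."""
    if ignore_case:
        patterns, value = [p.lower() for p in _as_list(patterns)], value.lower()
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(stmt, context):
    """Every condition key must hold; a key missing from the request context fails."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator not in ("StringEquals", "StringLike"):
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if key not in context:
                return False
            if operator == "StringEquals" and context[key] not in _as_list(expected):
                return False
            if operator == "StringLike" and not _matches(expected, context[key]):
                return False
    return True


def _applies(stmt, principal, action, resource, context, is_resource_policy):
    if is_resource_policy:  # identity policies carry no Principal: they bind to their owner
        principals = stmt.get("Principal", {})
        allowed = ["*"] if principals == "*" else _as_list(principals.get("AWS", []))
        if not _matches(allowed, principal):
            return False
    return (_matches(stmt.get("Action", []), action, ignore_case=True)  # action names: case-insensitive
            and _matches(stmt.get("Resource", []), resource)             # ARNs: case-sensitive
            and _conditions_hold(stmt, context))


def evaluate(principal, action, resource, identity_policies, resource_policy=None, context=None):
    """Return 'Allow' or 'Deny' for one request made by `principal`."""
    policies = [(p, False) for p in identity_policies]
    if resource_policy:
        policies.append((resource_policy, True))
    allowed = False
    for policy, is_resource in policies:
        for stmt in _as_list(policy["Statement"]):
            if _applies(stmt, principal, action, resource, context or {}, is_resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"          # an explicit deny always wins
                allowed = True
    return "Allow" if allowed else "Deny"  # nothing allowed it: implicit deny


# --- constructed sample policies following the post's scenarios ---------------------------
SANJAY = f"arn:aws:iam::{ACCOUNT}:user/sanjay"
USER1, USER2 = (f"arn:aws:iam::{ACCOUNT}:user/user{n}" for n in (1, 2))
TABLE = f"arn:aws:dynamodb:ap-south-1:{ACCOUNT}:table/learning-table"  # constructed
BUCKET = "arn:aws:s3:::my-bucket"
# Sanjay's user policy: EC2, S3 and VPC (VPC API calls live under the ec2: namespace).
SANJAY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}
# Inline policy for his temporary DynamoDB access: read-only and limited to one table.
SANJAY_INLINE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query", "dynamodb:Scan"],
     "Resource": TABLE}]}


def folder_statements(user_arn, folder):
    """The post's per-folder grant plus the ListBucket statement it needs: listing is a
    bucket-level action, so it targets the bucket ARN and is narrowed with s3:prefix."""
    return [
        {"Effect": "Allow", "Principal": {"AWS": user_arn}, "Action": "s3:*",
         "Resource": f"{BUCKET}/{folder}/*"},
        {"Effect": "Allow", "Principal": {"AWS": user_arn}, "Action": "s3:ListBucket",
         "Resource": BUCKET, "Condition": {"StringLike": {"s3:prefix": [f"{folder}/*"]}}},
    ]


BUCKET_POLICY = {"Version": "2012-10-17",
                 "Statement": folder_statements(USER1, "ml") + folder_statements(USER2, "nlp")}


def demo():
    """Decisions for the post's scenarios, keyed by a short label."""
    return {
        "sanjay launches EC2": evaluate(SANJAY, "ec2:RunInstances", "*", [SANJAY_POLICY]),
        "sanjay reads DynamoDB, no inline yet": evaluate(SANJAY, "dynamodb:GetItem", TABLE, [SANJAY_POLICY]),
        "sanjay reads DynamoDB, inline added": evaluate(SANJAY, "dynamodb:GetItem", TABLE, [SANJAY_POLICY, SANJAY_INLINE]),
        "sanjay deletes from DynamoDB": evaluate(SANJAY, "dynamodb:DeleteItem", TABLE, [SANJAY_POLICY, SANJAY_INLINE]),
        "user1 reads ml/": evaluate(USER1, "s3:GetObject", f"{BUCKET}/ml/train.csv", [], BUCKET_POLICY),
        "user1 reads nlp/": evaluate(USER1, "s3:GetObject", f"{BUCKET}/nlp/corpus.txt", [], BUCKET_POLICY),
        "user1 lists ml/": evaluate(USER1, "s3:ListBucket", BUCKET, [], BUCKET_POLICY, {"s3:prefix": "ml/"}),
        "user1 lists nlp/": evaluate(USER1, "s3:ListBucket", BUCKET, [], BUCKET_POLICY, {"s3:prefix": "nlp/"}),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print(f"{decision:5}  {label}")
```

Run it and the output reads off the post's rules directly: Sanjay can launch EC2 but DynamoDB stays denied until the inline policy is attached, and even then only the three read actions pass; user1 can read and list ml/ but gets an implicit deny on nlp/ because no statement names that combination. Before trusting a real policy, check it the same way with the IAM policy simulator, which applies the full rule set this toy leaves out.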

Final Words

This blog is my personal IAM notes, written after I struggled to understand it and finally cracked it with real-world examples.

Hope it helps fellow beginners and AWS learners.

Happy Learning, Happy Securing ..!
