🔐 Mastering AWS IAM: How to Control EC2 Access Like a Pro [Part-5]
Suvrajeet Banerjee


Publish Date: Jul 14

Ever wondered how tech companies ensure their interns can't accidentally shut down or DELETE 😁 production servers? The answer lies in AWS IAM—and today, you'll master it.


🚨 The Problem Every Developer Faces

Picture this: You're scaling your application for the holiday season rush. Traffic is about to spike 10x, and you need additional EC2 instances running. But here's the catch—you're also onboarding a new team member who needs access to test environments without touching production.

One wrong click, and your live application could go whoosh😢.

Sound familiar? Welcome to the world of cloud security, where AWS Identity and Access Management (IAM) becomes your best friend.


🎯 What You'll Build Today

[Figure: AWS IAM architecture diagram]

By the end of this tutorial, you'll have:

  • Two EC2 instances: one for production, one for development.
  • A bulletproof IAM policy that restricts access based on environment tags.
  • A dedicated IAM user with limited permissions.
  • Hands-on testing to verify everything works as expected.


🚀 Step 1: Launch Your EC2 Instances

First, let's create the infrastructure we'll be securing. We'll launch two instances with different environment tags.

Creating the Production Instance

  1. Navigate to EC2 Console

    • Open your AWS Management Console.
    • Search for "EC2" in the services search bar.
    • Switch to your preferred region.
  2. Launch Your First Instance

    • Click "Launch instance."
    • Configure the following:
      Name: web-server-prod
  3. Add Environment Tags

    • Click "Add additional tags"
    • Create a new tag:
      • Key: Env
      • Value: production
  4. Configure Basic Settings

    • Choose a Free tier eligible AMI (Amazon Machine Image), e.g. Amazon Linux.
    • Select a Free tier eligible instance type.
    • For Key pair: Select "Proceed without a key pair".
  5. Launch the Instance

Creating the Development Instance

Repeat the same process, but this time with these modifications:

Name: web-server-dev
Tag Key: Env
Tag Value: development

🎉 Checkpoint: You now have two instances with different environment tags!


🛡️ Step 2: Create a Bulletproof IAM Policy

Now comes the magic—creating a policy that allows access to development resources while blocking production access.

Understanding the Policy Structure

Navigate to IAM → Policies → Create policy, then switch to JSON editor and paste this policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/Env": "development"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": [
        "ec2:DeleteTags",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}

🔍 Policy Breakdown

Statement 1: Allows all EC2 actions, but only on resources tagged with Env: development. A resource without an Env tag has no value for the condition key, so the condition is false and this statement does not apply to it.

Statement 2: Allows describing all EC2 resources (needed for console navigation). The ec2:Describe* actions do not support resource-level permissions or tag conditions, so they need this unconditional Allow.

Statement 3: Denies creating and deleting tags, so the user cannot change the Env tag that Statement 1 keys its decisions on. An explicit Deny wins over every Allow, including the ec2:* in Statement 1, which is why it closes this privilege-escalation path.

Policy Details:

  • Name: DevEnvironmentPolicy
  • Description: IAM Policy for development environment access
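To see how the three statements combine, here is a small local walk-through of the IAM evaluation rules this policy relies on: case-insensitive action wildcards, the ec2:ResourceTag condition, and the rule that an explicit Deny overrides any Allow while no matching Allow is an implicit deny. This is an added example, not code from the original post and not AWS's evaluation engine; it models only what the policy above uses (every statement has Resource "*", so resource matching is skipped), and the instance ids and tags are constructed sample data. It reproduces the outcomes of Security Test 1 and 2 from Step 5 before you touch the console.

```python
import fnmatch

# The DevEnvironmentPolicy from Step 2, as a Python dict.
DEV_ENVIRONMENT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}},
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
    ],
}

# Constructed sample inventory: the two instances from Step 1 plus an untagged
# one, keyed by a placeholder instance id and mapped to its tags.
SAMPLE_INSTANCES = {
    "i-prod-example": {"Env": "production"},
    "i-dev-example": {"Env": "development"},
    "i-untagged-example": {},
}


def _action_matches(pattern, action):
    """IAM Action matching: case-insensitive, '*' is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, resource_tags):
    """Evaluate a Condition block against the resource's tags.

    Only StringEquals on ec2:ResourceTag/<Key> is modelled, which is all the
    policy above uses. A resource without the tag has no value for the key,
    so the condition is false and the statement simply does not apply.
    """
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            tag_key = key[len("ec2:ResourceTag/"):]
            if resource_tags.get(tag_key) != expected:
                return False
    return True


def evaluate(policy, action, resource_tags):
    """Return 'allowed', 'explicitDeny' or 'implicitDeny'.

    Same vocabulary the IAM Policy Simulator reports. Every statement in this
    policy uses Resource "*", so resource matching is not modelled.
    """
    allowed = False
    for statement in policy["Statement"]:
        actions = statement["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if not any(_action_matches(p, action) for p in actions):
            continue
        if not _condition_holds(statement.get("Condition", {}), resource_tags):
            continue
        if statement["Effect"] == "Deny":
            return "explicitDeny"  # an explicit Deny overrides every Allow
        allowed = True
    return "allowed" if allowed else "implicitDeny"


def run_security_tests(policy=DEV_ENVIRONMENT_POLICY, instances=SAMPLE_INSTANCES):
    """Security Test 1 and 2 from Step 5, plus Describe and tagging checks."""
    actions = ("ec2:StopInstances", "ec2:DescribeInstances", "ec2:CreateTags")
    return {
        (action, instance_id): evaluate(policy, action, tags)
        for action in actions
        for instance_id, tags in instances.items()
    }


if __name__ == "__main__":
    for (action, instance_id), decision in sorted(run_security_tests().items()):
        print(f"{action:22} {instance_id:20} {decision}")
```

Running it shows StopInstances allowed only on the development instance, DescribeInstances allowed everywhere (Statement 2), and CreateTags reported as explicitDeny even on the development instance, where Statement 1 would otherwise have allowed it.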

👥 Step 3: Set Up User Groups and Users

Create the User Group

  1. Navigate to IAM → User groups → Create group
  2. Configure Group:
    • Name: dev-team-group
    • Attach policies: Select DevEnvironmentPolicy

Create the IAM User

  1. Navigate to IAM → Users → Create user
  2. User Configuration:
     Username: dev-team-member
     ☑️ Provide user access to AWS Management Console
     ☐ Users must create new password at next sign-in
  3. Add to Group: Select dev-team-group

💡 Pro Tip: In production, always require password changes on first login!


🔧 Step 4: Create an Account Alias

Make login easier for your team by creating a friendly account alias.

  1. Navigate to IAM → Dashboard
  2. Create Account Alias:
   Alias: your-company-aws-dev

This changes your sign-in URL from:

https://123456789.signin.aws.amazon.com/console/

To:

https://your-company-aws-dev.signin.aws.amazon.com/console/

🧪 Step 5: Test Your Security Configuration

[Figure: security testing visualization]

Time to verify everything works as expected!

Testing as the IAM User

  1. Open an incognito window
  2. Navigate to your custom sign-in URL
  3. Log in with your IAM user credentials

Security Test 1: Try to Stop Production Instance

  1. Navigate to EC2 → Instances
  2. Select your production instance
  3. Actions → Instance state → Stop

Expected Result: ❌ Access denied error

Security Test 2: Try to Stop Development Instance

  1. Select your development instance
  2. Actions → Instance state → Stop

Expected Result: ✅ Instance stops successfully


🎯 Advanced: Using IAM Policy Simulator

For faster permission testing, use the IAM Policy Simulator:

  1. Navigate to IAM → Policy Simulator
  2. Select your user: dev-team-member
  3. Test actions: Try ec2:StopInstances on both instances
  4. View results: See permissions without actually performing actions
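The same two checks can be scripted against the simulator API so they run on every policy change instead of by hand. This is an added example, not code from the original post: it assumes boto3 and credentials allowed to call iam:SimulateCustomPolicy, and the instance ARNs are constructed placeholders (replace <region>, <account-id> and the instance ids with your own). One caveat the console hides: the simulator does not read the instance's real tags, so the ec2:ResourceTag/Env value must be supplied as a context entry, exactly as you would fill in the condition settings in the console. The IAM client is passed in so the logic can be exercised without network access.

```python
import json

# The DevEnvironmentPolicy from Step 2, serialised as the API expects it.
DEV_ENVIRONMENT_POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Env": "development"}},
        },
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteTags", "ec2:CreateTags"], "Resource": "*"},
    ],
})

# Constructed placeholder ARNs for the two instances from Step 1.
PROD_ARN = "arn:aws:ec2:<region>:<account-id>:instance/i-prod-example"
DEV_ARN = "arn:aws:ec2:<region>:<account-id>:instance/i-dev-example"
INSTANCE_ENV_TAGS = {PROD_ARN: "production", DEV_ARN: "development"}

# What Security Test 1 and 2 expect, in the simulator's own vocabulary,
# plus the tagging Deny from Statement 3.
EXPECTED_DECISIONS = {
    ("ec2:StopInstances", PROD_ARN): "implicitDeny",
    ("ec2:StopInstances", DEV_ARN): "allowed",
    ("ec2:CreateTags", PROD_ARN): "explicitDeny",
    ("ec2:CreateTags", DEV_ARN): "explicitDeny",
}


def build_request(policy_json, action, instance_arn, env_tag):
    """Parameters for IAM.Client.simulate_custom_policy for one action/resource.

    The tag is passed as a context entry because the simulator evaluates the
    condition key from the supplied context, not from the live resource.
    """
    return {
        "PolicyInputList": [policy_json],
        "ActionNames": [action],
        "ResourceArns": [instance_arn],
        "ContextEntries": [
            {
                "ContextKeyName": "ec2:ResourceTag/Env",
                "ContextKeyValues": [env_tag],
                "ContextKeyType": "string",
            }
        ],
    }


def simulate(iam_client, policy_json=DEV_ENVIRONMENT_POLICY_JSON,
             instance_env_tags=INSTANCE_ENV_TAGS,
             actions=("ec2:StopInstances", "ec2:CreateTags")):
    """Return {(action, instance_arn): decision} as reported by the simulator."""
    decisions = {}
    for instance_arn, env_tag in instance_env_tags.items():
        for action in actions:
            request = build_request(policy_json, action, instance_arn, env_tag)
            response = iam_client.simulate_custom_policy(**request)
            for result in response["EvaluationResults"]:
                decisions[(result["EvalActionName"], instance_arn)] = result["EvalDecision"]
    return decisions


def mismatches(decisions, expected=EXPECTED_DECISIONS):
    """Pairs whose simulated decision differs from the expectation (empty means pass)."""
    return {key: decisions.get(key) for key, want in expected.items()
            if decisions.get(key) != want}


if __name__ == "__main__":
    import boto3  # only needed for a live run against your account

    failures = mismatches(simulate(boto3.client("iam")))
    print("all checks passed" if not failures else f"unexpected decisions: {failures}")
```

simulate_custom_policy evaluates only the policy text you pass in. To test what dev-team-member can actually do once group membership and any other attached policies are taken into account, the equivalent call is simulate_principal_policy with PolicySourceArn set to the user's ARN, which is what the console simulator does when you pick a user.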

🧹 Step 6: Clean Up Resources

Always clean up to avoid charges:

Delete EC2 Instances

  1. Terminate both production and development instances

Delete IAM Resources

  1. Remove user from group
  2. Delete the IAM user
  3. Delete the user group
  4. Delete the custom policy
  5. Remove account alias

🎉 What You've Accomplished

You've just built a production-ready security system that:

🔒 Restricts access based on environment tags

🏷️ Uses resource tagging for granular control

👥 Implements group-based permissions for scalability

🧪 Includes testing strategies for verification


🚀 Next Steps

Ready to level up your AWS security game?

🔍 Explore cross-account access with IAM roles

📊 Implement CloudTrail for audit logging

🛡️ Set up MFA for additional security layers

🎯 Learn about service-linked roles for AWS services


💡 Key Takeaways

AWS IAM isn't just about restricting access—it's about enabling teams to work efficiently while maintaining security. The combination of resource tags, conditional policies, and user groups creates a powerful, scalable security model.

Remember: Security is not a feature you add later—it's a foundation you build upon.


📚 Concluding Part 5 ✅ This blog post marks the end of the AWS Beginners Learning Journey series!


🙏 Acknowledgments

This learning journey was powered & supported by NextWork's structured approach to cloud education, which made breaking down complex concepts into digestible, byte-sized, hands-on practice accessible through systematic skill building & clear, actionable steps.

This blog is based on - NextWork's ⏩ Cloud Security with AWS IAM!



✨ Let's build epic cloud projects together & transform our Cloud Computing skills!

  • Found this tutorial helpful? Drop a comment below and share your IAM security wins! 🚀

Connect with me:- https://www.linkedin.com/in/suvrajeet
E-mail for improvements:- banerjee@suvrajeet.me

See you in the cloud! ☁️

