- AWS Identity and Access Management (IAM)
- is the service that controls who can access what in your AWS account.
- It’s the foundation of AWS security.
Core Concepts
1. IAM Users
- What: Individual identities (people or applications) that can access AWS resources
- Use case: Long-term access for specific people or services
- Example:
alan-adminuser for your personal AWS access
2. IAM Groups
- What: Collections of IAM users
- Use case: Apply permissions to multiple users at once
- Example: “Developers” group with S3 read/write access
3. IAM Roles
- What: Temporary credentials that can be assumed by users, services, or applications
- Use case: Grant permissions without sharing long-term credentials
- Key difference: Roles are assumed temporarily; users have permanent credentials
- Example: EC2 instance role, Lambda execution role, cross-account access
4. IAM Policies
- What: Documents that define permissions (what actions are allowed/denied on which resources)
- Two types:
- Identity-based policies: Attached to users, groups, or roles
- Resource-based policies: Attached to resources (e.g., S3 bucket policies)
5. Policy Structure
IAM policies are JSON documents with this structure:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow", // or "Deny"
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket/*"
}
]
}6. Access Keys
- What: Long-term credentials (Access Key ID + Secret Access Key) for programmatic access
- Use case: AWS CLI, SDKs, API calls
- Security: Store securely, rotate regularly, never commit to code
7. Root Account
- What: The email/password used to create your AWS account
- Best practice: Never use for daily operations; enable MFA; use only for account management
Key Principles
1. Least Privilege
- Grant only the minimum permissions needed
- Start restrictive, add permissions as needed
2. Separation of Duties
- Different users/roles for different tasks
- Example: Developer role vs. Admin role
3. Shared Responsibility
- AWS manages IAM infrastructure
- You manage who has access and what permissions
Common IAM Patterns
Pattern 1: User with Access Keys (CLI/SDK)
- Create IAM user
- Generate access keys
- Configure AWS CLI/SDK
- Use case: Local development, CI/CD pipelines
Pattern 2: IAM Role for EC2/ECS/Lambda
- Create IAM role with permissions
- Attach role to service
- Service automatically gets temporary credentials
- Use case: Applications running on AWS infrastructure
Pattern 3: Cross-Account Access
- Create role in Account B
- Allow Account A to assume the role
- Use case: Centralized management, shared resources
Pattern 4: Role Assumption
- User assumes a role temporarily
- Gets temporary credentials (STS)
- Use case: Elevated permissions for specific tasks
AWS Managed Policies vs. Custom Policies
AWS Managed Policies
- Pre-built by AWS
- Examples:
AmazonS3FullAccess,AmazonEC2ContainerRegistryPowerUser - Pros: Quick setup, well-tested
- Cons: Often too permissive (not least privilege)
Custom Policies
- You create them
- Pros: Precise permissions, follows least privilege
- Cons: More work, need to maintain
Security Best Practices
- ✅ Enable MFA for root account and privileged users
- ✅ Use IAM roles instead of access keys when possible (for AWS services)
- ✅ Rotate access keys regularly (every 90 days)
- ✅ Use least privilege - grant minimum necessary permissions
- ✅ Monitor with CloudTrail - track who did what
- ✅ Delete unused credentials - remove old access keys
- ✅ Use groups - manage permissions at group level, not individual users
- ✅ Review permissions regularly - use IAM Access Analyzer
Practical Guide: Setting Up IAM for AWS CLI
Step 1: Create IAM User and Access Key
Create Access Key for IAM User (e.g., alan-admin)
-
Navigate to IAM Console:
- Go to: IAM → Users → alan-admin → Security credentials → Create access key
-
Save the access keys securely:
- Access Key ID: Save this immediately
- Secret Access Key: Save this immediately (you won’t be able to view it again)
Step 2: Configure IAM Permissions for ECR
Attach ECR Permissions to IAM User
For push/pull Docker images, attach an AWS managed policy:
- Recommended:
AmazonEC2ContainerRegistryPowerUser(most commonly used) - Advanced: Create custom policy for specific repository access (for later)
Step 3: Configure AWS CLI
Default Profile Configuration
Configure AWS CLI with your region (e.g., us-west-1):
aws configureWhen prompted, enter:
- AWS Access Key ID: Your newly created Access Key ID
- AWS Secret Access Key: Your newly created Secret Access Key
- Default region name:
us-west-1 - Default output format:
json
Named Profile Configuration
To use a named profile (e.g., alan):
aws configure --profile alanEnter the same information:
- AWS Access Key ID: Your alan AccessKey
- AWS Secret Access Key: Your alan SecretKey
- Default region name:
us-west-1 - Default output format:
json
List Configured Profiles
aws configure list-profilesManual Credentials File Editing
You can also manually edit the credentials file:
nano ~/.aws/credentialsStep 4: Verify Configuration
Verify Identity
Check that your AWS identity is correctly configured:
aws sts get-caller-identityThis should return your IAM user details.
Step 5: ECR Login
Docker Login to ECR
After configuring AWS CLI, authenticate Docker with ECR:
aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin <your-ecr-registry-url>Or for a specific registry:
aws ecr get-login-password --region us-west-1 | docker login --username AWS --password-stdin <account-id>.dkr.ecr.us-west-1.amazonaws.comSummary Checklist
- ✅ Understand IAM core concepts (Users, Groups, Roles, Policies)
- ✅ Know the difference between identity-based and resource-based policies
- ✅ Understand when to use roles vs. users
- ✅ Create IAM user access key
- ✅ Save access keys securely
- ✅ Attach ECR permissions to IAM user
- ✅ Configure AWS CLI (default or named profile)
- ✅ Verify identity
- ✅ Login to ECR with Docker
- ✅ Follow security best practices