Skip to content

Key Points#

AWS IAM is the central point from which you control access to your AWS accounts, resources, and more. It's critical to have a decent understanding of IAM's most fundamental concepts otherwise you will struggle to operate inside of an AWS environment. Everything is permitted by IAM, so everything you do (at some point) involves IAM.

Here are the key points to take away from this section:


An IAM Principal is a human or a computer that can make requests to AWS (via the console or API) and attempt to perform actions against resources inside of an account. IAM Users are principals.


An IAM User represents a person or a computer/application inside of your AWS account (or accounts) that acts as a principal, and can therefore make requests for resources and more.


IAM Groups are how we identify a collection of users under a particular name. You can include IAM Users inside of groups and then you can attach policies to that group, giving everyone in the group the permissions defined inside of the group (whether they're Allow or Deny)


An IAM Policy is how we define a set of permissions, either to permit or deny something, inside of an account (or across accounts). Policies are written in a JSON based syntax and are then attached to Groups or Roles


IAM Roles are "assumed" by humans, AWS services, and more, and are used to temporarily assign permissions to the Principal that assumed the role. When a role is assumed, the Principal's previous permissions are dropped and the role's permissions take precedence.

Programmatic Access

Humans use the AWS web console to interact with AWS, but applications need something that they can communicate with in a way that's workable. APIs allow this, and AWS IAM permits us to allow "programmatic access" to an IAM User by creating access keys. With these keys, we can authenticate our access to the API.

Now use this understanding to complete the self-assessment.