IAM from Zero: identity before infrastructure
📑 On this page
Part 4 of AWS from Zero. IAM is where AWS beginners should slow down.
IAM means Identity and Access Management. It answers four questions:
- Who are you?
- What are you allowed to do?
- Which resources can you touch?
- Under what conditions?
Every AWS CLI command is evaluated through IAM. Even a simple command like this:
aws s3 lsis really asking, "Does this identity have permission to list buckets?"
Users, groups, roles, and policies
The beginner model:
- User: a long-lived identity, often for a human or legacy automation.
- Group: a collection of users.
- Role: an identity that can be assumed temporarily.
- Policy: JSON permissions attached to users, groups, or roles.
Modern AWS usage prefers roles and temporary credentials where possible. But understanding users still helps because many beginner setups start there.
Inspect your current identity
Run:
aws sts get-caller-identityIf the Arn includes user/, you are using an IAM user:
arn:aws:iam::123456789012:user/dhayalIf it includes assumed-role/, you are using temporary role credentials:
arn:aws:sts::123456789012:assumed-role/Admin/session-nameThat difference matters because permissions may come from different places.
List IAM users
If your identity has permission:
aws iam list-users \
--query "Users[].{UserName:UserName,Created:CreateDate}" \
--output tableIf you get AccessDenied, that is not failure. That is IAM doing its job.
Read a policy shape
IAM policies are JSON. Here is a tiny read-only example:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:ListAllMyBuckets"],
"Resource": "*"
}
]
}The shape is always about:
Effect: allow or denyAction: what API callsResource: which resourcesCondition: optional extra rules
Least privilege
Least privilege means the identity gets only the permissions needed for the task.
For learning, it is tempting to use AdministratorAccess forever. That is convenient, but it hides how AWS security really works.
A better learning path:
- Use admin access only to bootstrap.
- Create smaller policies for lessons.
- Notice exactly which API action a command needs.
- Remove credentials you no longer use.
Safety checkpoint
Before continuing the series, run:
aws sts get-caller-identity
aws configure listKnow your account, region, and profile before creating anything.
In part 5, we set up cost and cleanup habits before touching services that can create billable resources.