← All posts
3 min read

IAM from Zero: identity before infrastructure

#aws#iam#security#cli
📑 On this page

Part 4 of AWS from Zero. IAM is where AWS beginners should slow down.

IAM means Identity and Access Management. It answers four questions:

  • Who are you?
  • What are you allowed to do?
  • Which resources can you touch?
  • Under what conditions?

Every AWS CLI command is evaluated through IAM. Even a simple command like this:

aws s3 ls

is really asking, "Does this identity have permission to list buckets?"

Users, groups, roles, and policies

The beginner model:

  • User: a long-lived identity, often for a human or legacy automation.
  • Group: a collection of users.
  • Role: an identity that can be assumed temporarily.
  • Policy: JSON permissions attached to users, groups, or roles.

Modern AWS usage prefers roles and temporary credentials where possible. But understanding users still helps because many beginner setups start there.

Inspect your current identity

Run:

aws sts get-caller-identity

If the Arn includes user/, you are using an IAM user:

arn:aws:iam::123456789012:user/dhayal

If it includes assumed-role/, you are using temporary role credentials:

arn:aws:sts::123456789012:assumed-role/Admin/session-name

That difference matters because permissions may come from different places.

List IAM users

If your identity has permission:

aws iam list-users \
  --query "Users[].{UserName:UserName,Created:CreateDate}" \
  --output table

If you get AccessDenied, that is not failure. That is IAM doing its job.

Read a policy shape

IAM policies are JSON. Here is a tiny read-only example:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListAllMyBuckets"],
      "Resource": "*"
    }
  ]
}

The shape is always about:

  • Effect: allow or deny
  • Action: what API calls
  • Resource: which resources
  • Condition: optional extra rules

Least privilege

Least privilege means the identity gets only the permissions needed for the task.

For learning, it is tempting to use AdministratorAccess forever. That is convenient, but it hides how AWS security really works.

A better learning path:

  1. Use admin access only to bootstrap.
  2. Create smaller policies for lessons.
  3. Notice exactly which API action a command needs.
  4. Remove credentials you no longer use.

Safety checkpoint

Before continuing the series, run:

aws sts get-caller-identity
aws configure list

Know your account, region, and profile before creating anything.

In part 5, we set up cost and cleanup habits before touching services that can create billable resources.