Deep dive into the IAM concepts and understand them with practical hands-on.

Published: (February 21, 2026 at 08:54 AM EST)
3 min read
Source: Dev.to

Introduction

In recent interviews I encountered many IAM‑related questions, including scenario‑based ones such as:

“An IAM user has FullAdmin access to the AWS account, yet they cannot access S3 buckets. What could be the reason?”

Below is a concise overview of IAM concepts with practical hands‑on notes.

IAM User

  • Represents a person, service, or application that needs access to AWS.
  • To grant access, attach IAM policies directly to the user or to a group the user belongs to.

IAM Groups

  • A collection of users that share common permissions and roles.
  • Policies attached to a group are inherited by all its members.

IAM Roles

  • Provide temporary access to users, applications, or AWS services.
  • Enhance security by limiting the duration and scope of permissions.
  • Permissions for a role are defined by attaching IAM policies to the role.

Principle of Least Privilege

Give users only the permissions they need to perform their job, and remove any unnecessary access.

IAM Policies and Permissions

  • Policies define fine‑grained control over actions on AWS resources.
  • They consist of statements that specify what resources an entity can access and what actions it can perform.

AWS Identity‑Based Policy

  • Attached to IAM users, groups, or roles.
  • Controls permissions from the identity’s perspective.

AWS Resource‑Based Policy

  • Directly attached to AWS resources (e.g., S3 bucket, RDS instance).
  • Specifies which principals (users, roles, services) can access the resource.

Example: A group named accounting is denied permission to delete an S3 bucket and its objects.

IAM Permission Boundaries

  • Used to limit the maximum permissions an IAM entity can have, even if broader policies are attached.
  • Ideal for new interns or junior staff who might otherwise receive overly permissive policies.

Scenario: An intern has a policy granting full control, but a permission boundary restricts access to only the resources they should manage.
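The interview question from the introduction and the permission-boundary scenario above follow from the same evaluation order. The following added example (not from the original post) models that order offline in Python: an explicit Deny anywhere wins, a permissions boundary caps what identity policies may grant, and otherwise a matching Allow grants. It is simplified (no SCPs, Condition blocks, session policies or cross-account rules), and the account ID, user ARN, bucket name and policies are constructed.

```python
"""Offline model of the IAM policy evaluation order (added example, not from the post).
Simplified: ignores SCPs, Condition blocks, session policies and cross-account rules."""
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, action, resource, principal):
    """True if the statement's Principal (if any), Action and Resource cover the request."""
    prin = stmt.get("Principal", "*")
    if prin != "*":
        allowed = _as_list(prin.get("AWS", []) if isinstance(prin, dict) else prin)
        if principal not in allowed and "*" not in allowed:
            return False
    return (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))

def _effects(policies, action, resource, principal):
    """Set of Effects ('Allow'/'Deny') from every statement that matches the request."""
    return {s["Effect"] for p in policies for s in p["Statement"]
            if _matches(s, action, resource, principal)}

def evaluate(action, resource, identity_policies, boundary=None, resource_policy=None,
             principal="arn:aws:iam::123456789012:user/admin"):  # constructed principal ARN
    """Explicit Deny wins; the boundary caps; any matching Allow grants; else implicit deny."""
    considered = list(identity_policies) + [p for p in (boundary, resource_policy) if p]
    if "Deny" in _effects(considered, action, resource, principal):
        return "explicit deny"
    if boundary and "Allow" not in _effects([boundary], action, resource, principal):
        return "implicit deny (outside permissions boundary)"
    granting = list(identity_policies) + ([resource_policy] if resource_policy else [])
    if "Allow" in _effects(granting, action, resource, principal):
        return "allow"
    return "implicit deny"

# Constructed policies: an AdministratorAccess-style identity policy, a bucket policy with an explicit Deny, and a boundary that never mentions S3.
ADMIN = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
BUCKET_DENY = {"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
               "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]}]}
EC2_ONLY_BOUNDARY = {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}

def interview_scenarios():
    """Why a 'FullAdmin' user can still be refused s3:GetObject on one object."""
    obj = "arn:aws:s3:::finance-reports/q1.csv"
    return {
        "no_restriction": evaluate("s3:GetObject", obj, [ADMIN]),
        "bucket_policy_deny": evaluate("s3:GetObject", obj, [ADMIN], resource_policy=BUCKET_DENY),
        "boundary_without_s3": evaluate("s3:GetObject", obj, [ADMIN], boundary=EC2_ONLY_BOUNDARY),
    }
```

Running `interview_scenarios()` shows the admin policy allowing on its own, the bucket policy's explicit Deny overriding it, and the boundary silently dropping the S3 permission.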

IAM Session Policy

  • Provides temporary, session‑specific permissions for a user or role.
  • Useful for granting short‑lived access to AWS resources.

Inline Policy

  • Embedded directly within a user, group, or role.
  • Not reusable by other entities.
  • Example: Grant a DevOps engineer temporary S3 access that expires after a defined period.

Managed Policy

  • Created and maintained by AWS (AWS‑managed) or by your organization (customer‑managed).
  • Can be attached to multiple users, groups, or roles across accounts.
  • Supports conditions to further refine when and how permissions apply.

Tags: AWS, IAM, Security, Cloud
