May 30, 2026
# IAM Deep Dive: Users, Groups and Policies

## Introduction

IAM (Identity and Access Management) controls who can access AWS resources and what actions they can perform.

## Root User

When an AWS account is created, a Root User is created with it. It has unrestricted access to everything in the account and cannot be limited by IAM policies. Best practice: do not use the Root User for everyday activities; protect it with MFA and do not create access keys for it.

## IAM Users

An IAM User represents a person or application that needs AWS access. A user authenticates with a console password and/or up to two access keys. These are long-lived credentials, so they must be rotated and audited; where possible, AWS now recommends temporary credentials obtained through roles or federation instead.

## IAM Groups

Groups help manage permissions efficiently: attach a policy to the group once and every member inherits it. Important: Groups cannot contain other groups, and a group is not a principal, so a policy cannot name a group in its Principal element.

## IAM Policies

Policies define permissions using JSON. A policy document contains one or more statements, each built from the components below.

### Understanding Policy Components

| Component | Description |
|-----------|-------------|
| Sid | Statement Identifier: an optional label that makes a statement easy to reference during audits |
| Effect | `Allow` or `Deny` |
| Action | The API operations the statement covers, such as `s3:GetObject`; wildcards (`s3:Get*`, `*`) are allowed |
| Resource | The ARN(s) of the resources affected |
| Principal | The account, user, role or service the statement applies to. It appears only in resource-based policies (bucket policies, role trust policies); identity-based policies attached to users, groups and roles omit it, because the attached identity is the principal |

Evaluation rule: an explicit `Deny` always wins, an `Allow` is required for anything to be permitted, and a request that no statement matches is implicitly denied.

## IAM Security Tools

AWS IAM provides several built-in tools to help administrators audit permissions and improve security.

### Credentials Report

The Credentials Report provides an account-wide view of IAM users (including the root user) and their credential status. It helps answer questions such as:

- Which users have passwords?
- Which users have access keys?
- When was a password last used?
- When were access keys last rotated?
- Which credentials are inactive?

The report is downloaded as a CSV file (a fresh one can be generated at most once every four hours) and is commonly used during security audits and compliance reviews.

### Access Advisor

Access Advisor shows which AWS services a user, group, or role has permission to access and when those services were last accessed. AWS tracks roughly the last 400 days, mostly at service granularity, with action-level detail only for some services. This helps identify permissions that are no longer needed. For example: a user may have permissions for S3, EC2, RDS, and Lambda. Access Advisor may show that only S3 and EC2 have been used recently. The unused RDS and Lambda permissions can then be removed to follow the principle of least privilege, after confirming with the owner that they are not needed for an infrequent task the tracking window did not capture.
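The evaluation rule stated with the policy components table above (explicit Deny over Allow, implicit deny when nothing matches) is easy to misread when checking a policy by hand. The following is an added example, not code from the original page or from AWS: a small Python evaluator for identity-based policies that matches Action and Resource with IAM wildcard semantics. The policy document, the `reports` bucket and the sample requests are constructed for the illustration. Conditions, `NotAction`/`NotResource`, permissions boundaries, SCPs and resource-based policies are part of the real evaluation and are deliberately not modelled.

```python
import re

# Constructed example policy (not from the page) using the components in the table above.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::reports", "arn:aws:s3:::reports/*"],
        },
        {
            "Sid": "NoSecrets",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::reports/secret/*",
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def evaluate(policy, action, resource):
    """Return (decision, sid) for one identity-based policy.

    Explicit Deny beats Allow; a request no statement matches is an implicit deny.
    Action names are compared case-insensitively, resource ARNs case-sensitively.
    Conditions, NotAction/NotResource, permissions boundaries, SCPs and resource
    policies are not modelled here (see the AWS policy evaluation logic for those).
    """
    decision, sid = "ImplicitDeny", None
    for stmt in policy["Statement"]:
        if not any(iam_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"])):
            continue
        if not any(iam_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", stmt.get("Sid")  # the first matching Deny ends the evaluation
        decision, sid = "Allow", stmt.get("Sid")
    return decision, sid


if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::reports/2025/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::reports/secret/keys.txt"),
        ("s3:PutObject", "arn:aws:s3:::reports/2025/q1.csv"),
    ]:
        print(action, resource, "->", evaluate(EXAMPLE_POLICY, action, resource))
```

Running it shows the three outcomes a reviewer needs to recognise: a plain read is allowed by `ReadReports`, a read under `secret/` is denied by `NoSecrets` even though `ReadReports` also matches, and `s3:PutObject` is implicitly denied because no statement allows it. For real policies, use the IAM policy simulator (`iam:SimulatePrincipalPolicy`), which applies the full evaluation logic including conditions and boundaries.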
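Both tools above produce data a script can act on, so here is one added example covering the Credentials Report and Access Advisor together. It is my illustration, not code from the page or from AWS, and it runs offline against constructed data. The first half parses a credential report in the CSV shape IAM produces and flags a root user with access keys or without MFA, console passwords without MFA or unused for a long time, and access keys that are old or idle. The second half takes last-accessed entries in the shape `get_service_last_accessed_details` returns and trims an identity policy (the page's S3/EC2/RDS/Lambda example) to the services still in use. The account ID 123456789012, the user names, the 90-day threshold and the fixed audit date are all constructed.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Hypothetical fixed audit date and threshold so the run is reproducible.
NOW = datetime(2025, 1, 12, tzinfo=timezone.utc)
STALE_DAYS = 90

# Constructed sample in the shape of an IAM credential report: a subset of the real columns,
# using the report's real vocabulary (true/false, ISO 8601 dates, N/A, no_information, not_supported).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-12-02T09:10:00+00:00,false,true,2021-01-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2025-01-10T08:00:00+00:00,true,true,2024-11-01T00:00:00+00:00,2025-01-09T00:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-02-01T00:00:00+00:00,false,true,2021-05-01T00:00:00+00:00,2022-08-01T00:00:00+00:00,true,2024-12-01T00:00:00+00:00,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,N/A,false,true,2023-09-01T00:00:00+00:00,2025-01-11T00:00:00+00:00,false,N/A,N/A
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean no date."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def is_stale(ts, now=NOW, days=STALE_DAYS):
    """A missing date counts as stale: never used or never rotated is the worst case."""
    return ts is None or now - ts > timedelta(days=days)

def audit_credential_report(csv_text, now=NOW):
    """Return (user, finding) pairs for risky or stale credentials in a credential report."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        if user == "<root_account>":  # root has no password_enabled value; keys and MFA matter
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                findings.append((user, "root has an active access key"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings.append((user, "console password without MFA"))
            if is_stale(parse_ts(row["password_last_used"]), now):
                findings.append((user, f"console password not used in {STALE_DAYS} days"))
        for n in ("1", "2"):  # a user can hold two access keys, e.g. during rotation
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_stale(parse_ts(row[f"access_key_{n}_last_rotated"]), now):
                findings.append((user, f"access key {n} not rotated in {STALE_DAYS} days"))
            if is_stale(parse_ts(row[f"access_key_{n}_last_used_date"]), now):
                findings.append((user, f"access key {n} not used in {STALE_DAYS} days"))
    return findings

# Constructed policy matching the page's example: S3, EC2, RDS and Lambda are granted.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Storage", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "*"},
        {"Sid": "Compute", "Effect": "Allow", "Action": ["ec2:DescribeInstances", "lambda:InvokeFunction"], "Resource": "*"},
        {"Sid": "Database", "Effect": "Allow", "Action": "rds:DescribeDBInstances", "Resource": "*"},
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

# Constructed entries in the shape of get_service_last_accessed_details()["ServicesLastAccessed"]
# (other fields omitted); LastAuthenticated is absent when the service was never used.
LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
    {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=20)},
    {"ServiceNamespace": "rds"},
    {"ServiceNamespace": "lambda", "LastAuthenticated": NOW - timedelta(days=200)},
]

def idle_services(services, now=NOW):
    """Service namespaces with no authenticated call within STALE_DAYS."""
    return {s["ServiceNamespace"] for s in services if is_stale(s.get("LastAuthenticated"), now)}

def trim_policy(policy, idle):
    """Return (trimmed copy, removed actions). Deny statements are kept whole, a bare '*' action
    is kept because it belongs to no single service, and an Allow statement left empty is dropped."""
    statements, removed = [], []
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny":
            statements.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        keep = []
        for action in actions:
            service = action.split(":", 1)[0].lower()
            if service == "*" or service not in idle:
                keep.append(action)
            else:
                removed.append(action)
        if keep:
            statements.append({**stmt, "Action": keep if len(keep) > 1 else keep[0]})
    return {**policy, "Statement": statements}, removed

if __name__ == "__main__":
    print(audit_credential_report(SAMPLE_REPORT))
    print(trim_policy(USER_POLICY, idle_services(LAST_ACCESSED)))
```

In practice the CSV comes from `aws iam generate-credential-report` followed by `aws iam get-credential-report` (the returned body is base64-encoded), and the last-accessed data from `aws iam generate-service-last-accessed-details --arn <principal>` followed by `aws iam get-service-last-accessed-details --job-id <id>`. Treat the trimmed policy as a proposal for review rather than something to apply blindly: Access Advisor cannot see a quarterly job that has not run yet, its view is mostly per service, and the `*` grants the script leaves in place are exactly the ones that most need a human look.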
## Why These Tools Matter

Both the Credentials Report and Access Advisor help improve security by:

- Identifying stale credentials
- Detecting inactive users
- Finding excessive permissions
- Supporting compliance audits
- Enforcing least-privilege access

## IAMReadOnlyAccess

This AWS managed policy lets a user view IAM resources without modifying them. It grants the `iam:Get*` and `iam:List*` actions together with the ones that generate the credentials report and last-accessed details, so it is sufficient for the audits described above while ruling out changes to users, groups or policies.

## Multi-Session Support

The AWS Management Console can hold several sign-in sessions (different accounts or roles) in one browser at the same time, each in its own tab, which makes switching between accounts easier than signing out and back in.

## Key Takeaways

- Avoid using the Root User; protect it with MFA and give it no access keys.
- Create IAM users for daily work, or better, sign in with temporary credentials through roles or federation.
- Use Groups to manage permissions.
- Policies define permissions; an explicit Deny overrides any Allow.
- Use Credentials Reports to audit IAM credentials.
- Use Access Advisor to identify and remove unused permissions.
- IAM is a global AWS service: users, groups and policies are not tied to a Region.