AWS IAM - Permissions, Password Policies and Roles

Sudheer
5 min read · Sep 12, 2023


IAM permissions

AWS Identity and Access Management (IAM) is a service that allows you to control access to AWS resources by creating and managing IAM users, groups, and roles, and by defining permissions for them. IAM permissions specify which actions users, groups, and roles are allowed or denied to perform on AWS resources.

Here are some key concepts and components related to IAM permissions:

  1. AWS Resources: These are the services and objects within AWS that you want to control access to. Examples include EC2 instances, S3 buckets, RDS databases, and more.
  2. Actions: Actions represent individual operations that can be performed on AWS resources. Examples include creating an EC2 instance, reading from an S3 bucket, or listing items in an S3 bucket.
  3. IAM Users: These are the individuals or entities that you create in AWS to represent the people or applications that interact with your AWS resources. Users can have permissions attached directly to them.
  4. IAM Groups: Groups are collections of IAM users. Instead of attaching permissions to individual users, you can attach permissions to groups, making it easier to manage permissions for multiple users with similar roles.
  5. IAM Roles: IAM roles are similar to users, but they are not associated with a specific user or group. Instead, roles are assumed by trusted entities such as AWS services, EC2 instances, or Lambda functions. Roles allow these entities to access AWS resources securely.
  6. Policies: Policies are JSON documents that define permissions. Policies can be attached to users, groups, or roles. AWS provides managed policies that cover common use cases, and you can also create custom policies to define fine-grained permissions.
  7. Permission Boundaries: These are an advanced feature of IAM that allows you to control what policies can be attached to users and roles. Permission boundaries help you delegate permissions within your organization while maintaining control over those permissions.
  8. Resource-based Policies: Some AWS resources, like S3 buckets and SQS queues, have their own policies that allow you to specify who can access those resources and what actions they can perform. These policies are separate from IAM policies but work in conjunction with them.
  9. Conditional Access: IAM allows you to add conditions to policies, making access control more flexible. You can, for example, allow access only if a specific IP address or MFA (Multi-Factor Authentication) is used.
  10. Least Privilege Principle: A best practice in IAM is to follow the principle of least privilege, which means giving users, groups, or roles only the permissions they need to perform their tasks and nothing more. This helps improve security by minimizing potential attack surfaces.

When configuring IAM permissions, you typically create policies that define the permissions you want and then attach those policies to IAM users, groups, or roles. It’s important to regularly review and audit IAM permissions to ensure that they align with your organization’s security requirements and follow best practices.

IAM password policy

AWS Identity and Access Management (IAM) allows you to define password policies to enhance the security of user passwords within your AWS account. A password policy helps enforce rules for creating strong, secure passwords and can help protect your AWS resources from unauthorized access. Here are some key aspects of AWS IAM password policies:

  1. Password Length: You can specify a minimum password length for user passwords. Longer passwords are generally more secure.
  2. Character Requirements: You can require that passwords contain a mix of different character types, such as uppercase letters, lowercase letters, numbers, and special characters.
  3. Password Expiration: You can set a maximum password age, after which users are required to change their passwords. Regularly changing passwords is a security best practice.
  4. Password Reuse: You can specify how many previous passwords a user must not reuse when setting a new password. This helps prevent users from cycling through the same passwords.
  5. Password Complexity: You can enforce password complexity requirements, such as not allowing easily guessable passwords or dictionary words.
  6. Password Policy History: IAM maintains a history of user passwords, and you can specify how many password changes are stored in history. This helps in tracking users’ password change patterns.
  7. Password Policy Lockout: You can set up account lockout policies to temporarily lock users out of their accounts after a certain number of failed login attempts. This helps protect against brute force attacks.
  8. Multi-Factor Authentication (MFA): Encourage or require the use of Multi-Factor Authentication (MFA) for added security. MFA requires users to provide two or more authentication factors to access their accounts.

Here is an example of a basic IAM password policy in JSON format:

{
  "MinimumPasswordLength": 12,
  "RequireSymbols": true,
  "RequireNumbers": true,
  "RequireUppercaseCharacters": true,
  "RequireLowercaseCharacters": true,
  "PasswordReusePrevention": 5,
  "MaxPasswordAge": 90,
  "ExpirePasswords": true,
  "HardExpiry": true
}
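As an added example, not part of the original article: a small checker that parses a password policy document like the one above, refuses duplicated keys (which json.loads would otherwise silently collapse to the last value), flags field names that are not part of the IAM PasswordPolicy type, and compares the values against a baseline. The baseline thresholds and the sample document are constructed for this example.

```python
import json

# Baseline thresholds an auditor might enforce; constructed for this example, not an AWS default.
BASELINE = {
    "MinimumPasswordLength": 12,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "PasswordReusePrevention": 5,
    "MaxPasswordAge": 90,
}
# Field names of the IAM PasswordPolicy type; anything else is a typo.
KNOWN_KEYS = set(BASELINE) | {"AllowUsersToChangePassword", "HardExpiry", "ExpirePasswords"}

# The article's policy with its duplicate keys removed (constructed sample input).
SAMPLE_POLICY = """{
  "MinimumPasswordLength": 12, "RequireSymbols": true, "RequireNumbers": true,
  "RequireUppercaseCharacters": true, "RequireLowercaseCharacters": true,
  "PasswordReusePrevention": 5, "MaxPasswordAge": 90, "ExpirePasswords": true, "HardExpiry": true
}"""


def _reject_duplicates(pairs):
    """json.loads hook: a repeated key is an error instead of silently 'last one wins'."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key}")
        seen[key] = value
    return seen


def audit_password_policy(raw_json):
    """Return a list of findings; an empty list means the policy meets BASELINE."""
    try:
        policy = json.loads(raw_json, object_pairs_hook=_reject_duplicates)
    except ValueError as exc:
        return [f"unparseable policy: {exc}"]
    findings = [f"unknown key {k} (not a PasswordPolicy field)" for k in policy if k not in KNOWN_KEYS]
    for key, want in BASELINE.items():
        have = policy.get(key)
        if have is None:
            findings.append(f"{key} not set")
        elif isinstance(want, bool):
            if have is not want:
                findings.append(f"{key} should be {want}")
        elif key == "MaxPasswordAge" and have > want:
            findings.append(f"{key}={have} exceeds {want} days")
        elif key != "MaxPasswordAge" and have < want:
            findings.append(f"{key}={have} below minimum {want}")
    return findings
```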

Task: IAM Roles

IAM Roles: IAM roles are another way to manage access to AWS resources. Roles are similar to users, but they are not associated with a specific person or account. Instead, roles are assumed by trusted entities, such as EC2 instances, Lambda functions, or other AWS services. Roles can have permissions policies attached to them, which define the specific permissions that the role is allowed to use.

Create Role named: DevOps-Users

Log in to the AWS Management Console and navigate to the IAM dashboard.

Click on “Roles” in the left-hand menu and then click on the “Create role” button.

Choose the appropriate use case for the role. For example, if you want to create a role for an EC2 instance, choose “AWS service” and then “EC2”.

Select the appropriate permissions policies for the role. You can choose from existing policies or create a custom policy.

Once the roles are created, you can assign them to individual IAM users or groups as needed and control their access to AWS resources.
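As an added example, not part of the original article: the trust policy an EC2 role like the one above receives, a permissions policy scoped to a single bucket in the least-privilege shape the first section recommends, and a reviewer function that flags Allow statements with wildcard actions or resources that carry no Condition (such as the MFA condition mentioned under conditional access) or trust statements open to any principal. The bucket name is constructed.

```python
# Trust policy for the role from the walkthrough: only the EC2 service may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy limited to one bucket (constructed name) and two read-only actions.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-config", "arn:aws:s3:::example-app-config/*"],
    }],
}


def _as_list(value):
    """IAM allows a single string or a list for Action, Resource and similar elements."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return findings for Allow statements that are wider than least privilege.

    Flags: wildcard Action ("*" or "service:*") or Resource "*" with no Condition,
    and trust statements whose Principal is "*" (any account could assume the role).
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        principal = stmt.get("Principal")
        conditioned = "Condition" in stmt
        if any(a == "*" or a.endswith(":*") for a in actions) and not conditioned:
            findings.append(f"statement {i}: wildcard Action without Condition")
        if "*" in resources and not conditioned:
            findings.append(f"statement {i}: Resource '*' without Condition")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: any principal may assume this role")
    return findings
```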

Happy Learning…

Sudheer Baraker
