Course Content
The IAM Foundation – The Basics
0/4
AWS IAM – The Guardian of Your Cloud Castle
Why IAM Forms Your First and Last Defense Line
IAM Building Blocks – Users, Groups, Roles, and Policies
Mini Quiz: Test Your Castle Knowledge
The Pillars of Identity – Roles & Responsibilities
Welcome back to your IAM journey. In Chapter 1, you learned the foundation—what IAM is and why it matters. Now we're stepping inside the castle walls to meet the residents, guilds, and guests who keep your AWS environment running. This chapter answers a critical question: who gets access, and how? Think of it as assigning keys in your castle. Some people live there permanently. Others belong to specific departments. And some just need a temporary pass to deliver supplies. Let's explore each.
0/4
AWS IAM Users Explained – Permanent Cloud Residents
AWS IAM Groups – Simplify Access with RBAC Control
AWS IAM Roles – Temporary Access for Services & Automation
Mini Quiz: Test Your Identity Wisdom
IAM Policies – The Castle Rulebook – The Rules
In Chapter 2, you built the foundation of your AWS castle by understanding identities: users, groups, and roles. You learned who lives in your castle and what roles they play. But here's the truth — identities without policies are like samurai without a code to follow. They exist, but they have no power, no direction, no permissions. Policies are the written laws of your castle. They're the rulebook that every gate guard consults before allowing someone to open a door, read a scroll, or access the treasury. When an IAM user tries to launch an EC2 instance or read from an S3 bucket, AWS doesn't guess. It reads the policies attached to that identity and makes a precise decision: allow or deny. This chapter teaches you how to read, write, and understand IAM policies. You'll learn how AWS evaluates permissions, how to choose between different policy types, and how to craft rules that follow the principle of least privilege. Think of this as learning to write the laws that govern your entire cloud kingdom.
0/4
AWS IAM Policy Basics — The Rulebook That Governs Access
AWS Managed vs Inline IAM Policies — Choosing the Right Rulebook
AWS IAM Policy Evaluation — How Permissions Are Decided
Mini Quiz – Test Your Rulebook Mastery
AWS IAM Mastery: Learn Identity & Access Management the Smart Way

Learning Objectives

  • Understand the difference between users and roles
  • Learn when to use AWS IAM roles for AWS services and automation
  • Grasp the concept of temporary security credentials

The Traveling Merchant

A merchant arrives at your castle gate. He’s not a resident—he doesn’t live here. He just needs temporary access to the marketplace to sell his goods.

You don’t give him a permanent key. You give him a guest pass that expires at sundown.

That’s an AWS IAM role.

Roles are for temporary access. They don’t have permanent credentials like passwords or access keys. Instead, they issue temporary security credentials that expire after a set time (usually 1-12 hours).

When Roles Beat Users

Use roles for:

AWS Services – Your EC2 instance needs to access S3
Cross-Account Access – A partner company needs limited access to your account
Federated Users – Employees logging in through Google Workspace or Okta
CI/CD Pipelines – GitHub Actions deploying infrastructure via Terraform

Never do this: Create an IAM user called “jenkins-bot,” generate access keys, and hardcode them in your pipeline. Those keys live forever and can be stolen.

Do this instead: Create a role, attach it to your EC2 instance or pipeline, and let AWS handle temporary credentials automatically.

The EC2-to-S3 Pattern

This is the most common role scenario in DevOps. Your application runs on EC2 and needs to read files from S3.

First, create the role:

bash

aws iam create-role \
  --role-name ec2-s3-read-role \
  --assume-role-policy-document file://trust-policy.json

The trust policy (saved as trust-policy.json) says “EC2 can assume this role”:

json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then attach a permission policy:

bash

aws iam attach-role-policy \
  --role-name ec2-s3-read-role \
  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

This single line connects the role to actual permissions—now the role can read S3 buckets.

Finally, attach the role to your EC2 instance. Now your application code can access S3 without storing any credentials in code or environment variables. AWS handles everything behind the scenes.

Why Automation Loves Roles

In modern DevOps, humans rarely deploy infrastructure manually. GitHub Actions, Jenkins, Terraform Cloud—these tools do the work.

If you use IAM users for automation, you’re storing long-lived credentials somewhere. That’s a security risk. Credentials get committed to Git repos, left in CI/CD logs, or accidentally shared in Slack.

Roles solve this. GitHub Actions can assume an AWS role, get temporary credentials, deploy your infrastructure, and then those credentials expire. No secrets to manage.

This is how mature DevOps teams work: humans use users with MFA, machines use roles with temporary credentials.

Reflection: Think about your current setup. Where are you using IAM users that should be roles?

Previous
Next