AWS IAM Users and Groups along with Permissions

AWS Identity Access Management (IAM):

IAM is a global service not required to select any region, it works across the global same way no restriction on any region. You can see in the right corner of AWS console in the region selection it’s labeled as “Global“.
Note: A root account is created automatically when you sign up for AWS. It shouldn’t be used for daily operations and shouldn’t be shared.
AWS can be accessed with user accounts and can be part of groups. AWS allows creating users not part of any group and it’s NOT a best practice.
An AWS group can contain users, but NOT other groups. For example, a group called Developers let’s say users Penny, Leonard, and Amy part of the Developers group, and Raj, Sheldon, and Howard are part of the Operations group. One more thing AWS users can be part of multiple groups as well. Let’s say Amy and Sheldon are part of the Audit team.

AWS IAM Users and groups

Where Koti is a user who is not part of any user group but can have his own permissions. Each group can have it’s own permissions.


  • In AWS Users and Groups can be assigned JSON documents called policies
  • These policies define user permissions
  • In AWS you apply the least privilege principle, Don’t give permission more than the user needs. 
Below is an example:
Where “*” all resources of the action if you specify “*” under the Resource
    "Version": "2012-10-17",
    "Statement": [
            "Effect": "Allow",
            "Action": "cloudtrail:GetTrail",
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": "*"
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Effect": "Allow",
            "Action": [
            "Resource": [
            "Condition": {
                "StringLike": {
                    "kms:ViaService": "s3.*"

IAM Policy structure:

The policy JSON consists of the Policy version, ID and statement

Policy version is the policy language version ex: “Version”: “2012-10-17”,

Statement is one or more individual statements consisting of definition of the policy


The statement consists of Effect, Action, Resource, and sometimes Condition

  • The effect contains what is the effect on the action items such as “Allow” “Deny”
  • Action defines what type of operations or actions can the user person on a service. for example, get users list, create user
  • The resource is nothing but the AWS service there are many services AWS offers each one is a resource that user can do operate on them.
  • The condition is to specify what specific condition the user can do these operations on a service. These conditions are handy when you want to restrict users specific to certain project-specific within a service.

AWS Roles for Services:

aws roles for services

AWS roles are used to person actions on behalf of user by an AWS service. For example, an AWS Ec2 instance wanted to person an operation using AWS Service, and it requires permission to do so, for that purpose, we use AWS roles for service.


To access AWS from CLI you need to create an access key

  • To create access key naviage to IAM and users
  • Select the user you want to create an access key an click on “Security credentials” tab
  • Click on create access key button
  • It’s only once shows on the screen take note of both ID and secret and download the .csv file
    • aws access key
  • Go to AWS CLI and hit aws configure
  • AWS Access Key ID [None]: <AWS ID>
  • AWS Secret Access Key [None]: <KEY>
  • Default region name [None]: us-east-1 <AWS region>
  • Default output format [None]: 

Now you should be able to access AWS from the console.

Hit aws iam list-users to list all the users (Note: Only if the logged in user has read access to IAM then only will list any users)

    "Users": [
            "Path": "/",
            "UserName": "kotidev",
            "UserId": "AIDAYLD5AZIMMIFSFPTWP",
            "Arn": "arn:aws:iam::574110091800:user/kotidev",
            "CreateDate": "2022-06-22T23:40:36+00:00",
            "PasswordLastUsed": "2022-11-13T16:06:39+00:00"

To open the Cloudshell command on the web browser login into AWS and click on the command line button in the top right corner

AWS CloudShell CLI

or open:

IAM Security tools:

  • IAM Credential report (account-level) – A report that contains list of users and their account status
  • IAM Access Adviser (user-level) – The report shows the user’s permission granted to services and shows the least used services.

credential report of aws IAMAWS IAM access advisor

It helps to decide administrators to remove unwanted user permissions and maintain the thumb rule of

“Provide least privileges to any user that required for user certain operation on AWS”

Best practice


  • AWS SDK is a software development kit that enabled developers to embed AWS services within their applications.
  • It enabled you programmatically connect and control AWS services.
  • It supports multiple languages (python, Javascript, java… etc.) and provides language-specific APIs
  • Example AWS CLI built on the AWS SDK for python.

IAM Best practices

  • One user one account
  • Do NOT use the root account.
  • Assign users to groups and assign permission to groups. Inline policies for users are not a good practice.
  • Create a strong password policy
  • Use MFA for secure authentication.
  • Create roles for assigning permissions to AWS services
  • Use access keys for programmatic access to AWS (CLI/SDK)
  • Audit permissions of AWS using Credential manager and Access Advisor.
  • Never ever share IAM users and Access keys.


Leave a Reply

Your email address will not be published. Required fields are marked *

Enable Notifications OK No thanks