
What is IAM and how does IAM work in AWS?

IAM (Identity and Access Management) belongs to the "Security, Identity & Compliance" category of AWS (Amazon Web Services) services. It allows us to manage access to AWS services and resources securely. With IAM we can create and manage AWS users, groups and roles, and use permissions to allow or deny their access to AWS resources.

IAM comes at no extra charge; we are charged only for the other AWS services we use.

AWS IAM helps us to:

  • Manage users and their access:
    We can create users in IAM and assign them individual security credentials. We can manage permissions to control which operations a user can and cannot perform.
  • Manage roles and their permissions:
    We can create roles in IAM and manage permissions to control which operations can be performed by the entity, or AWS service, that assumes the role.
  • Manage federated users and their permissions:
    We can enable identity federation to allow existing users, groups and roles in our company to access AWS Management

To understand the IAM service in more detail, you can refer to AWS documentation.

In this article we will see how to create an IAM user, group, IAM role, assign permissions, and create custom policies.

Note: IAM is a global service. It is not tied to a particular region and applies to the entire AWS account.


Prerequisites

  1. AWS Account (create one if you do not have one).

What we will do

  1. Log in to AWS.
  2. Create an IAM user.
  3. Create an IAM group and add users to it.
  4. Create an IAM role.
  5. Create an IAM policy.

Log in to AWS

  1. Click here to go to the AWS login page.

When we click the above link we see a web page like the following, where we are required to log in with our credentials.

  Log in to AWS

Once we are logged in to AWS we see the main console with all services listed as follows.

  AWS Management Console

Creating an IAM user

An IAM user is an entity that we create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Click "Services" in the upper left corner and you will see a screen listing all the services. Find "IAM" under "Security, Identity & Compliance" and click on "IAM".

  Create an IAM User

You will see a dashboard. This is the IAM console. Click "Users" in the left panel.

  Identity and Access Management

Click "Add user" to create a new user.

  Add User

Enter a name for the user to create. We can create a user with two different access types.

  1. Programmatic access:
    With this access type we can operate on the AWS account from the AWS API, CLI, SDKs and other development tools.
  2. AWS Management Console access:
    This access type allows the user to log in to the AWS Management Console.

In this article we will create a user who has "AWS Management Console access". When you tick "AWS Management Console access" you are given a field to assign a password to the user.

We can choose either "Autogenerated password" or "Custom password". Here we select "Custom password" and assign the user a password. If required, we can force the user to change the password at the next sign-in. Keep the default. Click "Next: Permissions" to continue and assign permissions.

  Set user information

On the next screen, click "Attach existing policies directly", search for "readonlyaccess" and tick the check box that appears. With "ReadOnlyAccess" the user will not be able to create any AWS resources. You can go through the list of permissions to understand them. Click "Next: Tags" to continue.

  Set permissions

Adding tags is optional but helps to organize, track, or control access for this user. Click "Next: Review" to continue and create the user.

  Add Tags

Review the configuration and click "Create user" to create the user.

  View User Information

Click "Download .csv" to download the file containing the "Console login link". If you create a user with "Programmatic access", this file is very important because it contains the "Access key ID" and "Secret access key" required for programmatic access, and this is the only time the secret access key can be downloaded. Now click "Close"; we have created our first user.

  User added successfully

Creating an IAM role

An IAM role is an IAM identity that we can create in our AWS account and that has specific permissions. It is similar to an IAM user in that it has a permissions policy that determines what the identity can and cannot do in AWS. An IAM role allows AWS services to perform actions on our behalf.

In the IAM console, click "Roles" in the left panel, then click "Create role".

  Creating an IAM role

In this article we will create a role for the Lambda service. Click "Lambda" and then "Next: Permissions".

  Lambda > Permissions

Type "ec2readonlyaccess" in the search box and tick the "AmazonEC2ReadOnlyAccess" check box. This gives the Lambda function that assumes the role read-only access to the EC2 service. Click "Next: Tags".


Adding tags is optional but can be used to organize, track, or control access for this role. Click "Next: Review" to continue.

  Create role

Name the role, add a description and click "Create role". This creates a role that allows Lambda functions to call AWS services on your behalf with read-only access to the EC2 service.

  Read-only role

Create an IAM Group

An IAM group is a collection of IAM users. Using groups we can set permissions for multiple users at once, which makes it easier to manage the permissions of those users.

In the IAM console, click "Groups" in the left panel, then click "Create New Group".

 Create an IAM Group

Enter a name and click "Next Step".

  Set group name

Search for "readonlyaccess", scroll to the bottom and tick the "ReadOnlyAccess" check box. Click "Next Step".

 Attach a Policy

Review the configuration and click "Create Group".

Now we have a group with "ReadOnlyAccess", which means that users belonging to this group have only read-only access to AWS resources and services.

 Review settings

Go back to the IAM console and select the group we just created. Click "Add Users to Group" to add our user to this group.

 Add user to group

Select the user we created in the previous step and click "Add Users". This adds our user to the group we created with "ReadOnlyAccess".

  Read-only users

Creating an IAM policy

An IAM policy is an object that is attached to an identity or resource to define its permissions.

In the IAM console, click "Policies" in the left panel, then click "Create policy".

 Creating an IAM Policy

Click "Service" to choose the service for which the policy is to be created. Search for a service in the search box and select it.

You get a list of access levels that can be granted; here select "List". Click "Review policy".

 Review Policy

Name the policy and click "Create policy". This policy can now be attached to a user to grant only "List" permissions on the EC2 service. To attach it, we follow the same steps we used to attach a policy while creating the user.
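All the policies attached in this article (ReadOnlyAccess on the user and group, AmazonEC2ReadOnlyAccess on the Lambda role, and the custom List-only EC2 policy) are evaluated by the same rules. The following Python is an added example, not code from the original article or from any AWS library: a minimal evaluator for identity-based policy documents, run against constructed sample policies (the `ec2:Describe*` wildcard stands in for the Describe actions the console emits, and the bucket name is a placeholder).

```python
"""Minimal evaluator for IAM identity-based policies (constructed example).
Decision order as documented by AWS: an explicit Deny beats any Allow, a
matching Allow grants the request, anything unmatched is implicitly denied.
Only Effect, Action and Resource are handled (no Condition, NotAction or
resource-based policies)."""
import json
from fnmatch import fnmatchcase

# Constructed stand-in for the custom policy built in the console with only
# the EC2 "List" access level ticked (the console emits individual Describe
# actions; the wildcard is a simplification).
EC2_LIST_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]
}""")

# Constructed read-only policy plus an explicit Deny on one bucket, showing
# that Deny is evaluated before Allow. The bucket name is a placeholder.
READ_ONLY_WITH_DENY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-payroll-bucket/*"}
  ]
}""")


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def evaluate(policies, action, resource):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are case-insensitive in IAM; ARNs are not.
            action_hit = any(fnmatchcase(action.lower(), p.lower())
                             for p in _as_list(stmt["Action"]))
            resource_hit = any(fnmatchcase(resource, p)
                               for p in _as_list(stmt["Resource"]))
            if action_hit and resource_hit:
                if stmt["Effect"] == "Deny":
                    return "Deny"  # an explicit Deny ends evaluation
                decision = "Allow"
    return decision
```

With the List-only policy, `ec2:DescribeInstances` evaluates to Allow while `ec2:RunInstances` falls through to ImplicitDeny, which is the behaviour the console's "List" access level is meant to produce.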

 Create new policy


In this article we created a user and a role and attached policies to them, created a group and added the user to it, and created a custom policy that can be attached to the user.
