Chapter 4 of 10
Identity, Access Management, and Protecting AWS Resources
See how AWS controls who can do what, where, and when inside your account, and connect these ideas directly to the types of access-management questions you’ll face on the exam.
1. Why Identity and Access Matter in AWS
Access in AWS = API Calls
In AWS, almost every action is an API call. IAM decides who can call which APIs, on what resources, from where, and under which conditions.
Link to Previous Modules
From Global Infrastructure: resources live in Regions/AZs. From Shared Responsibility: AWS secures the cloud; you secure access in the cloud. IAM is your main tool.
IAM at a Glance
IAM is a global service that controls access across your account. You define identities (users, roles, groups) and attach policies that allow or deny actions.
Exam Perspective
On exams, expect questions like: Which IAM feature should you use? Which policy change fixes an access issue while following least privilege?
2. IAM Core Building Blocks: Users, Groups, Roles, Policies
IAM Users
IAM users represent a person or app needing long-term access. They have passwords and/or access keys. Today, best practice is to minimize IAM users and favor federation.
IAM Groups
Groups are collections of IAM users. You cannot log in as a group; they exist to attach policies to many users at once, like Developers or ReadOnlyAuditors.
IAM Roles
Roles are assumed to get temporary credentials. No long-term password or keys. Used for AWS services, cross-account access, and federated users.
Policies
Policies are JSON documents defining permissions. Identity-based policies attach to users, groups, roles. Resource-based policies attach to resources like S3 buckets.
Exam Tip: Roles vs Users
If you see temporary access, cross-account access, or EC2 needing permissions, think IAM role, not IAM user.
3. Real-World Scenario: Setting Up a New Developer
Scenario: New Developer Alex
Alex needs console access, S3 read/write to myapp-dev-logs, and read-only EC2 in dev. You want least privilege and simple management.
Step 1: Create Group
Create group Developers-Dev. Attach a custom S3 policy for myapp-dev-logs only, plus AmazonEC2ReadOnlyAccess for viewing EC2.
Step 2: Create User or Federate
Create IAM user alex (or use federation via IAM Identity Center). Add alex to Developers-Dev. Enforce MFA and avoid long-term access keys if possible.
Step 3: Outcome
Alex automatically gets the group’s permissions. New devs can be onboarded by adding them to the same group, keeping access consistent.
4. How IAM Policies Actually Work (Allow, Deny, Evaluation)
Policy Structure
IAM policies are JSON with Effect (Allow/Deny), Action (APIs), Resource (ARNs), and optional Condition (extra rules like IP or MFA).
Default: Implicit Deny
By default, all requests are implicitly denied. You must add explicit Allows in policies to grant access.
Explicit Deny Wins
If any applicable policy has Effect: Deny that matches the request, it overrides all Allows and the request is denied.
Why This Matters
Understanding evaluation helps you debug "AccessDenied" errors and choose the correct policy-based answer on exams.
5. Policy Example: Least-Privilege S3 Access
Here is a minimal identity-based policy that allows read-only access to a single S3 bucket. Study the structure and think about how you would adjust it for different scenarios.
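As an added example (not the course's own policy text), the following builds a minimal read-only, single-bucket identity-based policy of the kind described above and pairs it with a small static check for the wildcard `Action`/`Resource` red flags this chapter keeps returning to. The bucket name `myapp-dev-logs` is a constructed placeholder.

```python
import json

# Added example, not from the course: the minimal read-only, single-bucket
# identity-based policy this section refers to, plus a static check for the
# least-privilege red flags (wildcard Action or Resource) discussed later.
# The bucket name is a constructed placeholder.
BUCKET = "myapp-dev-logs"

READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # ListBucket is a bucket-level action: its Resource is the bucket ARN
            "Sid": "ListOneBucket",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
        {   # GetObject is object-level: its Resource is the bucket ARN plus a
            # key pattern. Granting it on the bare bucket ARN would not work.
            "Sid": "ReadObjectsOnly",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
    ],
}

def policy_document():
    """The policy as the JSON text you would paste into the IAM console or CLI."""
    return json.dumps(READ_ONLY_POLICY, indent=2)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def least_privilege_findings(policy):
    """Return human-readable findings for Allow statements that are too broad."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a concern here
        sid = stmt.get("Sid", f"Statement[{i}]")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*" or resource.endswith(":::*"):
                findings.append(f"{sid}: wildcard resource {resource!r}")
    return findings
```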
6. Thought Exercise: Fix the Over-Permissive Policy
You find this policy attached to a role used by a Lambda function that processes images uploaded to `myapp-photos` in one Region:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
```
This clearly violates least privilege.
Your task (mentally, or jot it down):
- Identify at least three problems with this policy.
- Rewrite it (in plain English) to be more secure but still functional.
- Decide whether this should be an identity-based policy on the Lambda role or a resource-based policy on the S3 bucket.
Pause and think before reading the sample reasoning below.
Sample reasoning (for self-check):
- Problems:
- `Action: "s3:*"` allows all S3 actions, including deleting any object and any bucket.
- `Resource: "*"` allows access to all S3 buckets in the account (and even cross-account where allowed).
- No conditions (for example, no restriction by prefix, no encryption checks, no Region constraints).
- Better (in English):
- Allow only `s3:GetObject`, `s3:PutObject` on `arn:aws:s3:::myapp-photos/uploads/*`.
- Optionally allow `s3:ListBucket` on `arn:aws:s3:::myapp-photos` with a prefix condition.
- Placement:
- Typically, this is an identity-based policy on the Lambda execution role.
- You might also add a bucket policy to allow that role’s principal ARN to access the bucket, especially for cross-account.
Use this pattern on the exam: when you see `*` in Action or Resource, ask yourself if least privilege is being respected.
7. IAM in the Shared Responsibility Model: Who Does What?
AWS vs You
AWS secures data centers, hardware, and the managed IAM service. You define who can access which resources and manage identities and policies.
Your Responsibilities
You manage IAM users, roles, groups, MFA, password policies, and monitor access with CloudTrail and other tools.
Identity-First Security
As of 2026, AWS stresses identity-first security: secure identities and permissions first, then layer network and other controls.
Exam Angle
Questions about granting access or rotating credentials fall under customer responsibility, not AWS.
8. Key AWS Services and Tools for Protecting Resources
IAM Identity Center
AWS IAM Identity Center (successor to AWS SSO) manages workforce SSO access to AWS accounts and apps, reducing the need for long-lived IAM users.
AWS Organizations & SCPs
AWS Organizations lets you manage many accounts. Service Control Policies set maximum permissions across accounts, like blocking certain actions or Regions.
CloudTrail & GuardDuty
CloudTrail logs API calls and sign-ins. GuardDuty analyzes logs for suspicious behavior, such as unusual API usage or access from strange locations.
Security Hub & Config
Security Hub aggregates security findings. AWS Config tracks resource changes and can flag risky IAM policies, like those with wildcard * permissions.
9. Quick Check: IAM Identities and Policies
Test your understanding of IAM users, roles, groups, and policies.
An application running on an EC2 instance needs temporary permission to read objects from a single S3 bucket. Following best practices, what should you configure?
- A) Create an IAM user with access keys and embed the keys in the application code.
- B) Attach an IAM role to the EC2 instance with a policy allowing only required S3 actions on that bucket.
- C) Create an IAM group with S3 full access and add the EC2 instance to the group.
- D) Use a resource-based bucket policy that grants public read access to all objects.
Answer: B) Attach an IAM role to the EC2 instance with a policy allowing only required S3 actions on that bucket.
The best practice is to use an IAM role attached to the EC2 instance with a least-privilege policy for that specific bucket. Long-term access keys in code are insecure, EC2 cannot be added to groups, and public access violates security principles.
10. Flashcard Review: Core Terms
Use these flashcards to quickly review key IAM and security terms before moving on.
- IAM User
- An identity with long-term credentials representing a person or application. Best practice is to minimize use for humans and prefer federation.
- IAM Group
- A collection of IAM users used to manage permissions collectively. You cannot log in as a group.
- IAM Role
- An identity that can be assumed to obtain temporary credentials, commonly used by AWS services, federated users, or for cross-account access.
- Identity-Based Policy
- A JSON policy attached to a user, group, or role defining what actions are allowed or denied on which resources.
- Resource-Based Policy
- A JSON policy attached directly to a resource (such as an S3 bucket or KMS key) specifying who can access it and how.
- Service Control Policy (SCP)
- An AWS Organizations policy that sets the maximum permissions for accounts or organizational units. It does not grant permissions by itself.
- AWS CloudTrail
- A service that records AWS API calls and console sign-ins for auditing and security analysis.
- Amazon GuardDuty
- A threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized behavior.
Key Terms
- IAM Role
- An AWS identity with permissions that can be assumed to receive temporary security credentials.
- IAM User
- An AWS identity with long-term credentials representing a single person or application. Often replaced by federation for human users.
- IAM Group
- A collection of IAM users that you manage as a single unit for permissions.
- AWS Config
- A service that tracks configuration changes to AWS resources and evaluates them against rules for compliance and security.
- IAM Policy
- A JSON document that defines permissions (Allow or Deny) for actions on resources, with optional conditions.
- AWS CloudTrail
- A service that records AWS API calls and console sign-in events for auditing and security.
- Least Privilege
- The principle of granting only the minimum permissions needed to perform required tasks, and no more.
- AWS Security Hub
- A service that aggregates and prioritizes security findings from multiple AWS services and partners.
- Amazon GuardDuty
- A threat detection service that continuously monitors AWS accounts and workloads for malicious or unauthorized behavior.
- AWS Organizations
- A service for centrally managing and governing multiple AWS accounts, including with Service Control Policies.
- Identity-Based Policy
- A policy attached to an IAM user, group, or role specifying what that identity can do.
- Resource-Based Policy
- A policy attached directly to a resource (like an S3 bucket) specifying who can access it and how.
- AWS IAM Identity Center
- The AWS service (successor to AWS SSO) that manages workforce single sign-on access to AWS accounts and applications.
- Service Control Policy (SCP)
- An AWS Organizations policy that defines the maximum available permissions for accounts or organizational units.
- IAM (Identity and Access Management)
- An AWS global service that lets you securely control access to AWS services and resources using users, groups, roles, and policies.