Section 1 - Instruction

Welcome to Identity and Access Management (IAM)! This is the AWS service that lets you securely control access to your AWS resources. IAM is how you enforce who can do what within your account.

Think of it as the security desk for your entire cloud environment.

Engagement Message

What would happen if there was no security desk controlling who could enter a building?

Section 2 - Instruction

IAM has four main building blocks: Users, Groups, Roles, and Policies. Let's start with Users. An IAM User is an identity you create in AWS that represents a person or an application needing access to your account.

Engagement Message

Why is it important to create individual users instead of everyone sharing one account?

Section 3 - Instruction

An IAM Group is simply a collection of IAM users. Instead of assigning permissions to each user one by one, you can place users into a group and attach permissions to that group. This makes management much easier.

For example, you could have a "Developers" group and a "Finance" group.

Engagement Message

How would managing permissions for 100 developers be different with groups versus without groups?

Section 4 - Instruction

An IAM Role is an identity meant to be assumed by someone or something that needs it. It provides temporary security credentials for the duration of the session. Roles are useful for giving AWS services access to other services, or for federating users from another identity system.

Engagement Message

When might temporary access be more secure than permanent access?

Section 5 - Instruction

Finally, Policies are the documents that define permissions. A policy is attached to a user, group, or role, and it explicitly lists what actions are allowed or denied on which AWS resources. Policies are the heart of IAM.
