📎 Referral Code:
📊 Dashboard Sign In
Navigation
🗺️
Live Classes
🗺️
Courses
🎬
Assignments
💡
Q & A
💡
My Profile
💡
Recruiter Board
Job Support
🎯
Interview Board
AI Tools
🌐
Project Explanation Agent
🛟
Support Works
◀ Prev 21 / 21 🎉 Last video!
📂 6. AWS Core 📋 Video 21 of 21
Topics Covered
AWS IAM, Authentication, Authorization
📝 Class Notes
🔐 AWS Security

AWS IAM — Identity & Access Management

The foundation of AWS security. Control who can access what in your AWS account. Every real AWS project uses IAM — learn it once, use it everywhere.

🔑 What is IAM 👤 Users, Groups, Roles 📋 Policies 3 Access Types 💼 Career Usage
🤔
Why are you learning IAM? Read this before anything else.
Imagine you join a company. On Day 1, the security team gives you a badge — it has your name, your photo, and a list of rooms you are allowed to enter. You can enter the server room but not the finance room. This badge is your IAM Identity + Policy.

In AWS, every person, every application, every Lambda function, every EC2 instance — all need a "badge" before they can touch any AWS resource. IAM is the system that creates and manages these badges.

Without IAM knowledge, you cannot work on any real AWS project. It is asked in every AWS interview. It is used in every AWS job — DevOps, Data Engineer, Backend Developer, Cloud Engineer.
🏛️

What is AWS IAM?

01
🏢
Real world analogy — Office building security
A large company has 500 employees, 50 contractors, and 10 security cameras (applications). The building has 20 floors — HR floor, Finance floor, Server room, Cafeteria.

IAM is the security system of this building. It decides:
WHO can enter — which employee, contractor, or application
WHAT they can do — read files, modify data, delete records
WHERE they can go — S3 bucket, EC2 server, RDS database
WHEN access is allowed — temporary or permanent

AWS IAM (Identity and Access Management) is a free AWS service that lets you securely control access to AWS services and resources. Using IAM, you create users, assign permissions, and define exactly what each person or application can and cannot do.

🛡️
Secure Access
Only authorized users and apps access the right resources — nothing more
🎛️
Centralized Control
Manage all users and permissions from one place — no scattered access
🔍
Least Privilege
Give only the minimum permissions needed — reduce security risk
📊
Audit & Compliance
Track every action using CloudTrail — know who did what and when
💰
Free Service
IAM is completely free — no additional charge for users, roles, or policies
⚡ How IAM Works — The Flow Understand this
WHO
User / Role / App
Identity
WHAT
Policy / Permissions
Permissions
WHERE
S3 / EC2 / RDS
Resource
RESULT
Allow / Deny
Evaluation
💼
Where you will use IAM in your job
Every single AWS project uses IAM. As a Data Engineer — you create IAM roles for Glue, Lambda, EMR to access S3. As a Backend Developer — you create IAM users for your application to access DynamoDB. As a DevOps — you manage IAM roles for EC2, ECS, CodePipeline. No AWS project runs without IAM.

🗝️

Key IAM Terminologies

02

These are the 9 terms you must know cold before any AWS interview. Every IAM concept builds on these.

👤 User Identity
An individual identity with long-term credentials (username + password or access keys). Represents a human person or an application that needs permanent access.
Example: ravi.kumar@company.com is an IAM User who logs into AWS Console daily to work.
👥 Group Identity
A collection of IAM Users. You attach policies to a Group — all users in the group get those permissions automatically. Makes managing teams easy.
Example: "DataEngineers" group — all 20 data engineers get S3 and Glue access by being in this group.
🎭 Role Identity
An identity that provides TEMPORARY permissions. No username or password. Users, applications, or AWS services "assume" a role to get temporary access. Most secure approach.
Example: Lambda function assumes "LambdaS3Role" to read from S3 — no permanent credentials needed.
📋 Policy Permission
A JSON document that defines what actions are allowed or denied on which resources. Policies are attached to Users, Groups, or Roles. This is where actual permissions live.
Example: A policy saying "Allow s3:GetObject on arn:aws:s3:::my-bucket/*"
🔑 Access Key Credential
A pair of credentials (Access Key ID + Secret Access Key) used for programmatic access — AWS CLI, SDK, API calls. Never share or commit to Git.
Example: Your Python script uses Access Keys to call boto3 and upload files to S3.
🚧 Permission Boundary Guardrail
Sets the MAXIMUM permissions an identity can ever have — acts as a guardrail. Even if a policy gives more permissions, the boundary caps them.
Example: A boundary saying "never allow DeleteBucket" — no matter what policies are attached, delete is blocked.
🔄 Assume Role Action
The action of temporarily taking on a Role's permissions. Done via AWS STS (Security Token Service). Returns temporary credentials that expire automatically.
Example: Ravi assumes "AdminRole" for 1 hour to do a deployment, then access expires automatically.
📱 MFA Security
Multi-Factor Authentication — an extra layer of security requiring a second verification (OTP from phone app) in addition to password. Critical for Root User and admin accounts.
Example: After entering password, you also enter a 6-digit code from Google Authenticator app.
Root User ⚠️ Danger
The first account created with your AWS account. Has FULL access to everything — cannot be restricted. Use only for billing and critical tasks. Enable MFA immediately.
⚠️ Never use Root User for daily work. Create an IAM User with required permissions instead.

📋

IAM Policies — The Permission Document

03
📄
Analogy — Job offer letter
When you join a company, HR gives you a letter: "You are allowed to access the office, use the laptop, access the HR system. You are NOT allowed to access the finance system or the server room." That letter is your IAM Policy — a written document listing exactly what you can and cannot do.

A Policy is a JSON document with 5 key fields: Effect (Allow/Deny), Action (what operation), Resource (which AWS resource), Principal (who), and Condition (when/how). Every permission in AWS is defined through a policy.

📌 Policy Structure JSON Format
 
 
 
iam_policy_structure.jsonIAM POLICY
{
  "Version": "2012-10-17",         // always use this version
  "Statement": [
    {
      "Effect":    "Allow",          // Allow or Deny
      "Action":    [
        "s3:GetObject",             // read a file
        "s3:PutObject"              // upload a file
      ],
      "Resource":  "arn:aws:s3:::my-bucket/*"  // which S3 bucket
    }
  ]
}

// Real example: Lambda reads from one S3 bucket only
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":   "Allow",
      "Action":   "s3:GetObject",
      "Resource": "arn:aws:s3:::raw-data-bucket/*"
    },
    {
      "Effect":   "Deny",            // explicitly block delete
      "Action":   "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}
📦 5 Types of Policies Know the difference
Policy Type Who Creates It When to Use
AWS Managed Policy AWS creates and maintains Quick start — use predefined policies like AmazonS3ReadOnlyAccess
Customer Managed Policy You create in your account Custom business rules — most used in real projects
Inline Policy You create, attached to one identity only One-off permissions for a specific user/role — not reusable
Permission Boundary You create as a guardrail Limit max permissions a developer can grant to any role
Session Policy Passed during AssumeRole Temporarily restrict permissions for a specific session

🚪

3 Ways to Access AWS Resources

04

There are 3 different ways to get access to AWS resources. As a fresher, understanding when to use which is what interviewers test. Each has a completely different use case.

1
User-Based Access
For humans who need daily access
A person logs in with username + password (Console) or Access Keys (CLI/SDK). Permissions come from policies directly attached to the user or their group. Long-term credentials.
🧑 Real example:
Ravi is a developer. He logs into AWS Console using his IAM user ravi.user and accesses S3 buckets and EC2 instances to do his daily work.
👤 Humans Long-term Console + CLI
2
Role-Based Access
For teams, apps, cross-account
A user or application temporarily assumes a Role using AWS STS. Gets short-term credentials that expire automatically. No permanent credentials — most secure approach. Best for teams.
🏢 Real example:
Ravi's entire HR team assumes HR-Reports-Role to access the HR S3 folder. When someone leaves the team, you just remove them from the role — no individual policy updates needed.
👥 Teams Temporary STS / Assume Role
3
Service-to-Service Access
For AWS services talking to each other
An AWS service (Lambda, Glue, EC2) assumes a Service Role to access another AWS service. No human involved. The service gets temporary credentials automatically. Zero human credentials.
⚙️ Real example:
AWS Glue job needs to read data from S3 and write results back to S3. Glue assumes a GlueServiceRole which has S3 read/write permissions. No human logs in — it's fully automated.
🤖 Services Automated Service Role
Access Type Who Uses It? Credentials Duration Best Use Case
User-Based Human developers, analysts Password + Access Keys Long-term Daily console work, CLI usage
Role-Based Humans via Assume Role Temporary (STS) Short-term Teams, cross-account, elevated access
Service-to-Service AWS Services (Glue, Lambda) Temporary via Role Short-term Glue→S3, Lambda→DynamoDB, EC2→S3

⚖️

Role-Based vs User-Based — Which to Use?

05
💡
Simple rule to remember
User-Based = One person, simple setup. Like giving one employee a permanent ID card.
Role-Based = Many people or services, scalable. Like a job designation — "all Managers can access the boardroom." Add/remove people from the designation, not individual rooms.
Factor User-Based Role-Based ✅ Recommended
Permissions attached to Individual user directly Role — shared by all who assume it
Team management Update each user individually Update the role once — all users get it
Security Long-term credentials — risk if leaked Temporary credentials — auto-expire
Cross-account access Very complex Built-in with Trust Policy
AWS services (Lambda etc) Cannot use user credentials Services assume roles natively
Scalability Gets messy with 50+ users Scales to thousands of users easily
Best for Individual devs, small teams Teams, applications, AWS services
💻 Trust Policy — Who Can Assume a Role Important in interviews
 
 
 
trust_policy_example.jsonTRUST POLICY
// This Trust Policy allows Lambda service to assume this role
// Without this, Lambda cannot use the role — security by design
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":    "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"  // Lambda can assume this role
      },
      "Action":    "sts:AssumeRole"
    }
  ]
}

// Trust Policy for cross-account access
// Allow another AWS account (123456789012) to assume this role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":    "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action":    "sts:AssumeRole"
    }
  ]
}

🏭

Real-World IAM Scenarios

06
🔶 Scenario 1 AWS Glue reads from S3
📋 Situation
You have an AWS Glue ETL job that needs to read raw CSV files from an S3 bucket and write cleaned Parquet files to another S3 bucket. How do you give Glue access to S3 without any human credentials?
 
 
 
glue_s3_role.jsonSERVICE ROLE
// Step 1: Create GlueServiceRole with Trust Policy for Glue
{
  "Principal": { "Service": "glue.amazonaws.com" },
  "Action": "sts:AssumeRole"
}

// Step 2: Attach Permission Policy — read from raw, write to clean
{
  "Statement": [
    {
      "Effect":   "Allow",
      "Action":   ["s3:GetObject", "s3:ListBucket"],
      "Resource": "arn:aws:s3:::raw-data-bucket/*"
    },
    {
      "Effect":   "Allow",
      "Action":   ["s3:PutObject", "s3:DeleteObject"],
      "Resource": "arn:aws:s3:::clean-data-bucket/*"
    }
  ]
}
// Step 3: Assign GlueServiceRole to your Glue Job — done!
// Glue now has S3 access with zero human credentials involved.
🔷 Scenario 2 Data Engineering Team — Group Access
📋 Situation
Your company has 15 Data Engineers. All of them need access to S3, Glue, Athena, and CloudWatch. Instead of attaching policies to 15 individual users, use an IAM Group.
 
 
 
data_engineering_group.jsonGROUP POLICY
// Create Group: DataEngineers
// Attach ONE policy to the group — all 15 engineers inherit it
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":   "Allow",
      "Action":   [
        "s3:*",                 // full S3 access
        "glue:*",               // full Glue access
        "athena:*",             // full Athena access
        "cloudwatch:GetMetric*" // read-only CloudWatch
      ],
      "Resource": "*"
    }
  ]
}
// New engineer joins? Add them to DataEngineers group — instant access.
// Engineer leaves? Remove from group — access revoked immediately.
💼
IAM is asked in every AWS interview — here are common questions
1. What is the difference between an IAM User and an IAM Role?
2. How does a Lambda function get access to S3? (Answer: Service Role)
3. What is the difference between AWS Managed Policy and Customer Managed Policy?
4. What is a Trust Policy? How is it different from a Permission Policy?
5. What is Least Privilege Principle in IAM?
6. How do you give cross-account access in AWS?

🚀

Where You Will Use IAM in Your Career

07
⚙️
Data Engineer
Create IAM Roles for Glue, EMR, Lambda, Athena to access S3, RDS, Redshift. Every pipeline needs IAM.
🖥️
Backend Developer
Create IAM Users or Roles for your app to access DynamoDB, S3, SQS, SNS using boto3 or AWS SDK.
🔧
DevOps Engineer
Manage IAM Roles for EC2, ECS tasks, CodePipeline, CodeBuild. Set up cross-account deployment roles.
🤖
GenAI / ML Engineer
Create Roles for SageMaker, Bedrock, Lambda to access models, S3 training data, and APIs securely.
🛡️
Cloud Security
Audit IAM permissions, implement least privilege, set up Permission Boundaries, monitor with CloudTrail.
🏆
AWS Certification
IAM is 25-30% of AWS Solutions Architect, Developer, and SysOps exams. Master it once, ace every cert.
🎯
Key Takeaway — Remember this always
IAM = RIGHT identity → RIGHT permissions → RIGHT resources → RIGHT reasons

• Users are for people. Roles are for temporary and elevated access. Services use roles to securely access other services.
• Always follow Least Privilege — give only what is needed, nothing more.
• Never use Root User for daily work. Never commit Access Keys to GitHub.
IAM is the foundation of ALL AWS security. If you know IAM, you know AWS security.
June-08-2026:Morning 9:00AM - 10:00AM
June-08-2026:Morning 9:00AM - 10:00AM
0% done
5
6. AWS Core
1 videos