AWS Identity and Access Management (IAM) is the service that lets you securely control who can access what in your AWS account and how they can use it. IAM provides authentication (who you are) and authorization (what you can do) for users, applications, and services across AWS.
sts:AssumeRole to obtain temporary credentials.Action, Resource, Condition).IAM uses an implicit deny by default. An explicit Allow grants access unless there is an explicit Deny, which always wins. Effective permissions come from combining identity policies, resource policies, boundaries, SCPs, and session policies.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::example-bucket",
"arn:aws:s3:::example-bucket/*"
]
}]
}
aws:PrincipalTag, s3:prefix).A user authenticates via your IdP (SAML/OIDC) → assumes an IAM role → receives temporary credentials via STS → calls AWS services (e.g., upload to S3 or invoke a Lambda). Policies on the role and resources control exactly what is allowed.