AWS IAM
AWS IAM (Identity and Access Management) controls who is authorised to do what in an AWS account. Identities and fine-grained authorisations are used to control access to each individual service.
What is AWS IAM?
AWS IAM (Identity and Access Management) is AWS’s authorisation system. For every action taken in an AWS account, it answers the question: Is this identity permitted to perform this specific action on this specific resource? IAM is therefore the foundation of security for every AWS environment – every other service relies on it.
IAM is free of charge and yet one of the most important services of all. A well-designed IAM strategy prevents employees, applications or a compromised account from having more rights than necessary.
The building blocks of IAM
- Users: Identities for individual people with their own login credentials.
- Groups: Group users with similar tasks together to assign permissions consistently.
- Roles: Identities that are assumed temporarily – by applications, AWS services or users.
- Policies: Sets of rules in JSON format that describe exactly which actions are permitted or prohibited.
The principle of least privilege
The most important principle in IAM is the principle of least privilege: each identity is granted only the permissions it actually needs for its task – nothing more. This limits the damage if an identity's access is misused or its credentials are stolen. Blanket administrator rights ‘just in case’ are one of the biggest avoidable security risks in the cloud.
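The policy format described under the building blocks and the least-privilege principle are easiest to see in a worked decision. The following Python script is an added example, not code from AWS or from this page: it evaluates IAM-style JSON policy documents with IAM's core decision rule (an explicit Deny always wins, otherwise at least one Allow must match, otherwise the request is implicitly denied). The two policies, the bucket name `example-reports`, the action/resource wildcards and the MFA condition are constructed for illustration; the evaluator models only the `Bool` and `BoolIfExists` condition operators, whereas real IAM has many more operators and policy types.

```python
"""Toy evaluator for IAM-style JSON policies (added example, not AWS code)."""
import fnmatch

# Constructed least-privilege policy: read a single bucket, and deny every S3
# action when the request was not made with MFA. BoolIfExists is used so that
# requests whose context carries no MFA key at all (long-lived access keys)
# are denied as well; a plain Bool would not match when the key is absent.
REPORT_READER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports",
                         "arn:aws:s3:::example-reports/*"],
        },
        {
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}

# Blanket administrator policy of the "just in case" kind.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    """IAM-style wildcard match: * and ? are allowed in actions and ARNs.
    Action names are case-insensitive, ARNs are case-sensitive."""
    for pattern in _as_list(patterns):
        p, v = (pattern.lower(), value.lower()) if case_insensitive else (pattern, value)
        if fnmatch.fnmatchcase(v, p):
            return True
    return False


def _condition_holds(condition, context):
    """Evaluate the Bool / BoolIfExists operators against the request context."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            present = key in context
            equal = present and str(context[key]).lower() == str(expected).lower()
            if operator == "Bool" and not equal:
                return False
            if operator == "BoolIfExists" and present and not equal:
                return False
            if operator not in ("Bool", "BoolIfExists"):
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def evaluate(policies, action, resource, context=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action, case_insensitive=True):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit deny overrides every allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print("reader, GetObject with MFA:   ", evaluate([REPORT_READER_POLICY], "s3:GetObject", obj, mfa))
    print("reader, GetObject without MFA:", evaluate([REPORT_READER_POLICY], "s3:GetObject", obj))
    print("reader, PutObject with MFA:   ", evaluate([REPORT_READER_POLICY], "s3:PutObject", obj, mfa))
    print("admin,  TerminateInstances:   ", evaluate([ADMIN_POLICY], "ec2:TerminateInstances", "arn:aws:ec2:eu-central-1:123456789012:instance/i-0abc"))
    print("admin + reader deny, no MFA:  ", evaluate([ADMIN_POLICY, REPORT_READER_POLICY], "s3:GetObject", obj))
```

Running the script shows the least-privilege policy allowing exactly the read it was written for, falling through to an implicit deny for a write or for an unrelated service, and the explicit MFA deny overriding even the blanket administrator policy when both are attached to the same identity.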
Roles instead of long-lived keys
Applications and AWS services should never operate using hard-coded, long-lived access keys. Instead, they assume an IAM role and are thereby granted temporary, automatically expiring credentials. An EC2 instance with an assigned role can, for example, access an S3 bucket without a key needing to be stored anywhere – a key that doesn’t exist cannot be stolen.
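A practical first step towards the rule above is finding out where long-lived keys are already hard-coded. The following Python script is an added example, not code from AWS or from this page: it scans source or configuration text for AWS access key IDs and separates long-lived IAM user keys (prefix `AKIA`) from temporary STS credentials (prefix `ASIA`), which are what an assumed role hands out and which expire on their own. The sample configuration is constructed and uses the placeholder key IDs from the AWS documentation, not real credentials.

```python
"""Find hard-coded AWS access key IDs in text (added example, not AWS code)."""
import re

# An AWS access key ID is 20 characters: a 4-letter prefix followed by 16
# upper-case letters or digits. AKIA marks a long-lived IAM user key, ASIA a
# temporary credential issued by STS (for example to an EC2 instance role).
KEY_ID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def classify_key_id(key_id):
    """Return "long-lived", "temporary" or "unknown" for an access key ID."""
    if key_id.startswith("AKIA"):
        return "long-lived"
    if key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def find_access_key_ids(text):
    """Return (line_number, key_id, kind) for every access key ID in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_ID_RE.finditer(line):
            key_id = match.group(0)
            findings.append((lineno, key_id, classify_key_id(key_id)))
    return findings


def long_lived_key_ids(text):
    """Only the findings that should be replaced by an IAM role."""
    return [f for f in find_access_key_ids(text) if f[2] == "long-lived"]


# Constructed sample: a credentials file with the documentation placeholder
# keys. The AKIA line is the kind of hard-coded key the text warns against;
# the ASIA line is a temporary credential obtained through an assumed role.
SAMPLE_CONFIG = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# session credentials from STS for an assumed role (expire automatically)
AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
AWS_SESSION_TOKEN=<session-token-placeholder>
"""

if __name__ == "__main__":
    for lineno, key_id, kind in find_access_key_ids(SAMPLE_CONFIG):
        flag = "REPLACE WITH ROLE" if kind == "long-lived" else "ok (temporary)"
        print(f"line {lineno}: {key_id} is {kind}: {flag}")
```

The scan is a detection aid for repositories and configuration files; once a hard-coded key has been found, the fix is the one the text describes: attach a role to the workload so that the SDK picks up expiring credentials itself, and deactivate the long-lived key.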
IAM in SMEs
A robust IAM strategy should be established at the outset of any AWS deployment. This includes securing the main account with multi-factor authentication, clearly defined roles for teams and applications, and the consistent avoidance of long-lived keys. If these foundations are laid early on, the environment can grow securely alongside them – cleaning up a chaotic permissions structure that has developed over time is significantly more labour-intensive.
Frequently asked questions about AWS IAM
AWS IAM is free of charge. There are no fees for users, groups, roles or policies. Costs are only incurred for the AWS services that are accessed via IAM.
An IAM user is a permanent identity with its own credentials, typically for one person. An IAM role has no permanent credentials and is assumed temporarily – by applications, AWS services or users. Roles are more secure because the credentials issued to them expire automatically.
It means that each identity receives exactly the permissions it needs for its task – no more. This limits the potential damage if access is misused. Blanket administrator permissions are an avoidable security risk.
Activate multi-factor authentication for the main account and all users, avoid daily use of the root account, assign permissions according to the least-privilege principle and replace long-lived access keys with IAM roles that issue temporary credentials.
Last updated: May 2026