IAM: Identity & Access Management

If the cloud is a building, IAM is the receptionist and security guard. It decides WHO you are (Authentication) and WHAT you can do (Authorization).

🔑 The "Who" and the "What"

👤 Users

Permanent credentials. Like a Physical Badge. Used for actual humans (employees, developers). Should represent one person.

🎭 Roles

Temporary credentials. Like a Visitor Hat. You put it on to do a specific job (e.g., "Admin Hat" or "Server Hat"), then take it off.

📜 Policies

The rules. A JSON Document attached to a User or Role that explicitly says "Allow Access to Bucket X" or "Deny Access to Database Y".

đŸ•šī¸ Simulator: The Permission Gate

Mission: The User needs to Read the data, but MUST NOT be allowed to Delete it. Configure the JSON Policy correctly.

policy.json Draft

    {
      "Effect": "Allow",
      "Action": [
      ],
      "Resource": "arn:aws:s3:::top-secret"
    }
Simulator panel: User 👤 → Bucket 📁 "Top Secret" (status: Waiting...)

> System Ready.
> Default: Implicit Deny.
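The following is an added worked solution for the mission above, not the page's own simulator code. It shows one policy document that satisfies "read but never delete" for the page's arn:aws:s3:::top-secret bucket, together with a small evaluator that applies the decision order the simulator hints at: everything starts as an implicit deny, an Allow statement is needed to get in, and an explicit Deny always wins. The evaluator is a simplified model (no Conditions, NotAction, resource policies or permission boundaries), and the object key report.csv and the "broad" second policy used in the check are constructed values.

```python
"""Added example: a least-privilege S3 policy for the "read but not delete"
mission, plus a simplified model of IAM's evaluation order
(explicit Deny > Allow > implicit Deny). Not the page's simulator code."""
import fnmatch
import json

# Identity policy for the mission: read the bucket, never delete from it.
MISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnly",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::top-secret", "arn:aws:s3:::top-secret/*"],
        },
        {
            # Explicit Deny: still wins even if some other attached policy
            # later grants "s3:*".
            "Sid": "NeverDelete",
            "Effect": "Deny",
            "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
            "Resource": ["arn:aws:s3:::top-secret", "arn:aws:s3:::top-secret/*"],
        },
    ],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Match an action or ARN against the statement's patterns.
    Actions are case-insensitive and '*'/'?' wildcards are allowed."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return "Allow" or "Deny" for one request, in simplified IAM order:
    an explicit Deny short-circuits, an Allow flips the default, and with no
    matching statement the implicit Deny stands."""
    decision = "Deny"  # Default: implicit deny.
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # Explicit deny: stop looking.
            if stmt["Effect"] == "Allow":
                decision = "Allow"
    return decision


def check_mission(policies=(MISSION_POLICY,)):
    """The permission gate: read must be allowed, delete must be denied,
    and an unrelated bucket must stay implicitly denied."""
    obj = "arn:aws:s3:::top-secret/report.csv"  # constructed object key
    return {
        "read": evaluate(policies, "s3:GetObject", obj),
        "delete": evaluate(policies, "s3:DeleteObject", obj),
        "other_bucket": evaluate(policies, "s3:GetObject", "arn:aws:s3:::other/x"),
    }


if __name__ == "__main__":
    print(json.dumps(check_mission(), indent=2))
```

Run it and the gate reports read: Allow, delete: Deny, other_bucket: Deny. The explicit Deny statement is the part worth copying: if a second, over-broad policy granting "s3:*" were attached to the same user, the delete would still be refused, whereas a policy that merely omits the delete actions would be silently overridden by that grant.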

đŸ›Ąī¸ Security Best Practices