What are the key AWS IAM concepts for certification exams?
AWS IAM exams test five core areas: IAM users (human or service identity with long-term credentials), IAM groups (collection of users sharing policies), IAM roles (temporary credentials assumed by services or users), IAM policies (JSON documents defining permissions), and the principle of least privilege. For the SAA-C03 exam, also know the difference between identity-based policies and resource-based policies, and when to use roles versus users.
AWS Identity and Access Management (IAM) is one of the most heavily tested services across all AWS certification exams. It appears in the Cloud Practitioner CLF-C02, Solutions Architect Associate SAA-C03, Developer Associate DVA-C02, SysOps Administrator SOA-C02, and Security Specialty exams. IAM questions test not just what IAM components are but how they interact and which to use in specific security scenarios.
This cheat sheet covers the IAM concepts that appear most frequently on AWS certification exams, organized for quick review.
IAM Core Components
Users, Groups, Roles, and Policies
| Component | What It Is | Credential Type | Best For |
|---|---|---|---|
| IAM User | Individual identity | Long-term (console password and/or access key + secret) | Human users, legacy apps |
| IAM Group | Collection of users | N/A (policies attached to group) | Permission management at scale |
| IAM Role | Assumable identity | Temporary (STS tokens) | AWS services, cross-account, SSO |
| IAM Policy | Permission document | N/A | Defining what is allowed or denied |
Key exam distinction: IAM Roles use temporary credentials issued by STS (Security Token Service). IAM Users use long-term access keys. For any scenario involving an EC2 instance, Lambda function, or other AWS service needing permissions, the answer is always a role, never hardcoded access keys.
"Exam questions about applications running on EC2 or Lambda that need to access S3 or DynamoDB always have the same answer: attach an IAM role to the compute resource. Never store access keys in application code or environment variables." -- AWS certification instructor guidance
IAM Policy Structure
Policy JSON Format
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadWriteObjectsUnderUploads",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/uploads/*"
    },
    {
      "Sid": "ListOnlyTheUploadsPrefix",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": ["uploads/*"]
        }
      }
    }
  ]
}
```
Every statement needs Effect, Action and Resource; Sid and Condition are optional. Object-level actions (s3:GetObject, s3:PutObject) are scoped by the object ARN, so the prefix belongs in Resource. The s3:prefix condition key only exists on s3:ListBucket requests: a GetObject/PutObject statement conditioned on s3:prefix never matches, so its Allow never applies.
Policy evaluation logic:
- Default: every request is denied (implicit deny)
- An explicit Allow in an identity-based policy (or, within the same account, a resource-based policy) grants the permission
- An explicit Deny in any applicable policy overrides every Allow and cannot be overridden by any other policy
- SCPs, permission boundaries and session policies only cap: the request must also be allowed by each of them, but an Allow in them grants nothing by itself
Policy Types and Their Scope
| Policy Type | Where Attached | Controls Access To |
|---|---|---|
| Identity-based | User, Group, Role | What that identity can do |
| Resource-based | S3 bucket, SQS queue, KMS key | Who can access that resource |
| Permission boundaries | IAM user or role | Maximum permissions the entity can ever have (caps, never grants) |
| SCP (Service Control Policy) | AWS Organizations root, OU or account | Maximum permissions for every principal in the member account, including root (caps, never grants; does not apply to the management account) |
| Session policy | AssumeRole / federation call | Temporary scope reduction for that session only |
| ACL | S3 objects and buckets (also VPC, WAF) | Legacy cross-account access at the resource level, not JSON (avoid for new designs) |
AWS Managed Policies vs. Customer Managed Policies
| Type | Who Creates | Updates | Best For |
|---|---|---|---|
| AWS Managed | AWS | AWS updates automatically | Common use cases |
| Customer Managed | You | You control updates | Organization-specific policies |
| Inline | You | Embedded in entity | Strict one-to-one relationship |
Exam guidance: Customer managed policies are preferred over inline policies because they can be reused across multiple identities. AWS managed policies like AdministratorAccess and ReadOnlyAccess are acceptable for common scenarios.
STS and Role Assumption
The AWS Security Token Service (STS) issues temporary credentials when roles are assumed.
Role assumption scenarios tested on exams:
| Scenario | Who Assumes Role | Why |
|---|---|---|
| EC2 instance accessing S3 | EC2 service | Avoids hardcoded credentials |
| Lambda accessing DynamoDB | Lambda service | Service-to-service permissions |
| Cross-account access | IAM user or role in Account A | Access resources in Account B |
| Identity federation (SSO) | External identity (SAML, OIDC) | Corporate users access AWS without IAM users |
| AssumeRoleWithWebIdentity | Cognito, Google, Facebook | Mobile app user accesses AWS resources |
Cross-Account Role Trust Policy
For a principal in Account A to access Account B's resources:
- In Account B: create the role with a trust policy whose Principal is Account A (for example arn:aws:iam::<Account A ID>:root) and whose Action is sts:AssumeRole; attach a permissions policy to the role scoping what it may do in Account B
- In Account A: create an identity-based policy allowing sts:AssumeRole on the Account B role ARN
- In Account A: attach that policy to the user or role that needs cross-account access
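The two policy documents this procedure produces, together with a check for the trust-policy mistakes that most often undo the design, as an added example (not AWS code and not from the referenced study guide). The account IDs, role name and external ID are constructed placeholders; the check treats a whole-account (:root) or wildcard principal with no Condition as a finding, which is the reviewer's judgement rather than an AWS rule.

```python
"""Cross-account role: trust policy (Account B), AssumeRole permission
(Account A), and a small trust-policy audit. Added example, not AWS code."""
import json

ACCOUNT_A = "111111111111"  # trusted account: its principals assume the role (constructed)
ACCOUNT_B = "222222222222"  # trusting account: owns the role and the resources (constructed)
ROLE_NAME = "CrossAccountS3Reader"  # constructed role name
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/{ROLE_NAME}"


def trust_policy(trusted_account, external_id=None, require_mfa=False):
    """Trust policy for the role in Account B: who may call sts:AssumeRole.
    Trusting the account's :root ARN delegates to that whole account; Account A
    must still grant sts:AssumeRole to its own users or roles."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:  # confused-deputy protection when a third party assumes the role
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


def assume_role_permission(role_arn):
    """Identity-based policy attached in Account A to the user or role that
    needs cross-account access."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def audit_trust_policy(policy):
    """Return a list of findings (empty means none) for common trust mistakes:
    a wildcard principal, or whole-account trust with no narrowing Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else principal
        aws = aws if isinstance(aws, list) else [aws]
        has_condition = bool(stmt.get("Condition"))
        for p in aws:
            if p == "*" and not has_condition:
                findings.append("Principal '*' without a Condition: any AWS account can assume this role")
            elif p.endswith(":root") and not has_condition:
                findings.append(f"whole-account trust of {p} without an sts:ExternalId, "
                                "aws:PrincipalArn or MFA condition")
    return findings


if __name__ == "__main__":
    print(json.dumps(trust_policy(ACCOUNT_A, external_id="acme-7f3c"), indent=2))
    print(json.dumps(assume_role_permission(ROLE_ARN), indent=2))
    print(audit_trust_policy(trust_policy(ACCOUNT_A)))
```

Written to a file, the first document is what goes into `aws iam create-role --role-name CrossAccountS3Reader --assume-role-policy-document file://trust.json` in Account B; the caller in Account A then runs `aws sts assume-role --role-arn <role ARN> --role-session-name <name> --external-id acme-7f3c` and receives temporary STS credentials.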
IAM Best Practices (Also Tested)
| Practice | Description |
|---|---|
| Least privilege | Grant only permissions needed for specific tasks |
| MFA for root and privileged users | Enable MFA on root account and all admin users |
| No root account use for daily tasks | Create admin IAM user; lock root account credentials |
| Rotate credentials | Rotate access keys periodically; delete unused keys |
| Use roles, not users, for services | EC2, Lambda, ECS tasks should use instance/execution roles |
| Enable CloudTrail | Log all IAM API calls for auditing |
| Use IAM Access Analyzer | Identify external access to resources |
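The "rotate credentials" row as a concrete check, added here as an example (not AWS code): it audits access-key metadata in the shape returned by `aws iam list-access-keys` (UserName, AccessKeyId, Status, CreateDate) and `aws iam get-access-key-last-used` (LastUsedDate). The key records, the as-of date and the 90/45-day thresholds are constructed for the example; a real run would feed in the API output.

```python
"""Access-key hygiene audit: flag old, never-used and idle keys, and users
whose two active keys block rotation. Added example, not AWS code."""
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotate keys older than this (assumed policy value)
MAX_IDLE_DAYS = 45      # deactivate keys unused for this long (assumed policy value)
AUDIT_AS_OF = datetime(2024, 7, 1, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample, merged from list-access-keys and get-access-key-last-used.
# LastUsedDate is None when the key has never been used. Key IDs are placeholders.
SAMPLE_KEYS = [
    {"UserName": "alice", "AccessKeyId": "AKIA0000000000000001", "Status": "Active",
     "CreateDate": datetime(2024, 5, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2024, 6, 28, tzinfo=timezone.utc)},
    {"UserName": "bob", "AccessKeyId": "AKIA0000000000000002", "Status": "Active",
     "CreateDate": datetime(2023, 11, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2024, 6, 29, tzinfo=timezone.utc)},
    {"UserName": "carol", "AccessKeyId": "AKIA0000000000000003", "Status": "Active",
     "CreateDate": datetime(2024, 3, 1, tzinfo=timezone.utc),
     "LastUsedDate": None},
    {"UserName": "carol", "AccessKeyId": "AKIA0000000000000004", "Status": "Active",
     "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc),
     "LastUsedDate": datetime(2024, 6, 30, tzinfo=timezone.utc)},
]


def audit_access_keys(keys, now, max_age_days=MAX_KEY_AGE_DAYS, max_idle_days=MAX_IDLE_DAYS):
    """Return (subject, recommendation) pairs. Inactive keys are skipped;
    per-key findings come first, then per-user findings."""
    findings = []
    active_per_user = {}
    for key in keys:
        if key["Status"] != "Active":
            continue
        active_per_user[key["UserName"]] = active_per_user.get(key["UserName"], 0) + 1
        age_days = (now - key["CreateDate"]).days
        last_used = key.get("LastUsedDate")
        if last_used is None:
            findings.append((key["AccessKeyId"], "never used: delete"))
        elif (now - last_used).days > max_idle_days:
            idle = (now - last_used).days
            findings.append((key["AccessKeyId"], f"unused {idle} days: deactivate, then delete"))
        if age_days > max_age_days:
            findings.append((key["AccessKeyId"], f"{age_days} days old: rotate"))
    # IAM allows two access keys per user; rotation needs the free slot.
    for user, count in active_per_user.items():
        if count >= 2:
            findings.append((user, "two active keys: rotation cannot start until one is removed"))
    return findings


if __name__ == "__main__":
    for subject, advice in audit_access_keys(SAMPLE_KEYS, AUDIT_AS_OF):
        print(f"{subject}: {advice}")
```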
Common Exam Scenarios and Answers
Scenario: An application on EC2 needs to read from S3. Answer: Create an IAM role with S3 read permissions and attach it to the instance through an instance profile; the application picks up the temporary credentials from the instance metadata service through the SDK credential chain.
Scenario: A developer needs temporary admin access for a specific project. Answer: Create an IAM role with admin permissions; allow the developer to assume the role with MFA required.
Scenario: Multiple AWS accounts need to share resources centrally. Answer: Use AWS Organizations with Service Control Policies; cross-account IAM roles for specific resource access.
Scenario: A company needs to ensure no IAM user can ever have admin rights, even if an admin grants them. Answer: Apply an SCP at the organizational unit level denying IAM admin actions.
Scenario: An IAM user has Allow on S3 from both a group policy and an inline policy, but a resource policy on the bucket has an explicit Deny.
Answer: The explicit deny wins. Access is denied regardless of any Allow statements.
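A small simulator of the evaluation order from "Policy evaluation logic" above, run against this scenario and its variants, as an added example (not AWS code and not the IAM Policy Simulator). It assumes the principal and resource are in the same account, treats Principal elements as matching, and understands only Effect, Action and Resource with `*` wildcards (no Condition, NotAction or NotResource); the account ID, bucket name and policies are constructed.

```python
"""Simulate IAM policy evaluation: explicit Deny wins, SCPs / permission
boundary / session policies cap, then an Allow is needed, else implicit deny.
Added example, not AWS code."""
import fnmatch


def _as_list(value):
    """Policy elements may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request.
    Actions compare case-insensitively (as IAM does), resources case-sensitively."""
    action_ok = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                    for a in _as_list(stmt.get("Action")))
    resource_ok = any(fnmatch.fnmatchcase(resource, r)
                      for r in _as_list(stmt.get("Resource")))
    return action_ok and resource_ok


def _effects(policies, action, resource):
    """Set of Effects ('Allow' / 'Deny') from every statement that matches."""
    found = set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if _statement_matches(stmt, action, resource):
                found.add(stmt["Effect"])
    return found


def evaluate(action, resource, identity_policies=(), resource_policies=(),
             permission_boundary=None, session_policies=(), scps=()):
    """Return (decision, reason). Each entry in scps is treated as the effective
    SCP of one level in the OU chain, and every level must allow."""
    identity_policies = list(identity_policies)
    resource_policies = list(resource_policies)
    caps = list(scps) + list(session_policies) + ([permission_boundary] if permission_boundary else [])
    if "Deny" in _effects(identity_policies + resource_policies + caps, action, resource):
        return "Deny", "explicit deny"
    for scp in scps:
        if "Allow" not in _effects([scp], action, resource):
            return "Deny", "not allowed by SCP"
    if permission_boundary and "Allow" not in _effects([permission_boundary], action, resource):
        return "Deny", "not allowed by permission boundary"
    for session_policy in session_policies:
        if "Allow" not in _effects([session_policy], action, resource):
            return "Deny", "not allowed by session policy"
    if "Allow" in _effects(identity_policies + resource_policies, action, resource):
        return "Allow", "explicit allow"
    return "Deny", "implicit deny"


# Constructed policies for the scenario: Allow from a group policy and an
# inline policy, explicit Deny from the bucket policy (Principal is ignored here).
GROUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::finance-reports/*"}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}
BOUNDARY_DDB_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
REPORT = "arn:aws:s3:::finance-reports/q1.csv"


def exam_scenarios():
    """The cases a candidate should be able to predict by hand."""
    return {
        "allow_vs_bucket_deny": evaluate("s3:GetObject", REPORT,
                                         [GROUP_POLICY, INLINE_POLICY], [BUCKET_POLICY]),
        "allow_without_deny": evaluate("s3:GetObject", REPORT, [GROUP_POLICY, INLINE_POLICY]),
        "capped_by_boundary": evaluate("s3:GetObject", REPORT, [GROUP_POLICY],
                                       permission_boundary=BOUNDARY_DDB_ONLY),
        "no_matching_policy": evaluate("dynamodb:GetItem",
                                       "arn:aws:dynamodb:us-east-1:123456789012:table/orders"),
    }


if __name__ == "__main__":
    for name, (decision, reason) in exam_scenarios().items():
        print(f"{name:22s} {decision:5s} ({reason})")
```

The "capped_by_boundary" case is the one candidates most often get wrong: the group policy allows s3:*, yet the request is denied because the boundary never allows S3, even though the boundary contains no Deny.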
IAM Access Advisor and Policy Simulator
IAM Access Advisor: Shows services a user, group, or role has accessed and when. Used to identify unused permissions for cleanup.
IAM Policy Simulator: Tests what actions are allowed or denied for a given identity and policy combination before applying changes, taking permission boundaries, SCPs and resource policies into account. Available in the IAM console and through the SimulatePrincipalPolicy and SimulateCustomPolicy API calls.
Frequently Asked Questions
What is the difference between an IAM role and an IAM user for AWS services? IAM users have long-term credentials (access key ID and secret access key) that do not expire. IAM roles issue temporary credentials via STS that expire after a defined period (minutes to hours). AWS services should always use roles for security reasons -- if credentials in an IAM user's access key are compromised, they remain valid until manually rotated. Temporary role credentials expire automatically.
Can an IAM user belong to multiple groups? Yes. An IAM user can belong to up to 10 groups. Permissions are the union of all group policies plus any policies directly attached to the user. If any of these policies contains an explicit Deny for an action, that Deny overrides all Allows.
What does the AWS account root user do and why should it not be used regularly? The root user has unrestricted access to all AWS services in the account and cannot be restricted by IAM policies; only an SCP on a member account in AWS Organizations can limit it. It is needed for billing setup, closing the account, changing the account's support plan and a few other tasks that require root. Regular daily use of the root user is a security anti-pattern because root credentials cannot be scoped. Protect root with MFA, lock its credentials away, and create an IAM admin user (or, better, a role reached through federation) for daily work.
References
- Amazon Web Services. (2024). IAM User Guide. https://docs.aws.amazon.com/IAM/latest/UserGuide/
- Amazon Web Services. (2024). IAM Best Practices. https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
- Amazon Web Services. (2024). AWS Security Token Service (STS). https://docs.aws.amazon.com/STS/latest/APIReference/
- Amazon Web Services. (2024). AWS SAA-C03 Exam Guide. https://aws.amazon.com/certification/certified-solutions-architect-associate/
- Piper, B., and Clinton, D. (2022). AWS Certified Solutions Architect Study Guide: Associate SAA-C03 Exam. Sybex/Wiley.
- Amazon Web Services. (2024). AWS Organizations Service Control Policies. https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
