AWS Identity for CloudOps - IAM, Federation and Access Reviews
Operate AWS identity safely with IAM roles, policies, STS, federation, IAM Identity Center, permission boundaries, Access Analyzer, and credential hygiene.
What you'll learn
- Use IAM roles instead of long-lived access keys
- Understand policy evaluation and explicit deny
- Apply permission boundaries and SCPs correctly
- Use federation and IAM Identity Center for workforce access
- Review access with IAM security tools
IAM Core Model
IAM controls who can do what to which AWS resources. Every request is evaluated as:
Principal -> Action -> Resource -> Conditions
Policy evaluation rules to remember:
- Default is deny.
- Explicit allow grants access.
- Explicit deny overrides any allow.
- SCPs and permission boundaries set ceilings; they do not grant access by themselves.
Users, Groups, and Roles
| Identity | Best use |
|---|---|
| IAM user | Rare cases requiring long-lived identity; avoid for humans where possible |
| IAM group | Attach common policies to IAM users |
| IAM role | Temporary credentials for AWS services, apps, and cross-account access |
| IAM Identity Center user | Workforce access through SSO and permission sets |
CloudOps default
Use roles and temporary credentials wherever possible. Long-lived access keys are harder to rotate and easier to leak.
STS and AssumeRole
Security Token Service returns temporary credentials when a principal assumes a role.
Common uses:
- EC2 instance role calling AWS APIs.
- Lambda execution role.
- Cross-account admin role.
- Federated user assuming a role through SAML or OIDC.
Federation and IAM Identity Center
IAM Identity Center centralizes workforce access across multiple AWS accounts in an Organization. It connects to external identity providers and assigns permission sets to users or groups.
Permission Boundaries
A permission boundary limits the maximum permissions a role or user can receive.
Use boundaries when teams can create roles but should not create unlimited administrators.
IAM policy allows ec2:* and iam:*
Permission boundary allows ec2:* only
Effective permissions: ec2:* only
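The evaluation rules above and the permission-boundary example (identity policy allows ec2:* and iam:*, boundary allows ec2:* only, effective permissions ec2:* only) can be checked mechanically. The following is an added example, not code from the page or from AWS: a deliberately simplified evaluator that implements default deny, explicit allow, explicit-deny-wins, and ceilings (SCP, boundary) that restrict but never grant. The policy statements are constructed for the example; conditions, resource policies and session policies are out of scope.

```python
from fnmatch import fnmatchcase

# Constructed policy statements (not from the page) that mirror its examples.
IDENTITY_POLICY = [{"Effect": "Allow", "Action": ["ec2:*", "iam:*"], "Resource": "*"}]
BOUNDARY = [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]
S3_WITH_EXPLICIT_DENY = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]


def _matches(patterns, value):
    """IAM-style wildcard match; a statement field may be a string or a list."""
    if not isinstance(patterns, list):
        patterns = [patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate_statements(statements, action, resource):
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.

    An explicit Deny wins as soon as it is found; otherwise any matching
    Allow turns the default (implicit deny) into allow.
    """
    result = "implicit_deny"
    for stmt in statements:
        if not (_matches(stmt.get("Action", []), action)
                and _matches(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        result = "allow"
    return result


def is_allowed(action, resource, identity_policy, boundary=None, scp=None):
    """Combine SCP and permission boundary (ceilings) with the identity policy.

    A ceiling must allow the call, but a ceiling alone never grants it: the
    identity policy still has to contain its own Allow.
    """
    for ceiling in (scp, boundary):
        if ceiling is not None and evaluate_statements(ceiling, action, resource) != "allow":
            return False
    return evaluate_statements(identity_policy, action, resource) == "allow"


if __name__ == "__main__":
    # The page's boundary example: identity allows ec2:* and iam:*, boundary allows ec2:* only.
    for action in ("ec2:RunInstances", "iam:CreateUser"):
        print(action, is_allowed(action, "*", IDENTITY_POLICY, boundary=BOUNDARY))
```

Note the two asymmetries the exam questions rely on: a boundary with ec2:* and an empty identity policy still yields no access, while a single Deny statement blocks a call that every other policy allows.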
Hands-on: Create an EC2 Role for S3 Read Access
Goal: Let an EC2 instance read one S3 bucket without storing access keys.
- Create an IAM policy allowing s3:ListBucket on the bucket and s3:GetObject on objects in the bucket.
- Create an IAM role with trusted entity AWS service and use case EC2.
- Attach the S3 read policy.
- Attach the role to an EC2 instance with Actions > Security > Modify IAM role.
- Connect to the instance.
- Test access:
```shell
aws s3 ls s3://my-cloudops-bucket
aws s3 cp s3://my-cloudops-bucket/test.txt /tmp/test.txt
```
- Confirm there are no static access keys on the instance.
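The two policy documents the steps above ask for, plus a small review check, as an added example that is not part of the page. The trust policy and the read policy are standard IAM JSON shapes; the bucket name my-cloudops-bucket comes from the page, the Sid values and the two deliberately wrong policies at the end are constructed for the example. The check encodes the caveat practitioners most often hit here: s3:ListBucket must name the bucket ARN and s3:GetObject must name object ARNs (bucket/*), or the call fails with AccessDenied even though the policy "looks" right.

```python
import json

# Trust policy: lets the EC2 service assume the role on behalf of the instance.
TRUST_POLICY_FOR_EC2 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}


def s3_read_policy(bucket):
    """Least-privilege read policy: ListBucket on the bucket ARN, GetObject on object ARNs."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "ListOneBucket", "Effect": "Allow",
             "Action": "s3:ListBucket", "Resource": bucket_arn},
            {"Sid": "ReadObjects", "Effect": "Allow",
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
        ],
    }


def policy_problems(policy):
    """Return review findings for a read-only S3 policy; an empty list means it passes."""
    problems = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        sid = stmt.get("Sid", "<no Sid>")
        for a in actions:
            if a in ("*", "s3:*") or a.startswith(("s3:Put", "s3:Delete")):
                problems.append(f"{sid}: action {a} is broader than read access")
        for r in resources:
            if r == "*":
                problems.append(f"{sid}: resource * is not scoped to one bucket")
            # ListBucket only matches the bucket ARN; GetObject only matches object ARNs.
            if "s3:ListBucket" in actions and r.endswith("/*"):
                problems.append(f"{sid}: s3:ListBucket on an object ARN never matches")
            if "s3:GetObject" in actions and "/" not in r:
                problems.append(f"{sid}: s3:GetObject needs an object ARN (bucket/*)")
    return problems


# Constructed counter-examples for the check (not from the page).
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "TooWide", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
MISSCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Wrong", "Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::my-cloudops-bucket/*"}]}

if __name__ == "__main__":
    print(json.dumps(s3_read_policy("my-cloudops-bucket"), indent=2))
    print(policy_problems(MISSCOPED_POLICY))
```

Save the two documents to files and pass them to aws iam create-role --assume-role-policy-document and aws iam put-role-policy --policy-document if you prefer the CLI to the console steps above; the checks run the same either way.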
Hands-on: Generate and Review IAM Credential Report
- Open IAM > Credential report.
- Generate the report.
- Download the CSV.
- Review users without MFA, active access keys older than 90 days, unused console passwords, and root account access keys.
- Create remediation tasks to enable MFA, rotate or delete old keys, and remove unused users.
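Step 4 above is the part that does not scale by eye once an account has more than a handful of users. The following is an added example, not from the page or from AWS: it parses the credential report CSV and applies exactly the four checks the step lists (no MFA, active keys older than 90 days, unused console passwords, root access keys). The column names are the ones the real report uses, but the rows are constructed sample data covering a subset of its columns, and the "as of" date is fixed so the results are reproducible.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the credential report layout (subset of its columns).
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-05-01T09:12:00+00:00,true,true,2021-03-03T10:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-05-02T09:00:00+00:00,true,true,2024-04-01T08:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,no_information,false,true,2021-06-01T08:00:00+00:00,false,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,false,N/A,false,true,2023-01-01T08:00:00+00:00,true,2024-04-20T08:00:00+00:00
"""

AS_OF = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def parse_timestamp(value):
    """The report writes N/A, no_information or not_supported where no date exists."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def _older_than(ts, days, as_of):
    return ts is not None and (as_of - ts) > timedelta(days=days)


def review_credential_report(csv_text, as_of=AS_OF, max_age_days=90):
    """Return {user: sorted findings}; users with nothing to remediate are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["user"]
        hits = []
        if user == "<root_account>":
            # Any active root access key is a finding regardless of age.
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                hits.append("root_access_key")
            if row["mfa_active"] != "true":
                hits.append("no_mfa")
        else:
            console = row["password_enabled"] == "true"
            if console and row["mfa_active"] != "true":
                hits.append("no_mfa")
            last_pw_use = parse_timestamp(row["password_last_used"])
            if console and (last_pw_use is None or _older_than(last_pw_use, max_age_days, as_of)):
                hits.append("unused_console_password")
            for n in ("1", "2"):
                rotated = parse_timestamp(row[f"access_key_{n}_last_rotated"])
                if row[f"access_key_{n}_active"] == "true" and _older_than(rotated, max_age_days, as_of):
                    hits.append(f"old_access_key_{n}")
        if hits:
            findings[user] = sorted(hits)
    return findings


if __name__ == "__main__":
    for user, hits in review_credential_report(SAMPLE_REPORT).items():
        print(f"{user}: {', '.join(hits)}")
```

On a real report, replace SAMPLE_REPORT with the downloaded CSV contents and pass datetime.now(timezone.utc) as as_of; each finding maps directly onto one of the remediation tasks in step 5.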
Hands-on: Find External Access with IAM Access Analyzer
- Open IAM Access Analyzer.
- Create an account or organization analyzer.
- Review findings for public S3 buckets, cross-account KMS keys, and SQS/SNS policies shared externally.
- Archive expected findings with a reason.
- Fix unexpected findings by tightening the resource policy.
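What Access Analyzer does for resource policies can be illustrated on a single bucket policy. The following is an added example, not from the page and not Access Analyzer's own logic: it walks the Allow statements of a policy and reports principals that are public ("*") or belong to accounts outside a trusted set, which plays the role of the archived, expected findings. The bucket policy, the account IDs 111122223333 and 444455556666, and the organization ID placeholder are constructed for the example. One simplification is labelled in the code: a "*" principal guarded by an aws:PrincipalOrgID condition is treated as org-internal rather than public.

```python
import re

# Matches an account ID on its own or inside an IAM ARN (root, user or role).
ACCOUNT_RE = re.compile(r"^(?:arn:aws:iam::)?(\d{12})(?::root|:user/.*|:role/.*)?$")

# Constructed bucket policy (not from the page); OWN_ACCOUNT owns the bucket.
OWN_ACCOUNT = "111122223333"
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OwnAccount", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudops-bucket/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::444455556666:role/reader"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudops-bucket/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-cloudops-bucket",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-cloudops-bucket/*"},
        {"Sid": "LogDelivery", "Effect": "Allow",
         "Principal": {"Service": "logging.s3.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::my-cloudops-bucket/logs/*"},
    ],
}


def _principal_entries(principal):
    """Flatten the Principal field ("*", or {kind: value-or-list}) into (kind, value) pairs."""
    if principal == "*":
        return [("AWS", "*")]
    entries = []
    for kind, values in principal.items():
        for v in (values if isinstance(values, list) else [values]):
            entries.append((kind, v))
    return entries


def _is_org_scoped(stmt):
    """Simplification: a Condition on aws:PrincipalOrgID keeps a '*' principal inside the org."""
    for operator in stmt.get("Condition", {}).values():
        if "aws:PrincipalOrgID" in operator:
            return True
    return False


def find_external_access(policy, trusted_accounts):
    """List Allow statements granting access to principals outside trusted_accounts."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":   # Deny statements only restrict access
            continue
        for kind, value in _principal_entries(stmt.get("Principal", {})):
            if kind != "AWS":               # Service / Federated principals are reviewed separately
                continue
            if value == "*":
                if not _is_org_scoped(stmt):
                    findings.append({"sid": stmt.get("Sid"), "principal": value, "kind": "public"})
                continue
            m = ACCOUNT_RE.match(value)
            if m and m.group(1) not in trusted_accounts:
                findings.append({"sid": stmt.get("Sid"), "principal": value, "kind": "cross_account"})
    return findings


if __name__ == "__main__":
    for f in find_external_access(SAMPLE_BUCKET_POLICY, {OWN_ACCOUNT}):
        print(f"{f['kind']:>14}  {f['sid']}: {f['principal']}")
```

Adding a partner account to trusted_accounts is the equivalent of archiving its finding with a reason; the PublicRead statement stays flagged until the policy itself is tightened, which is the order of operations steps 4 and 5 describe.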
Common SOA-C03 Exam Questions
Q: What overrides every allow? An explicit deny.
Q: How should EC2 call S3 securely? Attach an IAM role to the instance. Do not store access keys on disk.
Q: What service is best for workforce SSO across many AWS accounts? IAM Identity Center.
What to Learn Next
- AWS Account Management - SCPs and Organizations
- AWS Security & Compliance - Access Analyzer, GuardDuty, Security Hub
- AWS Systems Manager - role requirements for managed nodes
