Why it matters

IAM misconfiguration is the top cloud security failure. Public S3 buckets, overly-permissive roles, hardcoded access keys — most cloud breaches are IAM mistakes.

Advertisement

The architecture

Users are permanent identities (human or service). They have long-lived credentials (access keys). Users are the most common source of breach because keys leak.

Roles are assumed identities with temporary credentials. Applications running on EC2 get credentials via instance profiles. Federated users assume roles via SAML/OIDC. Roles are safer than users because credentials are short-lived.

IAM primitivesUserslong-lived keysRolesassumed, temp credsPoliciesJSON permissionsPrefer roles + STS for services; users only for humans (via SSO) or last-resort automation
IAM entities and permission model.
Advertisement

How it works end to end

Policies are JSON documents listing allowed and denied actions on resources. Attached to users, groups, or roles. Managed policies (AWS-provided) cover common cases; custom policies for specific needs.

STS (Security Token Service) issues temporary credentials for assumed roles. Expiry is typically 1 hour, configurable up to 12 hours.

Permission boundaries limit the maximum permissions a role can have, even if additional policies grant more. Used to delegate role management safely.