An Introduction to AWS IAM

Looking to set up permissions for your AWS bucket? Get your feet wet with this intro into Amazon's IAM roles, including how to build one yourself.


AWS IAM is a web service that gives you secure, controlled access to AWS services for your users. IAM policies specify which services and actions are allowed or denied. You attach policies to groups, users, and roles, which are then subject to the permissions you define. In other words, IAM policies define what a user can do with your AWS services.

IAM stands for Identity and Access Management; it controls which user has access to which services.

Policies can be created either programmatically through the AWS API or from the AWS Management Console. IAM gives you the following features:

  • Shared access to your AWS account.

  • Granular permissions.

  • Secure access to your AWS resources.

  • Identity information.

  • Integration with many AWS services.

  • Free to use.

Ways to Access IAM

  • AWS management console.

  • AWS CLI.

  • AWS SDKs.


When to Create an IAM User

  • You created an AWS account and you are the only person who works in it.

  • Create an IAM user for each individual who needs access to your AWS resources. Assign appropriate permissions to each user and give each user his/her own credentials.

  • When you want to use the AWS CLI to work with AWS. The CLI needs credentials to make calls to AWS, so create an IAM user and give that user permission to run the CLI.

Use Case

Allow each IAM user access to his/her own object in a bucket

In the above diagram, each user has access to his/her object in the bucket.

Instead of attaching policies to each user, policies can be attached at the group level, and users are then added to that group. The following policy allows a set of Amazon S3 permissions in the bucketName/${aws:username} folder. When the policy is evaluated, the ${aws:username} variable is replaced by the name of the user making the request.

For example, if Vikas sends a request to put an object, the operation is allowed only if Vikas is uploading to the bucketName/Vikas folder. The policy below grants the object-level S3 actions on that per-user prefix:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
        }]
    }

Note: When using a policy variable such as ${aws:username}, you must specify the version in the policy; only the "2012-10-17" policy language interprets variables, and under the older version the text is treated literally.

The Version element specifies the version of the policy language, and it must appear before the Statement element. In this case, our version is "2012-10-17".


The Statement element is the main element of the policy and is required. It contains an array of individual statements, each of which is a JSON block enclosed in braces { }.

The Effect element is required and specifies whether the statement results in an allow or an explicit deny. Its valid values are Allow and Deny.

The Action element describes the specific action or actions that are allowed or denied. Each AWS service has its own set of actions describing the tasks you can perform with that service.

The Resource element specifies the object or objects that the statement covers. Statements must include either a Resource or a NotResource element. You specify a resource using an ARN.
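To make the evaluation described above concrete (the per-user folder policy, the role of the Version element, and how Effect, Action and Resource combine), here is a small added example, not code from the original article or from AWS: a pure-Python evaluator that applies IAM's core rules (implicit deny by default, a matching Allow grants, a matching Deny wins over any Allow) to one request at a time. The embedded policy is a constructed example in the same shape as the one above; the `evaluate` and `can_put` helpers and the `PER_USER_POLICY` name are assumptions of this example, and the evaluator deliberately ignores conditions, principals and NotAction/NotResource so the interplay of the elements discussed here stays visible.

```python
"""Mini IAM policy evaluator for the per-user S3 folder pattern (added example)."""
import fnmatch
import json
import re

# Constructed example policy (not the article's exact snippet): a group policy
# that scopes S3 object actions to a folder named after the calling user.
PER_USER_POLICY = json.loads("""
{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource": "arn:aws:s3:::examplebucket/${aws:username}/*"
    }]
}
""")

# Policy variables such as ${aws:username} are only interpolated when the
# policy declares Version 2012-10-17; under the older language version the
# text is kept literally, so the per-user folder restriction never matches.
VARIABLE_VERSION = "2012-10-17"
_VAR_RE = re.compile(r"\$\{([a-zA-Z0-9:]+)\}")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _interpolate(text, version, context):
    """Replace ${var} with the request context value when the version allows it."""
    if version != VARIABLE_VERSION:
        return text
    return _VAR_RE.sub(lambda m: context.get(m.group(1), m.group(0)), text)


def _matches(pattern, value, version, context):
    """IAM patterns use '*' and '?' wildcards; fnmatch has the same shape
    (it also treats '[' specially, which our constructed ARNs do not use)."""
    return fnmatch.fnmatchcase(value, _interpolate(pattern, version, context))


def evaluate(policy, action, resource_arn, username):
    """Return "Allow" or "Deny" for one request: implicit deny by default,
    any matching Allow grants, and any matching Deny overrides every Allow."""
    version = policy.get("Version", "2008-10-17")  # AWS default when omitted
    context = {"aws:username": username}
    decision = "Deny"  # implicit deny until an Allow statement matches
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_matches(a, action, version, context)
                         for a in _as_list(stmt.get("Action", [])))
        resource_hit = any(_matches(r, resource_arn, version, context)
                           for r in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        decision = "Allow"
    return decision


def can_put(username, key, policy=PER_USER_POLICY):
    """Would `username` be allowed to s3:PutObject the given key in examplebucket?"""
    arn = f"arn:aws:s3:::examplebucket/{key}"
    return evaluate(policy, "s3:PutObject", arn, username) == "Allow"


if __name__ == "__main__":
    print(can_put("Vikas", "Vikas/report.csv"))  # own folder: True
    print(can_put("Vikas", "Alice/report.csv"))  # someone else's folder: False
```

Two behaviours worth trying: drop the Version back to "2008-10-17" and the same upload by Vikas to his own folder is denied, because `${aws:username}` is no longer substituted; add a second statement with `"Effect": "Deny"` on a sub-prefix and it overrides the group Allow for that prefix, which is how you carve protected areas out of an otherwise permissive grant.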

That's all for now.

If you have any questions or suggestions, leave a comment below. Stay tuned for the next blog post on cloud.
