AWS IAM

Fine-grained access control for every AWS resource.

Overview

Identity and Access Management lets you create users, groups, roles and policies that govern who can do what on which AWS resource. Every other AWS service relies on it to authorize requests, so it is the foundation of the whole platform.

When to use it

  • Always. Every workload needs IAM identities and policies.
  • Cross-account access via roles
  • Granting temporary credentials to CI runners

Setup

  1. Create users only for humans; prefer SSO / Identity Center for organizations.
  2. Create roles for workloads (EC2, Lambda, CI).
  3. Write JSON policies — start with AWS-managed, refine to least privilege.
  4. Enable MFA on the root account and all human users.

How to use

Sample policy: read-only access to one S3 bucket (ListBucket applies to the bucket ARN, GetObject to the objects under it)

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::qa-artifacts", "arn:aws:s3:::qa-artifacts/*"]
  }]
}

Assume a role (returns temporary credentials for the session)

aws sts assume-role --role-arn arn:aws:iam::111122223333:role/QaCiRole --role-session-name ci

QA use cases

  • Provision an OIDC-based role so GitHub Actions can deploy and run tests without long-lived keys.
  • Create read-only roles for QA engineers to inspect prod logs without write access.
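Two checks a reviewer would run over policies like the ones above before attaching them, as an added example that is not part of this page or any AWS tooling: a least-privilege lint for permission policies (wildcard actions or a `Resource` of `*`) and a lint for GitHub Actions OIDC trust policies that verifies the token audience and repository subject are pinned. The trust policy, the `example-org/example-repo` slug and the account id (AWS's documentation example) are constructed here; the function names are my own.

```python
"""Lint IAM policies for least privilege and GitHub OIDC trust scoping."""

GITHUB_ISSUER = "token.actions.githubusercontent.com"

# Constructed sample: trust policy for a GitHub Actions deploy role. The account id is
# AWS's documentation example; the org/repo slug is a hypothetical placeholder.
GITHUB_OIDC_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{GITHUB_ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {f"{GITHUB_ISSUER}:aud": "sts.amazonaws.com"},
            "StringLike": {f"{GITHUB_ISSUER}:sub": "repo:example-org/example-repo:*"},
        },
    }],
}

def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def lint_permissions(policy):
    """Flag Allow statements that grant wildcard actions or apply to every resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings

def lint_oidc_trust(trust_policy):
    """Flag web-identity trust statements that do not pin the token audience and repository."""
    findings = []
    for i, stmt in enumerate(trust_policy.get("Statement", [])):
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        sub = next((b[f"{GITHUB_ISSUER}:sub"] for b in cond.values() if f"{GITHUB_ISSUER}:sub" in b), None)
        if not any(f"{GITHUB_ISSUER}:aud" in b for b in cond.values()):
            findings.append(f"statement {i}: no aud condition, any token audience is accepted")
        if not sub or sub == "*" or sub.startswith("repo:*"):
            findings.append(f"statement {i}: sub not pinned to a repository")
    return findings
```

Run both linters in CI against every policy document before `aws iam create-policy` or `update-assume-role-policy`; an empty findings list is the gate for attaching it.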