Cloud Security

Fundamental Cloud Security Part 9 – Identity Management in AWS

This document addresses another important aspect of cloud security – Identity Management. As the concepts and terms might be different between cloud providers, this document concentrates on AWS and provides an overview of some of the key security services and resources it provides to cloud architects.

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.


Identities in AWS are managed using a service called AWS IAM (Identity and Access Management).

This service is global rather than regional: each user, group, policy and role is configured once and applies in every AWS region.

Root user

This is the initial administrator identity inside an AWS account. It has full privileges over the entire AWS account, including the ability to close or disable the account itself.

It is strongly recommended to create an additional IAM user with full admin privileges for day-to-day administration, and to protect the Root user credentials with a strong password and MFA (Multi-Factor Authentication).

IAM Role

An identity with specific permissions and policies. A role can be assigned to a user, a group, or even an EC2 instance.

IAM Policy

A permission document in JSON format that defines which actions an identity is allowed or denied to perform, and on which resources.

MFA (Multi-Factor Authentication)

AWS IAM supports strong authentication using either a virtual (software) MFA device, such as Google Authenticator, or a hardware OTP (one-time password) device.

For best practice, it is strongly recommended to enable MFA for any privileged identity inside an AWS account.

Access Keys

AWS allows connecting to resources using either an SDK (programmatic access) or command-line tools.

To support this, AWS allows access using a combination of an “access key” and a “secret access key” as credentials.

For best practice, it is strongly recommended to remove unused access keys and to rotate active access keys on a scheduled interval (according to the organization's policy).
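The policy document, MFA and access-key sections above come together in IAM's decision logic: every request is denied by default, an explicit Deny always wins, and conditions such as aws:MultiFactorAuthPresent decide whether a statement applies at all. The following is an added example (not AWS code, and not from this post): a simplified evaluator for IAM policy JSON, run against a constructed policy that grants full access but denies everything unless the caller authenticated with MFA. It assumes only the Bool/BoolIfExists condition operators and treats resource matching as case-insensitive, which is a simplification of real IAM.

```python
"""Simplified AWS IAM policy evaluator (added example, not AWS code). Real IAM
adds many more condition operators and layers (SCPs, boundaries, resource policies)."""
import fnmatch
import json

# Constructed sample policy: full access, but denied unless the caller signed in
# with MFA; the NotAction carve-out lets a user still set up an MFA device.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "NotAction": ["iam:ListMFADevices", "iam:EnableMFADevice"], "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM's * and ? wildcards map onto fnmatch; matching is done case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def _condition_met(condition, context):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            wanted = [str(e).lower() for e in _as_list(expected)]
            if key in context and str(context[key]).lower() not in wanted:
                return False
            if key not in context and not operator.endswith("IfExists"):
                return False  # plain Bool fails on a missing key; ...IfExists passes
    return True

def _applies(stmt, action, resource, context):
    action_ok = (_matches(stmt["Action"], action) if "Action" in stmt
                 else not _matches(stmt["NotAction"], action))
    return (action_ok and _matches(stmt.get("Resource", []), resource)
            and _condition_met(stmt.get("Condition", {}), context))

def evaluate(policy_json, action, resource, context=None):
    """Return 'Allow' or 'Deny' for one request; the default is Deny."""
    decision = "Deny"
    for stmt in json.loads(policy_json)["Statement"]:
        if _applies(stmt, action, resource, context or {}):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision
```

A request signed with a long-term access key carries no aws:MultiFactorAuthPresent key in its context, so under this policy it is denied, which is exactly the effect the MFA recommendation above aims for.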



About the author

Eyal Estrin, cloud architect.
