AWS Identity and Access Management (IAM)
IAM is the AWS service that lets you securely control who can access your AWS resources and what they are allowed to do with them.
Simple Definition
IAM = Identity + Access Control System
- Identity → Who (user/role)
- Access → What they can do (permissions)
Core Components of IAM
Users
- Individual identities for people or applications
- Example: Admin, Developer
Groups
- Collection of users
- Assign the same permissions to multiple users at once
Policies
- JSON documents that define permissions
- Examples:
  - S3 read-only access
  - EC2 full access
Roles
- Provide temporary credentials
- Assumed by AWS services, IAM users, or external/federated identities
- No long-term password or access key required
How IAM Works
- Authentication (AuthN) → Verifies who you are (login)
- Authorization (AuthZ) → Defines what you are allowed to do
Real Example
- Developer → Only EC2 access
- Admin → Full access
IAM enforces these permissions
One-Line Summary
IAM = Control over who can access AWS and what they can do
AWS Multi-Factor Authentication Setup (MFA device screen)
You have 3 options:
1. Passkey or Security Key (Recommended by AWS)
Uses:
- Fingerprint / face unlock
- Physical security key (such as a USB key)
- Pro: most secure (phishing-resistant)
- Con: needs a supported device and browser
2. Authenticator App (Best choice for most users)
Uses a mobile app such as:
- Google Authenticator
- Microsoft Authenticator
Generates a 6-digit time-based code (TOTP)
This is the easiest and most commonly used option
3. Hardware TOTP Token
Physical device that generates the code
Rarely used (cost involved)
What you should do (Recommended)
Select:
Authenticator app
Next Steps (Very Important)
- Select Authenticator app
- Click Next
- You will see a QR code
- Open Google Authenticator on your phone
- Scan the QR code
- Enter 2 consecutive codes
- Click Add MFA
Pro Tip
A device name like MyMFASumit is fine
Always enable MFA for:
- Root account (most important)
- IAM users
Common Mistakes
- Entering the wrong code
- Time mismatch on the phone (TOTP codes are derived from the clock)
Fix:
- Turn on automatic time sync on the phone
One-Line
Choose Authenticator App → Scan QR → Enter OTP → Done
Step-by-Step MFA Setup (Next Screen)
Step 1: Select Authenticator App
On your screen:
- "Passkey or security key" is currently selected
Change it to:
Authenticator app
Step 2: Click Next
Click the Next button (bottom right)
Step 3: QR Code Screen
You will now see:
- A QR code
- A manual setup key (backup; it is the same secret the QR code encodes)
Step 4: Use Mobile App
On your phone:
- Open Google Authenticator
- Tap + (Add account)
- Choose Scan QR Code
- Scan the QR code from AWS
Step 5: Enter OTP Codes
After scanning:
- You will get a 6-digit code that changes every 30 seconds
In AWS:
- Code 1 → Enter the current OTP
- Wait ~30 seconds for the code to change
- Code 2 → Enter the new OTP
Step 6: Add MFA
Click:
Add MFA / Assign MFA
Important Tips
- Turn ON automatic time sync on your phone
- Don't enter the same OTP twice
- Save the backup key somewhere safe (it is a secret: anyone holding it can generate your codes)
Final Result
MFA will be enabled
Next login = Password + OTP required
Click Next to move to the QR code screen.
What to do AFTER clicking Next
When the next screen appears, you should see:
- QR code
- 2 input boxes for OTP
Then follow this:
On your phone:
- Open Google Authenticator
- Tap + (Add)
- Select Scan QR Code
- Scan the QR shown on AWS
On the AWS screen:
- Enter Code 1 → current OTP
- Wait ~30 seconds
- Enter Code 2 → next OTP
Final Step:
Click Add MFA
If something goes wrong:
- OTP not working → Turn ON automatic time sync
- Code expired → wait for the next code
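Added example (written for these notes; it is not AWS's or Google Authenticator's code): a minimal RFC 6238 TOTP implementation in Python that shows why the two enrolment codes must come from consecutive 30-second periods and why a phone clock that is off makes AWS reject the code. The setup key is the RFC 6238 test secret in base32, a constructed value and not a real AWS setup key.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed secret: the RFC 6238 test key, base32-encoded the way the AWS
# "manual setup key" is shown. It is NOT a real AWS setup key.
EXAMPLE_SETUP_KEY = base64.b32encode(b"12345678901234567890").decode()

PERIOD = 30  # seconds per code: the reason the notes say "wait ~30 seconds"
DIGITS = 6   # authenticator apps show 6-digit codes


def totp_at(setup_key_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), exactly what the phone app computes from its clock."""
    key = base64.b32decode(setup_key_b32.replace(" ", "").upper())
    counter = unix_time // PERIOD  # the phone and AWS both derive this from the time
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_code(setup_key_b32: str, code: str, server_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current period or +/- `window` periods.
    A phone whose clock is off by more than window * PERIOD seconds fails here,
    which is the "time mismatch" failure the notes describe."""
    return any(
        hmac.compare_digest(totp_at(setup_key_b32, server_time + PERIOD * k), code)
        for k in range(-window, window + 1)
    )


def two_consecutive_codes(setup_key_b32: str, unix_time: int) -> tuple:
    """The two codes AWS asks for at enrolment: this period's code and the next one."""
    return totp_at(setup_key_b32, unix_time), totp_at(setup_key_b32, unix_time + PERIOD)


if __name__ == "__main__":
    now = int(time.time())
    code1, code2 = two_consecutive_codes(EXAMPLE_SETUP_KEY, now)
    print("code 1:", code1, "code 2:", code2)
    print("synced phone accepted:", verify_code(EXAMPLE_SETUP_KEY, code1, now))
    slow_phone_code = totp_at(EXAMPLE_SETUP_KEY, now - 180)  # phone clock 3 minutes behind
    print("phone 3 min slow accepted:", verify_code(EXAMPLE_SETUP_KEY, slow_phone_code, now))
```

Entering the same code twice fails because the second box expects the next period's value, and a phone more than one period out of sync produces codes the server never computes.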
Let's go step by step with interview questions, a real use case, and a policy example
IAM Interview Questions (with short answers)
1. What is IAM?
AWS Identity and Access Management is a service to manage access to AWS resources securely.
2. What is the difference between Authentication and Authorization?
- Authentication (AuthN) → Who are you (login)
- Authorization (AuthZ) → What you can do (permissions)
3. What are IAM Policies?
JSON documents that define permissions (Allow/Deny actions on resources)
4. What is an IAM Role?
Provides temporary access without using a username/password
5. What is MFA?
Multi-Factor Authentication adds an extra security layer (OTP + password)
6. What is the principle of least privilege?
Give only the minimum permissions required
Real DevOps Use Case
Scenario:
You have a team:
- Developers
- DevOps Engineers
- Admin
Solution using IAM:
- Create IAM Users
- Create Groups
  - Dev → EC2 + S3 access
  - DevOps → Full infra access
  - Admin → Full access
Use Roles:
- EC2 instance → access S3 using an IAM Role attached to the instance (instance profile)
No need to store credentials on the instance (more secure)
IAM Policy Example (JSON)
Example: S3 Read-Only Access
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": "*"
    }
  ]
}
Explanation
- Effect → Allow/Deny
- Action → Which API actions are allowed
- Resource → Which resources the actions apply to ("*" means every bucket and object; for least privilege, replace it with the specific bucket ARN and its objects)
Best Practices (Important)
- Enable MFA for all users
- Don't use the root account for daily work
- Use Roles instead of long-lived access keys
- Follow least privilege
- Rotate credentials regularly
Final One-Line
IAM = Security backbone of AWS (who + what control)
Scenario-Based Interview Questions
Q1: Someone deleted an EC2 instance. How will you find who did it?
Answer:
Use AWS CloudTrail to check the logs
Q2: A developer should access S3 but not delete objects. What will you do?
Answer:
Create an IAM policy → Allow read, Deny delete
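Added example (written for these notes; it is not AWS's evaluation engine): the Q2 policy written out in JSON, plus a small Python evaluator that shows why the answer says "Deny delete" rather than simply leaving delete out: an explicit Deny overrides any Allow the developer might pick up from another attached policy, such as a group policy. The bucket name is a placeholder.

```python
import fnmatch
import json

# Constructed policy for the Q2 scenario (not from the notes or from AWS docs):
# allow listing and reading one bucket, explicitly deny deleting from it.
# "example-team-bucket" is a placeholder bucket name.
READ_NOT_DELETE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-team-bucket"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-team-bucket/*"},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
     "Resource": "arn:aws:s3:::example-team-bucket/*"}
  ]
}
""")


def _matches(patterns, value):
    """IAM-style wildcard match: Action and Resource may be a string or a list, with '*' and '?'."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policies, action, resource):
    """Simplified IAM evaluation logic (identity policies only, no conditions or NotAction):
    an explicit Deny in any policy wins over every Allow; no matching statement is an
    implicit deny. Returns "Allow", "Deny" or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return "Deny"  # explicit deny short-circuits everything else
                decision = "Allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-team-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject"):
        print(act, "->", evaluate([READ_NOT_DELETE_POLICY], act, obj))
```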
Q3: You don't want to store credentials in EC2. What is the solution?
Answer:
Use an IAM Role
Q4: CPU usage crosses 80%. How will you get notified?
Answer:
Use an Amazon CloudWatch alarm
Q5: How do you secure an AWS account from hacking?
Answer:
- Enable MFA
- Use strong passwords
- Least privilege
- Avoid root usage
Pro Tip (Interview Killer)
Always say:
- "Use IAM for access control"
- "Use CloudTrail for auditing"
- "Use CloudWatch for monitoring"
Final One-Line Summary
IAM + CloudTrail + CloudWatch = Complete AWS Security + Monitoring System
