IAM is the most important security service in AWS

To protect the resources inside an AWS account you need to manage who can do what. The IAM service defines who can access the account and what is allowed and what is not.

But access control is not easy. There are many concepts, such as principals and policies, that seem overwhelming at first.

This book is a comprehensive yet practical guide for access control in AWS.

Want a sneak peek? Sign up for free chapters here:

"IAM is too complicated!"

Then this book is for you.

When I started out with AWS I felt it was an obstacle, making everything a lot harder than necessary. Everything was hidden behind some technical jargon and it wasn't intuitive at all where to configure things. Then its JSON policy structure required a lot of searching for solutions. IAM was in my way whatever I wanted to do.

After a bit of learning, I started to see the underlying logic behind all those obscure terminology that felt so distant at first. The identities, the types and structure of the policies all fit into a bigger picture that defines the security posture of an account.

Access control is the foundation of security

AWS offers several other security services: Security Hub, Config, CloudTrail, GuardDuty, to name a few. They are great to detect problems or help with investigations.

But all of them are in the second line. The security of an account depends on the configuration of who can do what. Intrusion detection and logging are secondary to access control.

Learn how to use AWS IAM

This book has all the information in an easy-to-follow format to understand IAM and use it effectively. You'll learn:

  • How to grant access using users and roles
  • How to write policies to define what is allowed and what is not
  • What is the policy evaluation logic and how IAM determines access

...and more!


Table of contents

Access control basics
 Where IAM controls access
 Access elements
   IAM Users
   IAM Roles
   Special Principals
 CloudTrail logging

IAM Policies
    Multiple values
   Other types
 Policy types
  Identity-based policies
   Inline and managed policies
  Resource-based policies
  Service Control Policy (SCP)
  Session policy
  Permissions boundary
 Visual editor

Evaluation flow
 Step 1: Build the request context
 Step 2: Collect all applicable policies
 Step 3: Run the evaluation logic

Evaluation examples
 Identity policies to allow access
 Resource policy to deny access
  Resource policy to allow access
 Using conditions
  Tag-based access control
 Restricted resources

How to secure an AWS account
 Security as an AWS administrator
  Do not reuse credentials
  Minimize the number of policies
  Use separate accounts via Organizations
  Implement least privilege
  Minimize transitive permissions
  Use monitoring and logging
 Security as a developer
  Follow an additive permission strategy
  Use roles instead of users where possible
  Maintain an identical test environment
  Automate security checks


About the author
Tamás Sallai

I'm a software developer focusing mostly on cloud computing and web technologies. I'm especially interested in how to handle edge cases to end up with dependable software.

One of my main focus is security and how each part affects the whole system. I'm an AWS-certified security specialist.

Get the book

The book is available from these stores: