AWS IAM

An authentication and authorization service for securely controlling access to AWS resources, providing fine-grained access management through users, groups, roles, and policies

Overview

AWS Identity and Access Management (IAM) is a service for securely managing access to AWS resources. By creating IAM users, groups, and roles and defining access permissions with JSON-based policies, you can precisely control who can perform what actions on which resources. IAM is available at no additional charge and is built into every AWS account by default. It includes security features such as multi-factor authentication (MFA) enforcement, password policy configuration, and access key rotation. IAM roles let you grant temporary credentials to EC2 instances and Lambda functions, eliminating the need to manage long-lived access keys. IAM Access Analyzer automatically detects resources accessible from outside your account and identifies unintended access permissions.

Policy Evaluation Logic and Practicing Least Privilege

The most important principle in IAM policy design is least privilege: grant only the minimum permissions a task requires and never assign permissions that are not needed. IAM evaluates policies in a fixed order: every request is implicitly denied by default, an explicit Allow in an applicable policy overrides that default, and an explicit Deny overrides any Allow, so a Deny always wins. There are two types of policies: identity-based policies (attached to users, groups, and roles) and resource-based policies (such as S3 bucket policies and SQS queue policies). AWS managed policies are convenient for quick setup but often include more permissions than needed, so creating customer managed policies that define only the minimum required permissions is recommended. The Condition element lets you restrict when a statement applies based on criteria such as source IP address, MFA authentication status, and request time. Use IAM Access Advisor to review which services each user or role has actually accessed, and remove unused permissions on a quarterly cycle.
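As an added illustration (not AWS code and not part of the original page), the following Python simulator applies the evaluation order above to a constructed pair of policies: a customer managed read policy whose delete statement carries an IpAddress condition, and a Deny-everything guardrail conditioned on aws:MultiFactorAuthPresent. It models only the Bool and IpAddress condition operators and omits NotAction/NotResource.

```python
import fnmatch
import ipaddress

def _match_any(patterns, value, fold_case=False):
    # IAM wildcards ('*', '?') via fnmatch; actions compare case-insensitively, ARNs do not.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    # Every operator/key pair in a Condition block must hold (logical AND).
    for operator, pairs in condition.items():
        if operator not in ("Bool", "IpAddress"):
            raise ValueError(f"operator not modelled here: {operator}")
        for key, expected in pairs.items():
            actual = context.get(key)   # a key absent from the request fails both operators, as in IAM
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False
            if operator == "IpAddress" and (actual is None or not any(
                    ipaddress.ip_address(actual) in ipaddress.ip_network(n)
                    for n in ([expected] if isinstance(expected, str) else expected))):
                return False
    return True

def evaluate(policies, action, resource, context=None):
    # 'Allow' or 'Deny' for one request across all attached policies (NotAction/NotResource not modelled).
    context, allowed = context or {}, False
    for stmt in (s for p in policies for s in p["Statement"]):
        if not (_match_any(stmt.get("Action", []), action, fold_case=True)
                and _match_any(stmt.get("Resource", []), resource)
                and _condition_holds(stmt.get("Condition", {}), context)):
            continue            # statement does not apply to this request
        if stmt["Effect"] == "Deny":
            return "Deny"       # explicit Deny always wins
        allowed = True          # explicit Allow, unless a later Deny matches
    return "Allow" if allowed else "Deny"   # implicit Deny by default

# Constructed sample: a least-privilege customer managed policy plus an MFA guardrail policy.
SAMPLE_POLICIES = [
    {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Effect": "Allow", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]},
    {"Statement": [
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}}]},
]
```

Note that the Deny guardrail does not apply when the MFA key is absent from the request context, which is why the MFA-enforcement pattern in AWS documentation uses BoolIfExists rather than Bool.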

IAM Roles and Temporary Credentials

IAM roles provide temporary credentials through the Security Token Service (STS), eliminating the need to manage long-lived access keys. When an EC2 instance or Lambda function assumes a role, it receives credentials that are valid for a configurable period of up to 12 hours and are automatically rotated. This is fundamentally more secure than embedding access keys in application code or configuration files. Cross-account roles enable secure resource sharing between AWS accounts without creating IAM users in each account. For workloads running outside AWS, IAM Roles Anywhere extends the same temporary credential model to on-premises servers and other cloud environments using X.509 certificates. In contrast, Azure RBAC takes a different approach by assigning role definitions to scopes (management groups, subscriptions, resource groups), with permissions inheriting from higher scopes to lower ones - IAM does not have this hierarchical inheritance and instead requires each policy to explicitly specify its target resources. To deepen your practical knowledge of AWS IAM, specialized books (Amazon) are a great resource.

Large-Scale Management with Organizations and IAM Identity Center

As your organization scales beyond a handful of accounts, IAM Identity Center (formerly AWS SSO) provides centralized access management across multiple AWS accounts. Users authenticate once through IAM Identity Center and can access any permitted account without maintaining separate IAM users in each account. Permission sets define what actions users can perform in each account, and these can be assigned to groups synced from external identity providers like Okta or Microsoft Entra ID. Service Control Policies (SCPs) combined with AWS Organizations set upper bounds on allowed actions at the account or organizational unit level - even if individual IAM policies grant excessive permissions, SCPs enforce guardrails. For example, an SCP can prevent any account from disabling CloudTrail or creating resources outside approved regions. Combining IAM Access Analyzer with CloudTrail logs helps identify permissions unused in the past 90 days, enabling systematic permission cleanup across the entire organization.
