AWS IAM のアイコン

AWS IAM Essential2010年〜

An authentication and authorization service for securely managing access to AWS resources

About 3 min read

What It Does

AWS IAM (Identity and Access Management) is a service for securely controlling access to AWS resources. You can define in fine detail who (users, roles) can do what (read, write, delete) on which resources (S3, EC2, etc.). IAM itself is free to use and becomes available automatically when you create an AWS account.

Use Cases

Used for managing AWS access permissions per team member, controlling application access to AWS services, granting temporary access to external partners, implementing access policies based on compliance requirements, and managing access across multi-account environments. It serves as the security foundation of AWS.

Everyday Analogy

Think of it like a building access control system. Only people with an employee badge (IAM user) can enter the building, and each department has access to different floors (permissions). The accounting team can enter the finance system room, and the dev team can enter the server room, but they can't access each other's areas. Administrators can change permissions at any time.

What Is IAM?

AWS Identity and Access Management (IAM) is the service at the core of AWS security. When you create an AWS account, a root user with full permissions is created, but the best practice is to avoid using the root user for everyday tasks. Instead, create IAM users and roles with only the minimum permissions needed. IAM is a global service, meaning the same settings apply worldwide regardless of region.

Key Concepts

IAM has four key concepts. Users are identities that correspond to individuals and are used for console login and programmatic access. Groups are collections of users - when you assign permissions to a group, they apply to all members. Roles provide temporary permissions and are used to grant access to AWS services like EC2 instances and Lambda functions. Policies are permission definitions written in JSON format.

The Principle of Least Privilege

The most important practice in IAM is the principle of least privilege. Grant each user or role only the minimum permissions needed for their tasks. For example, a process that only reads S3 data should be given only S3 read permissions, not write or delete permissions. IAM Access Analyzer lets you analyze which permissions are actually being used and identify unnecessary ones. To get a comprehensive understanding of the principle of least privilege, specialized books (Amazon) are a great resource.

Getting Started

To get started with IAM, first create an administrator IAM user in the IAM console and minimize the use of the root user. Then create users and groups for your team members and assign AWS managed policies (pre-built permission sets). Enabling MFA (multi-factor authentication) protects your account even if a password is compromised.

Things to Watch Out For

  • Do not use the root user for daily operations. Set up MFA and manage it securely
  • Never hardcode access keys in source code. Use IAM roles or environment variables instead
  • IAM is free to use, but misconfiguration can lead to security incidents, so always follow the principle of least privilege
共有するXB!

Related Services

Amazon Cognito iconAmazon CognitoA service that provides authentication, authorization, and user management for web and mobile applicationsAWS CloudTrail iconAWS CloudTrailA service that records and monitors API activity in your AWS accountAmazon VPC iconAmazon VPCBuild a logically isolated virtual network on AWSAWS Lambda iconAWS LambdaA serverless compute service that runs code without server management

Related Articles

Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.The Hidden Structure of AWS Account IDs' 12 Digits - Why 12 Digits, and What Can You Infer?A trivia-style exploration of why AWS account IDs are 12-digit numbers, the design intent embedded in the ARN structure, and the security considerations around what can be inferred from an account ID.Why AWS API Endpoints Differ by Region - The Design of Global and Regional ServicesWe explain the design reasons behind the separation of regional endpoints like ec2.us-east-1.amazonaws.com and global endpoints like iam.amazonaws.com, as well as the existence of dual-stack and FIPS endpoints.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Browser-Based Shell Environment - Instant CLI Access with AWS CloudShellExplains the browser-based shell environment powered by AWS CloudShell. Covers the CLI environment available instantly from the AWS Management Console, pre-installed development tools, automatic IAM authentication integration, secure file management, and practical tips for improving operational efficiency.

More in This Category

IAM Access Analyzer iconIAM Access Analyzer SpecializedA service that detects externally accessible resources and unused access permissionsAWS Certificate Manager iconAWS Certificate Manager EssentialA service that automates provisioning, management, and deployment of SSL/TLS certificatesAWS Artifact iconAWS Artifact SpecializedA service for on-demand access to AWS compliance reports and agreementsAWS Audit Manager iconAWS Audit Manager SpecializedA service that automates evidence collection and assessment for compliance auditsAWS CloudHSM iconAWS CloudHSM SpecializedA service for managing encryption keys using dedicated hardware security modulesAmazon Cognito iconAmazon Cognito PopularA service that provides authentication, authorization, and user management for web and mobile applicationsAmazon Detective iconAmazon Detective SpecializedA service that automatically analyzes security findings and investigates root causesAWS Directory Service iconAWS Directory Service SpecializedA service that provides managed Active Directory on AWS

Similar Articles and Services

AWS IAMAn authentication and authorization service for securely controlling access to AWS resources, providing fine-grained access management through users, groups, roles, and policiesDesigning Identity and Access Management - Achieving Zero Trust Security with IAMLearn access management design techniques with AWS IAM, including the principle of least privilege, policy design, and achieving zero trust security through Cognito integration.Why the AWS Account Root User Is Dangerous - The Design Philosophy of Privilege Separation and Practical LockdownWe explain why the AWS root user holds privileges that cannot be restricted by IAM, list the operations only the root user can perform, cover MFA setup methods, and describe the lockdown strategy using Organizations' centralized root access management.Detecting Excessive Permissions with IAM Access Analyzer - External Access and Unused Permission AnalysisDetect unused permissions on IAM roles using CloudTrail-based analysis and auto-generate least-privilege policies. This guide covers external access detection and integrating custom policy checks into your CI/CD pipeline.IAM Access AnalyzerA service that detects externally accessible resources and unused access permissions