Back to Blog
Cloud12 min readJun 2026

Cloud Identity & Access (IAM) From First Principles

IAM is where most cloud breaches begin, and where most beginners get lost. Strip away the jargon and it's just four words: who can do what to which thing. Here's the whole model.

AWSIAMSecurityLeast PrivilegeFoundations
SB

Sri Balaji

Founder · TheSimplifiedTech

On this page

Why IAM is the foundation of cloud security

Almost every cloud breach you read about starts the same way: a credential or permission that was broader than it needed to be. Not a clever zero-day, just an access key with too much power, or an S3 bucket open to everyone. IAM (Identity and Access Management) is the system that decides who can do what. Get it right and most attack paths simply close.

It feels intimidating because of the jargon, principals, policies, roles, ARNs. But underneath, IAM answers exactly one question for every single request:

Is THIS identity allowed to perform THIS action on THIS resource, yes or no?

Who this is for

Beginners. If you've ever gotten an "Access Denied" and not known why, this article is for you.

The four words: who, what, which, allow/deny

👤 Who is askingPrincipal (user / role)
🎬 What they want to doAction (e.g. s3:GetObject)
📦 Which thingResource (an ARN)
✅ Yes or noEffect (Allow / Deny)
Every IAM concept is one of these four everyday ideas.
  • Principal, the identity making the request. A human user, or (better) a role assumed by a service or app.
  • Action, the specific operation, namespaced by service: s3:GetObject, ec2:StartInstances.
  • Resource, the exact thing, named by an ARN (Amazon Resource Name): arn:aws:s3:::my-bucket/*.
  • Effect, Allow or Deny. Everything is denied by default; you grant access explicitly.

How a request is actually evaluated

explicit Allowno Allow / any Deny
Principal

User or role

Request

s3:GetObject

Policy check

IAM evaluation

S3 bucket

The resource

Access Denied

Default

Every API call runs this gauntlet. Default is deny; an explicit Deny always wins over any Allow.

  1. 1

    Start from DENY

    Nothing is allowed until something explicitly allows it. This is the single most important IAM rule.

  2. 2

    Look for a matching Allow

    AWS gathers every policy attached to the principal and the resource, and checks for an Allow matching this action + resource.

  3. 3

    Check for any explicit Deny

    If any policy says Deny for this request, it's denied, full stop. An explicit Deny beats any Allow.

  4. 4

    Decide

    Allowed only if there is a matching Allow and no matching Deny. Otherwise: Access Denied.

What a policy actually looks like

A policy is just JSON listing statements of effect + action + resource. This one lets a principal read objects from one bucket, and nothing else:

read-one-bucket.json
json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::reports-bucket/*"
    }
  ]
}

Read it as a sentence: *Allow the action s3:GetObject on every object in reports-bucket.* No write, no delete, no other bucket. That's least privilege, grant exactly what's needed, nothing more.

Users vs roles: prefer roles, always

The biggest practical upgrade you can make: stop handing out long-lived access keys, and use roles instead.

IAM User (keys)IAM Role
CredentialsLong-lived access keyShort-lived, auto-rotated
If leakedValid until you notice + revokeExpires in minutes/hours
Best forRare human/CLI casesApps, services, EC2, Lambda, CI
RotationManual (often forgotten)Automatic
Roles give out short-lived, auto-rotating credentials, far safer than static keys.

The #1 cloud security mistake

Hardcoding long-lived access keys in code, config, or a Git repo. Leaked keys are the most common breach vector. Use roles so credentials are temporary and rotate themselves.

Common mistakes that cost people (a lot)

  1. Using the root account for daily work. Lock it away, enable MFA, and never use it for routine tasks.
  2. **Granting * permissions "to make it work."** Action: "*" on Resource: "*" is admin-over-everything. Scope it down.
  3. Long-lived access keys in code or Git. Use roles and short-lived credentials. Scan repos for leaked keys.
  4. No MFA on human users. A password alone is one phishing email away from compromise.
  5. Never auditing. Permissions accumulate. Review and remove what's unused, least privilege is a habit, not a one-time setup.

Where to go next

The whole article in 6 lines

  • IAM answers one question: **can THIS identity do THIS action on THIS resource?**
  • Four parts: **principal, action, resource, effect (Allow/Deny).**
  • **Everything is denied by default;** you grant access explicitly.
  • An explicit **Deny always beats an Allow.**
  • Practice **least privilege**, grant exactly what's needed, nothing more.
  • Prefer **roles** (short-lived credentials) over users with long-lived keys.

Want to go deeper?

This article covers concepts taught hands-on in the Cloud Engineer and DevOps career paths, with real terminal labs, production scenarios, and structured lessons.

Explore Career Paths Try the Labs

Keep reading

Cloud

Cloud Networking Fundamentals: How a VPC Actually Works

Read

Cloud

How the Cloud Actually Works: Regions, AZs & the Edge

Read

Cloud

IaaS vs PaaS vs SaaS, What You Actually Manage

Read