AWS IAM Deep Dive for SAA-C03

Learn AWS Identity and Access Management in an exam-focused way. This deep dive covers IAM users, groups, roles, policies, policy evaluation, Access Analyzer, and IAM Identity Center for the AWS Solutions Architect Associate SAA-C03 exam.

What is AWS IAM?

AWS Identity and Access Management, commonly called IAM, is the AWS service used to securely control access to AWS resources. IAM helps you manage two important things: who can access AWS, and what they are allowed to do after they are authenticated.

IAM is one of the most important security services for the AWS Solutions Architect Associate exam. You must understand identities, permissions, roles, resource policies, and how AWS decides whether a request is allowed or denied.

Exam Tip: IAM is a global service. It is not limited to one AWS Region.

IAM Deep Dive Topics

Use the topics below to study IAM step by step. Each topic includes a read section, quiz link, and practice exam link where relevant.

  • IAM Overview: Understand authentication, authorization, the root user, IAM users, and the purpose of IAM in AWS.
  • IAM Users, Groups & Roles: Learn the difference between users, groups, and roles, including temporary credentials and service roles.
  • IAM Policy Types: Compare identity-based policies, resource-based policies, permissions boundaries, SCPs, and session policies.
  • IAM Policy Basics: Understand JSON policy structure, Effect, Action, Resource, Principal, and Condition.
  • Policy Evaluation Logic: Learn implicit deny, explicit allow, explicit deny, SCPs, permissions boundaries, and final access decisions.
  • IAM Access Analyzer: Detect resources shared with external accounts or outside your AWS Organization.
  • IAM Identity Center: Centrally manage access to multiple AWS accounts and applications using users, groups, and permission sets.

1. IAM Overview

IAM helps you securely control access to AWS services and resources. It handles authentication and authorization in your AWS account.

Authentication vs Authorization

Concept          Meaning
Authentication   Verifies who the user or entity is.
Authorization    Controls what the user or entity can do.

Exam Tip: Do not use the root user for daily tasks. Create IAM users or use IAM Identity Center.

2. IAM Users, Groups, and Roles

IAM User

An IAM user usually represents a person or workload that needs access to AWS. A user can have console access, programmatic access, or both.

IAM Group

An IAM group is a collection of IAM users. Groups make permission management easier because you can attach a policy to the group instead of attaching permissions to each user one by one.

IAM Role

An IAM role is an identity with permissions that can be assumed by users, AWS services, applications, or external accounts. Roles provide temporary security credentials instead of long-term access keys.

Identity    Best Use Case
IAM User    Individual person or service requiring direct access.
IAM Group   Managing permissions for multiple users.
IAM Role    Temporary access for AWS services, cross-account access, or federated users.

Exam Tip: Use IAM roles for EC2, Lambda, ECS, and cross-account access. Avoid storing long-term access keys.

3. IAM Policy Types

IAM policies define permissions. They specify which actions are allowed or denied on which resources.

Policy Type              Attached To               Purpose
Identity-based policy    User, group, or role      Grants permissions to an IAM identity.
Resource-based policy    AWS resource              Grants access directly on a resource, such as an S3 bucket policy.
Permissions boundary     User or role              Sets the maximum permissions an identity can receive.
Service Control Policy   AWS Organization or OU    Sets maximum permissions for accounts in AWS Organizations.
Session policy           Temporary session         Limits permissions for a temporary session.

Exam Tip: SCPs and permissions boundaries do not grant permissions by themselves. They only limit maximum permissions.

4. IAM Policy Basics

IAM policies are written as JSON documents. They contain one or more statements that define whether specific actions are allowed or denied.

Main IAM Policy Elements

Element     Meaning
Effect      Allow or Deny.
Action      The AWS API action, such as s3:GetObject or ec2:StartInstances.
Resource    The AWS resource ARN the policy applies to.
Principal   The user, role, account, or service allowed or denied access. Used in resource-based policies.
Condition   Optional rules that must be true for the permission to apply.

Example IAM Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-bucket/*"
    }
  ]
}

Exam Tip: The Principal element is used in resource-based policies, not in normal identity-based permissions policies.

5. IAM Policy Evaluation Logic

AWS evaluates policies to decide whether a request should be allowed or denied. Understanding this logic is very important for the SAA-C03 exam.

Access Decision Order

  1. By default, all requests start with an implicit deny.
  2. An explicit allow can allow access.
  3. Permissions boundaries, SCPs, and session policies can limit access.
  4. An explicit deny always overrides any allow.

Rule                 Result
No matching allow    Denied by default.
Matching allow       Allowed, unless limited by another policy.
Explicit deny        Always denied.

Exam Tip: Explicit deny always wins, even if another policy explicitly allows the action.
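To make the policy elements of section 4 and the decision order of section 5 concrete, here is an added example (not from the page, and not AWS's own evaluation engine): a simplified evaluator that checks a request against identity-based policies, an optional permissions boundary and optional SCPs, applying implicit deny, explicit deny precedence and the "limits do not grant" rule. The three sample policies are constructed for the example; Condition, NotAction and NotResource are deliberately out of scope.

```python
import fnmatch

# Constructed sample policies (not from the page): identity policy, boundary, SCP.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold=False):
    # IAM wildcards: '*' any run of characters, '?' one character. Actions are
    # case-insensitive (fold=True); resource ARNs are compared as written.
    value = value.lower() if fold else value
    return any(fnmatch.fnmatchcase(value, p.lower() if fold else p)
               for p in _as_list(patterns))

def policy_decision(policy, action, resource):
    """Evaluate one policy document for a request: 'Deny', 'Allow' or None (no
    match). Simplified: Effect/Action/Resource only, no NotAction or Condition."""
    decision = None
    for stmt in _as_list(policy["Statement"]):
        if not _matches(stmt["Action"], action, fold=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny: stop, nothing can override it
        decision = "Allow"
    return decision

def evaluate(action, resource, identity_policies, scps=(), boundary=None):
    """Final decision in the page's order: implicit deny by default, an explicit
    deny anywhere wins, then every applicable limit and an identity policy must allow."""
    ident = [policy_decision(p, action, resource) for p in identity_policies]
    org = [policy_decision(p, action, resource) for p in scps]
    bound = [policy_decision(boundary, action, resource)] if boundary else []
    if "Deny" in ident + org + bound:
        return "Deny"              # explicit deny always wins
    if scps and "Allow" not in org:
        return "Deny"              # limited by the Organization's SCPs
    if boundary and "Allow" not in bound:
        return "Deny"              # outside the permissions boundary
    if "Allow" not in ident:
        return "Deny"              # nothing grants it: implicit deny
    return "Allow"
```

Note that a boundary or SCP that allows an action still yields Deny when no identity-based policy allows it, which is exactly the "limits do not grant" exam point.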

6. IAM Access Analyzer

IAM Access Analyzer helps identify AWS resources that are shared with external entities, such as another AWS account or an identity outside your AWS Organization.

It analyzes resource-based policies and generates findings when it detects external access. This helps security teams find unintended access to resources before it becomes a bigger problem.

Resources IAM Access Analyzer Can Check

Resource Type            Example Risk
S3 bucket                External account can read or write objects.
IAM role                 Another account can assume the role.
KMS key                  External account can use the key.
Lambda function          External account can invoke the function.
SQS queue                External account can send or receive messages.
Secrets Manager secret   External account can access sensitive secrets.

Exam Tip: Use IAM Access Analyzer when the question asks how to detect resources shared outside your AWS account or AWS Organization.
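The kind of check IAM Access Analyzer automates, shown as an added example that is not from the page or from AWS: scanning a resource-based policy (here an S3 bucket policy) for Allow statements whose Principal is outside the owning account, and classifying each grantee as another account in the Organization, a foreign account, or public. The bucket policy and all account IDs are constructed placeholders; treating Organization accounts as trusted mirrors an analyzer created with the Organization as its zone of trust.

```python
import re
# Constructed sample (placeholder account IDs, not from the page): a bucket policy
# in account 111111111111; 222222222222 is another account in our Organization.
MY_ACCOUNT = "111111111111"
ORG_ACCOUNTS = {"111111111111", "222222222222"}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "InternalRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111111111111:role/app"},
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "222222222222"},
     "Resource": "arn:aws:s3:::example-bucket/shared/*"},
    {"Sid": "VendorWrite", "Effect": "Allow", "Action": "s3:PutObject",
     "Principal": {"AWS": "arn:aws:iam::999999999999:user/vendor"},
     "Resource": "arn:aws:s3:::example-bucket/inbox/*"},
    {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": "*", "Resource": "arn:aws:s3:::example-bucket/www/*"}]}
_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def principal_accounts(principal):
    """Account IDs named by a Principal element; '*' is returned as the marker
    'PUBLIC'. Service principals are AWS services, not accounts, so are skipped."""
    if principal == "*":
        return {"PUBLIC"}
    found = set()
    for value in _as_list(principal.get("AWS", [])):
        if value == "*":
            found.add("PUBLIC")
        elif value.isdigit() and len(value) == 12:     # bare account ID form
            found.add(value)
        elif (m := _ARN_ACCOUNT.match(value)):          # ARN form
            found.add(m.group(1))
    return found

def external_access_findings(policy, my_account, org_accounts=frozenset()):
    """List each Allow statement that grants a principal outside my_account,
    classed as 'organization', 'external-account' or 'public'."""
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in principal_accounts(stmt.get("Principal", {})) - {my_account}:
            scope = ("public" if acct == "PUBLIC" else
                     "organization" if acct in org_accounts else "external-account")
            findings.append({"sid": stmt.get("Sid"), "principal": acct,
                             "scope": scope, "actions": _as_list(stmt["Action"])})
    return findings
```

Findings with scope "organization" are the ones an organization-level zone of trust would suppress; "external-account" and "public" are what the exam means by resources shared outside your Organization.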

7. IAM Identity Center

IAM Identity Center helps you centrally manage access to multiple AWS accounts and applications. It is useful in organizations where many users need access to different AWS accounts.

Main Concepts

Concept             Meaning
Users               People who need access to AWS accounts or applications.
Groups              Collections of users with similar job roles.
Permission Sets     Reusable permission templates assigned to users or groups.
AWS Access Portal   The portal users use to access assigned AWS accounts and applications.

Exam Tip: Use IAM Identity Center for centralized workforce access across multiple AWS accounts.

IAM Exam Checklist

  • Know the difference between IAM users, groups, and roles.
  • Use IAM roles for AWS services and temporary credentials.
  • Understand identity-based vs resource-based policies.
  • Know that explicit deny overrides allow.
  • Know that permissions boundaries and SCPs limit permissions but do not grant them.
  • Use IAM Access Analyzer to detect external resource access.
  • Use IAM Identity Center for centralized multi-account access.
  • Always apply least privilege.

Practice IAM Now

After reading this deep dive, test your knowledge with the IAM quiz and then try a full AWS SAA-C03 practice exam.
