How IAM Works in AWS? – Explained

As we know, IAM manages authentication and authorization for your account in AWS. So we need to understand how it works as part of infrastructure security necessity. We need to understand following topics in this blog.

  • Principal
  • Request
  • Authentication
  • Authorization
  • Actions or Operations
  • Resources

AWS IAM has few terms to be acquainted with such as Resources, Identities, Entitles and Principals.


An user, role or person could be a principal. A principal could perform specific actions or operation on AWS resources. Also principal is said to be a root user which has full privilege on all resources in AWS.


Principal sends a request via Console, CLI or SDK to AWS by specifying the type of action to be performed on resources. The request information could be of environment data such as IP addresses, SSL status or resource data such as tag name or dynamo table name information.


For authentication, the principal must need to confirm the identity using credentials or keys to access the resources in AWS. There are various ways for authentication such as

  • Authentication from console would be done via root user using primary email address sign-in.
  • Authentication from IAM user would be done via alias, user id and password sign-in.
  • Authentication from CLI or SDK would be done via AWS access keys and secret keys.


The authorization in IAM is approved only when the request is completed. When a request is initiated, AWS takes input values from the request context and first search for policies that matches the request for authorization and then uses the policy to determine whether to allow or deny the request.

The policy determines the type of permissions for principal. There are several types of policies such as identity-based policy and resource-based policy.

Identity-based policy is to provide users with permission on resources in the same AWS account.

Resource-based policy is known for cross-account access.

A policy contains different sections to evaluate whether the incoming request should be allowed or denied. If your policy permission contains deny, then AWS denies the entire request which is called as explicit deny. AWS authorizes the request only when every part of the request is allowed by the policy permission. Otherwise, AWS denies all request by default. The evaluation of a request in a single AWS account follows below

  • By default, all requests are denied by AWS.
  • An explicit allow in any permission policy
  • An explicit deny in any policy overrides any allows.

Actions or Operations

AWS approves the actions only when the request is authorized and authenticated. The actions or operations are performed on resource level. AWS supports various IAM actions such as CreateUser, DeleteUser, GetUser, UpdateUser etc.


It allows you to perform set of actions on resources within your AWS account. Any unrelated action to a resource would be denied by AWS.

Please comment below for any questions related to this blog.

Leave a Reply