100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

AWS IAM Deep Dive Cheat Sheet

AWS IAM Deep Dive Cheat Sheet

Reference for IAM users, roles, policies, and permission boundaries used to secure access to AWS resources.

2 PagesIntermediateFeb 8, 2026

IAM Policy Document

Standard structure of an identity-based policy.

json
{  "Version": "2012-10-17",  "Statement": [    {      "Sid": "AllowS3ReadOnly",      "Effect": "Allow",      "Action": ["s3:GetObject", "s3:ListBucket"],      "Resource": [        "arn:aws:s3:::my-bucket",        "arn:aws:s3:::my-bucket/*"      ],      "Condition": {        "StringEquals": {"aws:RequestedRegion": "us-east-1"}      }    }  ]}

Role Trust Policy

Allows an EC2 instance to assume a role.

json
{  "Version": "2012-10-17",  "Statement": [    {      "Effect": "Allow",      "Principal": {"Service": "ec2.amazonaws.com"},      "Action": "sts:AssumeRole"    }  ]}

CLI: Users, Roles & Policies

Common IAM management commands.

bash
aws iam create-user --user-name janeaws iam create-role --role-name my-role \  --assume-role-policy-document file://trust-policy.jsonaws iam attach-role-policy --role-name my-role \  --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccessaws iam list-attached-user-policies --user-name janeaws iam create-access-key --user-name janests assume-role would use: aws sts assume-role --role-arn arn:aws:iam::123456789012:role/my-role --role-session-name session1

Core Concepts

Key core concepts to know.

  • User- Long-term identity for a person or application with credentials
  • Role- Temporary identity assumed by users, services, or federated identities
  • Policy- JSON document defining allowed/denied actions on resources
  • Managed vs Inline Policy- Managed policies are reusable/standalone; inline policies are embedded in one identity
  • Permission Boundary- Sets the maximum permissions an identity can ever have, regardless of attached policies
  • Least Privilege- Grant only the exact permissions required, nothing more

Policy Evaluation Logic

Key policy evaluation logic to know.

  • Explicit Deny- Always wins over any Allow, in any policy
  • Default Deny- All requests are denied unless explicitly allowed
  • SCP (Org level)- Service Control Policies set the max permissions across an AWS Organization
  • Resource Policy- Attached to the resource itself (e.g. S3 bucket policy), evaluated alongside identity policies
Pro Tip

Use IAM Access Analyzer to detect resources shared with external entities and to generate least-privilege policies from actual CloudTrail activity instead of guessing required permissions.

Was this cheat sheet helpful?

Explore Topics

#AWSIAMDeepDive#AWSIAMDeepDiveCheatSheet#CloudComputing#Intermediate#IAMPolicyDocument#RoleTrustPolicy#CLI#Users#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Share this Cheat Sheet