Security+ Academy · Lesson

Cloud Identity: IAM Roles and Service Accounts

Configure least-privilege IAM roles and service accounts in cloud platforms and avoid common mistakes like wildcard permissions and long-lived keys.

Cloud Identity Fundamentals

In cloud environments, identity is the new perimeter. Every action — starting a VM, reading a database, calling an API — is authorized based on the calling identity. Cloud IAM (Identity and Access Management) systems define who can do what on which resources. Unlike on-premises environments where network location provided implicit trust, cloud IAM treats every request as requiring explicit authorization regardless of where it originates.

Users, Groups, and Roles in AWS IAM

AWS IAM has three primary identity types. IAM Users represent individual humans or applications with long-term credentials (access key + secret key). IAM Groups bundle users and assign shared permissions. IAM Roles are identities with temporary credentials that can be assumed by users, AWS services (EC2, Lambda), or other accounts. Roles are preferred over long-term access keys because their credentials expire automatically, reducing the risk of credential exposure.

# IAM role trust policy: allows the EC2 service to assume this role
# (JSON requires double-quoted keys and strings)
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}

# An EC2 instance with this role attached can call AWS APIs using
# temporary credentials obtained from the instance metadata service;
# no long-term access key is stored on the instance.
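The checks a reviewer would run against policies like the one above, as an added example that is not part of this lesson: a small Python linter that flags identity policies granting wildcard actions or resources, trust policies that let any principal assume a role, and active access keys older than a rotation threshold (the 90-day limit, the sample policies and the key list are all constructed for illustration; the key records mirror the fields returned by the IAM ListAccessKeys API).

```python
"""Lint AWS IAM policy documents for least-privilege violations.

Added example, not the lesson's own code. Checks:
  * identity policies granting wildcard actions ('*', 'service:*') or '*' resources
  * trust policies that let any principal assume the role
  * active access keys older than an assumed 90-day rotation threshold
All sample policies and keys below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta, timezone

WILDCARD = "*"
MAX_KEY_AGE = timedelta(days=90)  # assumed rotation policy, not an AWS default


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def find_wildcards(policy):
    """Findings for Allow statements using '*' or 'service:*' actions, or '*' resources."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == WILDCARD or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource")):
            if resource == WILDCARD:
                findings.append(f"statement {i}: wildcard resource")
    return findings


def find_open_trust(trust_policy):
    """Findings for trust statements that let any principal call sts:AssumeRole."""
    findings = []
    for i, stmt in enumerate(_statements(trust_policy)):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == WILDCARD:
            findings.append(f"statement {i}: any principal may assume this role")
        elif isinstance(principal, dict):
            for kind, ids in principal.items():  # kind is "AWS", "Service" or "Federated"
                if WILDCARD in _as_list(ids):
                    findings.append(f"statement {i}: wildcard {kind} principal")
    return findings


def stale_access_keys(keys, now, max_age=MAX_KEY_AGE):
    """Ids of Active keys whose age exceeds max_age (long-lived credentials)."""
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and now - k["CreateDate"] > max_age]


# Constructed samples: the lesson's EC2 trust policy (passes), an open trust
# policy and an over-broad identity policy (both fail).
EC2_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"Service": "ec2.amazonaws.com"},
                 "Action": "sts:AssumeRole"}]
}""")

OPEN_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "*"},
                 "Action": "sts:AssumeRole"}]
}""")

OVERBROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["iam:*", "sts:AssumeRole"], "Resource": "*"}
  ]
}""")

SAMPLE_KEYS = [  # constructed records in the shape returned by iam:ListAccessKeys
    {"AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": datetime(2024, 1, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": datetime(2024, 6, 1, tzinfo=timezone.utc)},
    {"AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Inactive",
     "CreateDate": datetime(2023, 1, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

if __name__ == "__main__":
    print("EC2 trust policy:", find_open_trust(EC2_TRUST_POLICY) or "ok")
    print("Open trust policy:", find_open_trust(OPEN_TRUST_POLICY))
    print("Over-broad policy:", find_wildcards(OVERBROAD_POLICY))
    print("Keys due for rotation:", stale_access_keys(SAMPLE_KEYS, NOW))
```

The resource check deliberately flags only a bare `*`; a scoped pattern such as `arn:aws:s3:::example-bucket/*` is the intended way to grant access to every object in one bucket and is not a least-privilege violation by itself.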
