AWS IAM
Who can do what — identities, roles, and policies.
❓ What is it?
The global identity and access service: users, groups, roles, and JSON policies that allow or deny every API action across AWS, with roles providing temporary credentials for services and workloads.
💡 Why does it exist?
AI systems concentrate sensitive data (training sets, prompts, model outputs). Least-privilege access is the first control every audit checks — and the difference between an incident and a breach.
⏱️ When should you use it?
Always. For AI specifically: scope SageMaker execution roles to exact S3 prefixes, restrict who may invoke Bedrock models, and never embed long-lived keys in code — use roles.
🗺️ Where does it fit?
Beneath everything: every call from a notebook, Lambda, or endpoint is authorised by IAM before any service logic runs.
🔌 How do you integrate it?
Create roles with trust policies for services, attach least-privilege permission policies, enforce MFA for humans, and audit with IAM Access Analyzer.
🧩 Commonly integrated with
🎯 Exam angle (AIF-C01)
- Services assume ROLES; humans get users/SSO. "Application needs S3 access" → role, never access keys in code.
- SageMaker execution role scoping to specific buckets is the standard least-privilege scenario.