AWS IAM

Who can do what — identities, roles, and policies.

📖 Official AWS documentation ↗📰 Official AWS blog ↗

What is it?

The global identity and access service: users, groups, roles, and JSON policies that allow or deny every API action across AWS, with roles providing temporary credentials for services and workloads.

💡 Why does it exist?

AI systems concentrate sensitive data (training sets, prompts, model outputs). Least-privilege access is the first control every audit checks — and the difference between an incident and a breach.

⏱️ When should you use it?

Always. For AI specifically: scope SageMaker execution roles to exact S3 prefixes, restrict who may invoke Bedrock models, and never embed long-lived keys in code — use roles.

🗺️ Where does it fit?

Beneath everything: every call from a notebook, Lambda, or endpoint is authorised by IAM before any service logic runs.

🔌 How do you integrate it?

Create roles with trust policies for services, attach least-privilege permission policies, enforce MFA for humans, and audit with IAM Access Analyzer.

🧩 Commonly integrated with

Every AWS serviceAWS KMSAWS CloudTrailIAM Identity Center

🎯 Exam angle (AIF-C01)

📚 Study it in a learning path

SCS-C03Security Engineering on AWSFlashcards, notes & quizzes covering this service →CLF-C02AWS Cloud PractitionerFlashcards, notes & quizzes covering this service →AIF-C01AWS AI PractitionerFlashcards, notes & quizzes covering this service →SAA-C03Architecting on AWSFlashcards, notes & quizzes covering this service →

More in Security & Governance

AWS KMSAmazon MacieAWS CloudTrailAmazon CloudWatch