Built.io Blog

The power of Identity Access Management policies and roles in Amazon Web Services


Identity and Access Management (IAM) is the AWS service that controls who may perform which actions on which Amazon Web Services (AWS) resources. Used well, IAM lets administrators confine a user to specific actions, to specific resources, or to the resources of a single region, for any given service.

(Note: This article expects users to have basic knowledge of IAM.)

What is an ARN?

An Amazon Resource Name (ARN) uniquely identifies an AWS resource. Every resource, whether an EC2 instance, an EBS volume or an Auto Scaling group, has one. Most AWS services support resource-level permissions, so an IAM policy can name ARNs (or ARN patterns) and permit or deny particular actions on just those resources, for example stopping, starting or terminating specific EC2 instances.

IAM Policies

An IAM policy document is a JSON object. Let’s take a look at an actual policy document:

Use case

Allow EC2 termination for specific instances.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1437464989000",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/Name": "my-instance"
                }
            },
            "Resource": [
                "arn:aws:ec2:us-east-1:0123456789:instance/*"
            ]
        }
    ]
}

The four parts of the statement:

  1. Effect: Whether the listed actions are allowed or denied. IAM denies everything by default, and an explicit Deny in any applicable policy overrides an Allow.
  2. Action: The list of API actions the statement allows or denies; here only ec2:TerminateInstances.
  3. Condition: Narrows the statement to resources that satisfy the condition keys; here, to EC2 instances carrying the tag Name=my-instance. All instances launched by an Auto Scaling group can be given the same Name tag, so a condition like this is a convenient way to grant permissions over every instance of a group. The match is only as trustworthy as the tags themselves: anyone who can call ec2:CreateTags on other instances can tag them into scope, so guard tagging permissions as carefully as the actions they unlock.
  4. Resource: The ARN pattern the statement applies to; here, every EC2 instance (instance/*) in the us-east-1 region of the account with ID 0123456789 (the placeholder the post uses). Combined with the condition, the statement covers only the tagged instances within that set; an instance with the same tag in another region is not matched.
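To see concretely what the statement grants and refuses, here is an added worked example (my code, not taken from the post or from AWS): a small Python evaluator for exactly the statement features used above, Effect, Action, Resource wildcards and a StringEquals condition on a resource tag. It is a deliberate simplification of AWS's real policy evaluation (no policy variables, NotAction, NotResource or multi-policy merging), but it keeps the two rules that matter most, the implicit deny and an explicit Deny beating an Allow. The instance IDs and tags it is fed are constructed test inputs.

```python
import fnmatch

# The statement from the post, as a Python dict. Account 0123456789 is the
# placeholder the post uses; real account IDs are 12 digits.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1437464989000",
            "Effect": "Allow",
            "Action": ["ec2:TerminateInstances"],
            "Condition": {"StringEquals": {"ec2:ResourceTag/Name": "my-instance"}},
            "Resource": ["arn:aws:ec2:us-east-1:0123456789:instance/*"],
        }
    ],
}


def _as_list(value):
    # Action and Resource may be a single string or a list in policy JSON.
    return value if isinstance(value, list) else [value]


def _matches_any(patterns, value):
    # IAM treats '*' and '?' in Action and Resource as wildcards; fnmatchcase
    # gives the same semantics for the patterns used here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, resource_tags):
    """Only the StringEquals operator on ec2:ResourceTag/<Key> is modelled."""
    prefix = "ec2:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            raise NotImplementedError(f"condition key {key} not modelled")
        if resource_tags.get(key[len(prefix):]) != expected:
            return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM decision: implicit deny unless an Allow statement matches
    the action, the resource ARN and the condition; a matching Deny wins.
    Action names are compared case-insensitively, as IAM does; ARNs as written."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        if not _matches_any(actions, action.lower()):
            continue
        if not _matches_any(_as_list(stmt["Resource"]), resource_arn):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    tagged = {"Name": "my-instance"}
    east = "arn:aws:ec2:us-east-1:0123456789:instance/i-0123456789abcdef0"
    west = "arn:aws:ec2:us-west-2:0123456789:instance/i-0123456789abcdef0"
    print(is_allowed(POLICY, "ec2:TerminateInstances", east, tagged))         # True
    print(is_allowed(POLICY, "ec2:TerminateInstances", west, tagged))         # False: wrong region
    print(is_allowed(POLICY, "ec2:TerminateInstances", east, {"Name": "x"}))  # False: wrong tag
    print(is_allowed(POLICY, "ec2:StopInstances", east, tagged))              # False: action not listed
```

Running the script shows the three ways the statement refuses a request: the region baked into the Resource ARN, the tag value in the Condition, and the Action list. Swapping the tag on the instance is all it takes to move it in or out of scope, which is why tagging rights deserve the same scrutiny as termination rights.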

IAM Roles

The true power of IAM policies lies in IAM roles. When launching an EC2 instance, an IAM role can be associated with it.

One way to deal with IAM permissions is to create an IAM user, create an IAM policy with the necessary permissions, and attach that policy to the user. The user then has an access key ID and secret access key, which applications use to call AWS services.

These are long-term credentials: if they are exposed, you must rotate them immediately, deactivating the old key pair and issuing a new one. An IAM role avoids the problem. The role, carrying the necessary permissions, is attached to the EC2 instance, and software on the instance obtains short-lived temporary credentials from the instance metadata service, which AWS rotates automatically. There is no long-term key to embed in code or configuration or to hand to developers. Because any process on the instance can read those temporary credentials, the role should carry only the permissions that instance's workload actually needs.
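The post does not show how a role gets attached to an instance, and one step is easy to miss: EC2 does not reference a role directly but an instance profile that wraps it. The following added example (my code, not the post's or AWS's sample code) performs the whole sequence with the boto3 IAM client: create the role with a trust policy that lets only the EC2 service assume it, attach the permissions policy inline, create the instance profile and add the role to it. The role and policy names are placeholders, and RecordingIAM is an offline stand-in for boto3.client('iam') so the sequence can be run and inspected without an AWS account.

```python
import json

# Trust policy: states WHO may assume the role. Scoping the Principal to the
# EC2 service is what makes this an instance role; a Principal of "*" would
# let any AWS identity assume it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def create_instance_role(iam, role_name, policy_name, permissions_policy):
    """Create a role EC2 can assume, attach the permissions policy inline, and
    wrap the role in an instance profile (the object EC2 actually references).

    `iam` is a boto3 IAM client or a compatible stand-in; the four calls below
    use the real boto3 method names and keyword arguments. Returns the value
    to pass as IamInstanceProfile= to ec2.run_instances."""
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(EC2_TRUST_POLICY),
    )
    iam.put_role_policy(
        RoleName=role_name,
        PolicyName=policy_name,
        PolicyDocument=json.dumps(permissions_policy),
    )
    # Naming the profile after the role is a common convention, not a requirement.
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    return {"Name": role_name}


class RecordingIAM:
    """Offline stand-in for boto3.client('iam'): records every call it receives
    instead of talking to AWS, so the call sequence can be checked."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, method):
        def record(**kwargs):
            self.calls.append((method, kwargs))
            return {}
        return record


if __name__ == "__main__":
    # Placeholder permissions policy for the demo: read-only EC2 describe calls.
    demo_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}],
    }
    iam = RecordingIAM()  # replace with boto3.client("iam") to run for real
    profile = create_instance_role(iam, "app-server-role", "app-server-perms", demo_policy)
    print("IamInstanceProfile=", profile)
    for method, kwargs in iam.calls:
        print(method, sorted(kwargs))
```

When run against a real client, note that a freshly created instance profile takes a few seconds to propagate; a run_instances call issued immediately afterwards can fail with an invalid-profile error, so retry briefly before concluding something is wrong. The returned dict is passed unchanged as IamInstanceProfile to run_instances, and from then on the instance's software reads its temporary credentials from the instance metadata service with no keys configured anywhere.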

Newer AWS services such as Lambda and CodeDeploy follow the same model: they run under an IAM role rather than with a user's access keys.

I hope this post was useful and informative. We would love to hear your best practices, tips and tricks in the comments.
