Why it matters
IAM misconfiguration is the top cloud security failure. Public S3 buckets, overly-permissive roles, hardcoded access keys — most cloud breaches are IAM mistakes.
The architecture
Users are permanent identities (human or service). They have long-lived credentials (access keys). Users are the most common source of breach because keys leak.
Roles are assumed identities with temporary credentials. Applications running on EC2 get credentials via instance profiles. Federated users assume roles via SAML/OIDC. Roles are safer than users because credentials are short-lived.
How it works end to end
Policies are JSON documents listing allowed and denied actions on resources. Attached to users, groups, or roles. Managed policies (AWS-provided) cover common cases; custom policies for specific needs.
STS (Security Token Service) issues temporary credentials for assumed roles. Expiry is typically 1 hour, configurable up to 12 hours.
Permission boundaries limit the maximum permissions a role can have, even if additional policies grant more. Used to delegate role management safely.