Core concept

Policies: JSON. Statement with Effect (Allow/Deny), Action, Resource, Condition. Least privilege principle.

Advertisement

How it works

Roles for services (EC2, Lambda). STS AssumeRole for cross-account. SCP at organization for guardrails.

Advertisement

Trade-offs + gotchas

Everything. IAM Access Analyzer finds unused perms. IAM Identity Center for user federation. Sensible defaults + drift detection.