
AWS · Identity · Foundation

AWS IAM Basics

Foundation LAB for AWS identity evaluation, least privilege, policies, roles, and interview-ready cloud security reasoning.

Status: Gold
Cloud: AWS
Domain: Identity
Level: Foundation

Overview

This starter lab explains how AWS IAM governs requests across users, roles, policies, services, and resources. It emphasizes reasoning, not console memorization.

Tags: Foundation · Identity-first · Interview-ready · No live mutation

Concept Deep Dives

Review these foundation concepts before moving into L2 policy evaluation.

What is an IAM principal?

A principal is any identity that can make a request to AWS, such as a user, role, service, or federated identity. Every authorization decision starts by asking who is making the request.

What is an IAM policy?

A policy is a document that describes allowed or denied actions. Policies do not grant access by existing alone; they must be attached to a relevant identity, resource, boundary, session, or organization guardrail.

What is an IAM role?

A role is an assumable identity with permissions. Roles are commonly used by AWS services, applications, federated users, and cross-account workflows.

What does least privilege mean?

Least privilege means giving an identity only the permissions required for its job, for only the resources and contexts where those permissions are needed.

Core Concepts

Principals

Users, roles, services, and federated identities that make requests.

Policies

Documents that define allowed or denied actions.

Roles

Temporary authority boundaries assumed by trusted principals or services.

Evaluation

IAM evaluates identity policies, resource policies, permission boundaries, and SCPs together, and an explicit deny in any of them overrides every allow.
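The evaluation order described above, as an added example that is not part of the lab's own material: a toy same-account model in which an explicit Deny anywhere is final and the SCP, permission boundary, and identity layers must each contain a matching Allow. The policies are constructed for illustration; resource policies, session policies, and condition keys are deliberately left out.

```python
"""Toy same-account IAM evaluation model (added example, not lab code).
Explicit Deny anywhere wins; otherwise SCP, boundary and identity policy
must each Allow. Resource/session policies and conditions are omitted."""
from fnmatch import fnmatchcase

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def _effects(policy, action, resource):
    """Effects of every statement whose Action and Resource patterns match.
    IAM wildcards ('*', '?') are approximated with fnmatch; real IAM also
    matches action names case-insensitively."""
    for st in policy.get("Statement", []):
        if (any(fnmatchcase(action, a) for a in _as_list(st.get("Action", []))) and
                any(fnmatchcase(resource, r) for r in _as_list(st.get("Resource", [])))):
            yield st["Effect"]

def _layer_decision(policies, action, resource):
    effects = [e for p in policies for e in _effects(p, action, resource)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def evaluate(action, resource, identity_policies, scps=(), boundary=None):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    optional = [list(scps), [boundary] if boundary else []]   # absent layers impose nothing
    decisions = [_layer_decision(l, action, resource) for l in optional if l]
    decisions.append(_layer_decision(list(identity_policies), action, resource))
    if "Deny" in decisions:                    # 1. explicit deny in any layer is final
        return "Deny"
    if all(d == "Allow" for d in decisions):   # 2. every evaluated layer must allow
        return "Allow"
    return "ImplicitDeny"

# Constructed sample policies (hypothetical, not from any real account).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]}
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}   # caps this identity at S3 only
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},        # like the default FullAWSAccess
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

if __name__ == "__main__":
    for act, res in [("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
                     ("iam:PassRole", "arn:aws:iam::111122223333:role/app"),
                     ("s3:DeleteBucket", "arn:aws:s3:::example-bucket")]:
        print(f"{act:16} -> {evaluate(act, res, [IDENTITY], [SCP], BOUNDARY)}")
```

The iam:PassRole request is allowed by the identity policy yet still denied, which is the permission boundary doing its job as a least-privilege cap.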

Learning Outcomes

  • Explain how IAM request evaluation works
  • Differentiate users, groups, roles, and policies
  • Recognize least-privilege design patterns
  • Prepare for advanced AWS identity escalation labs

Future Expansion

This foundation lab anchors future AWS Principal LABs such as cross-account role escalation, iam:PassRole escalation, and role chaining.

Starter/foundation labs do not claim Shield findings or Aegis Runtime signals until those integrations are explicitly built.

Governance Boundary

  • Does not mutate cloud infrastructure
  • Does not execute remediation
  • Does not simulate customer compromise
  • Does not claim Shield or Aegis linkage unless explicitly mapped

Source Artifacts

metadata.json: Lab identity and maturity metadata
index.html: Rendered starter lab page