Effective IAM for AWS

About this guide

Effective IAM with Amazon Web Services is for engineers with practical responsibility for securing AWS cloud deployments. These practitioners actually create and review security policies for applications and infrastructure. They often define security architecture, sometimes unknowingly. They usually have titles like Cloud, DevOps, Site Reliability, and Cloud Security Engineer or Architect. Whatever their titles, these people feel the weight of responsibility to secure AWS deployments and the pain of AWS IAM’s complexity.

And it's heavy.

‘Identity’ is the system you use to authenticate users and authorize their access to the AWS services and data they need to do their jobs. Engineers manage access to Cloud resources using the AWS Identity and Access Management service, AWS IAM.

But effective identity management is hard and getting harder.

AWS identity security is complex, the number of IAM identities is increasing, and Cloud deployments change quickly.

If you struggle to deliver effective AWS security policies or you find yourself staring at an incoherent mess of security policies in many accounts, this book is for you.

This book will help you understand why AWS IAM is hard and how to leverage IAM’s best features to secure apps & data continuously. It will help you design, develop, review, and deliver better AWS security policies, quickly and confidently.

What this guide is and what you will learn

This guide describes a practical strategy and tactics to simplify the incredibly powerful and complex AWS IAM service into something your whole organization can use safely.

You will learn how to:

  • solve difficult security problems using the best parts of AWS IAM
  • simplify AWS IAM into a set of secure infrastructure code building blocks to deliver changes quickly
  • verify AWS IAM security policies protect resources as intended
  • secure IAM continuously at any scale

What you need to know

Effective IAM is written for people who:

  • use Amazon Web Services
  • develop or review IAM security policies frequently
  • must protect data and implement access controls, particularly 'least privilege'
  • use infrastructure code tools and libraries to automate configuration

These activities are painful in many organizations and this book will help you get the job done. If you don't perform these activities directly, you will learn how to work with those who do or even decide to join them.

What this guide will not cover

This guide does not cover all of AWS Security or even all of IAM. That scope is entirely too large for a practitioner's guide and dulls the focus needed to build effective IAM implementations.

Effective IAM will not cover:

Those topics are all important, but complementary to a solid IAM foundation. This guide will help you design and implement IAM so that you can do each of those better.

We'll describe what the interfaces of infrastructure code libraries should look like so they are usable by non-experts and composable into delivery pipelines. We'll point to the best implementations of these ideas.

Additionally, we'll show how well-architected IAM integrates with and improves AWS network security, auditing, and incident response.

Why I'm a relevant source of advice

My name is Stephen Kuenzli and I have built, delivered, and operated applications and infrastructure for more than 20 years in high tech manufacturing, banking, and ecommerce. I have a B.S. in System Engineering and am always working on the bottleneck constraining delivery.

In 2014, I went all-in on delivering applications using infrastructure code, Docker containers, and Cloud - specifically AWS. I led several large migrations to AWS using those technologies as an architect and implementer. Those migrations succeeded, but the hardest part was always getting security right, particularly IAM.

No one understood how to create good IAM security policies for people and applications, verify they work as expected, and deliver changes at the speed of continuous delivery.

I interviewed more than 50 other practitioners (so far) and found they have similar problems.

In 2019, I launched k9 Security to solve those problems and make AWS IAM usable for Cloud teams. k9 helps many Cloud teams deliver apps securely with usable automation and insightful IAM access audits. But this guide is not a product pitch. Instead I'll share insights into the problems at the intersection of AWS IAM, infrastructure code, and continuous delivery that frustrate so many Cloud teams and proven solutions to those problems regardless of which tools you use.

Let's go fast, safely.

Acknowledgements

I would like to thank the many people who generously helped this book:

Jen Kuenzli, whose incredible support makes my work possible.

The customers and colleagues who inspired and motivated this work.

The reviewers whose feedback made this book much better, particularly:

Sebastian Castro, who used his graphics skills to help me communicate clearly.

The Cloud Security and DevOps communities for working in the open and looking for better ways of working.

Amazon Web Services for building a wonderful, sometimes bewildering, machine.

Everyone who gave me the opportunities to get to this point.

Thank you.
