Securing AWS Resources with IAM: Identity-Based Policies, Actions, and Permissions Flow
DOI: https://doi.org/10.63282/3117-5481/AIJCST-V4I4P102
Keywords: AWS IAM, Identity-Based Policies, Resource-Based Policies, Actions and Permissions, Least Privilege, Explicit Deny, Permission Boundaries, Session Policies
Abstract
Amazon Web Services (AWS) Identity and Access Management (IAM) is the control plane that decides who can perform which actions on which resources. This paper clarifies how identity-based policies attached to users, groups, and roles govern actions, and how AWS evaluates a request by combining every policy source that applies to it. We explain the evaluation sequence: every request starts from an implicit deny; an explicit deny in any applicable policy takes precedence over every allow; the request must then pass organization-level Service Control Policies (SCPs), any resource-based policy (which, within a single account, can grant access on its own), the permissions boundary, and any session policy, before an allow in the identity-based policy makes it effective. The discussion distinguishes identity-based from resource-based authorization, highlights the role of AWS STS in issuing temporary credentials, and shows how conditions (including principal and resource tags for attribute-based access control, ABAC) shape least-privilege access at scale. We map the IAM access levels (List, Read, Write, Permissions management, Tagging) to service actions and illustrate cross-account access with role assumption and external IDs. Operational guidance covers guardrails and verification: designing minimal, scoped policies; using permissions boundaries for delegated administration; applying SCPs to constrain accounts; and validating with IAM Access Analyzer, Access Advisor, and CloudTrail. We also address advanced topics (MFA enforcement, session tagging, and break-glass patterns) and provide a practical troubleshooting flow for AccessDenied errors. By unifying conceptual models with a step-by-step permissions flow, readers can design predictable, auditable access, reduce blast radius, and accelerate safe delivery on AWS.
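The evaluation sequence summarised in the abstract can be made concrete with a small executable model of it. The following Python is an added example written for this page, not code from the paper or from AWS. It is a simplification of the documented flow: only the StringEquals condition operator and `${var}` policy variables are supported, and a same-account Allow in a resource-based policy is treated as sufficient on its own (the role-session ARN distinction in the AWS documentation is not modelled). The sample policies, bucket name, and team tags are constructed for illustration.

```python
"""Simplified model of the AWS IAM policy evaluation flow (added example, not AWS code).

Order modelled: implicit deny -> explicit deny anywhere wins -> SCPs -> resource-based
policy -> permissions boundary -> session policy -> identity-based policy.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    # IAM wildcards: '*' matches any sequence, '?' one character; matching is case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def _resolve(value, ctx):
    # Expand a policy variable such as "${aws:PrincipalTag/team}" from the request context.
    if isinstance(value, str) and value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _conditions_hold(condition, ctx):
    # Only StringEquals is modelled; a missing context key or unresolved variable never matches.
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in pairs.items():
            actual = ctx.get(key)
            if actual is None or actual not in [_resolve(v, ctx) for v in _as_list(allowed)]:
                return False
    return True


def evaluate_document(doc, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (no statement matched) for one policy document."""
    outcome = None
    for st in _as_list(doc["Statement"]):
        actions, not_actions = _as_list(st.get("Action", [])), _as_list(st.get("NotAction", []))
        if actions and not any(_match(a, action) for a in actions):
            continue
        if not_actions and any(_match(a, action) for a in not_actions):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", "*"))):
            continue
        if not _conditions_hold(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit deny ends evaluation of this document
        outcome = "Allow"
    return outcome


def is_allowed(request, identity_policies, resource_policy=None, boundary=None,
               session_policy=None, scps=(), same_account=True):
    """Return (decision, reason) following the documented evaluation order."""
    action, resource, ctx = request["action"], request["resource"], request.get("context", {})

    def ev(doc):
        return evaluate_document(doc, action, resource, ctx)

    layers = {
        "SCP": [ev(p) for p in scps],
        "resource-based": [ev(resource_policy)] if resource_policy else [],
        "permissions boundary": [ev(boundary)] if boundary else [],
        "session": [ev(session_policy)] if session_policy else [],
        "identity-based": [ev(p) for p in identity_policies],
    }
    for name, results in layers.items():  # 1. an explicit deny in any policy type wins
        if "Deny" in results:
            return False, f"explicit deny in {name} policy"
    if scps and not all(r == "Allow" for r in layers["SCP"]):  # 2. every SCP in the OU chain must allow
        return False, "implicit deny from SCP"
    if resource_policy and same_account and "Allow" in layers["resource-based"]:
        # 3. Simplification: a same-account resource-based Allow is sufficient by itself.
        return True, "allowed by resource-based policy"
    if not same_account and "Allow" not in layers["resource-based"]:
        return False, "cross-account request needs a resource-based Allow"
    if boundary and "Allow" not in layers["permissions boundary"]:  # 4. boundary must allow
        return False, "implicit deny from permissions boundary"
    if session_policy and "Allow" not in layers["session"]:  # 5. session policy must allow
        return False, "implicit deny from session policy"
    if "Allow" in layers["identity-based"]:  # 6. finally the identity-based policy must allow
        return True, "allowed by identity-based policy"
    return False, "implicit deny (no matching Allow)"


# Constructed sample policies (hypothetical bucket and team tags, not from the paper).
IDENTITY_ABAC = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket"],
    "Resource": "arn:aws:s3:::team-data*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}}]}
BOUNDARY_S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
SCP_NO_BUCKET_DELETE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}


def demo(action, principal_team="blue", resource_team="blue"):
    request = {"action": action, "resource": "arn:aws:s3:::team-data/report.csv",
               "context": {"aws:PrincipalTag/team": principal_team,
                           "aws:ResourceTag/team": resource_team}}
    return is_allowed(request, [IDENTITY_ABAC], boundary=BOUNDARY_S3_ONLY, scps=[SCP_NO_BUCKET_DELETE])


if __name__ == "__main__":
    for case in [("s3:GetObject",), ("s3:GetObject", "blue", "red"),
                 ("s3:DeleteBucket",), ("ec2:RunInstances",)]:
        print(case, demo(*case))
```

Running the block shows the four outcomes a troubleshooter of AccessDenied errors has to tell apart: an allow that succeeds, an ABAC condition that silently fails (tag mismatch), an explicit deny from an SCP that no identity policy can override, and an implicit deny from a permissions boundary even though nothing explicitly denied the action.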
