
🔐 AWS Identity and Access Management (IAM)

📅 Apr 15, 2026

AWS SECURITY — IDENTITY MANAGEMENT


The AWS service that controls who (Who) is allowed to do what (What) inside AWS.

👉 IAM = Who can do What 🎯

🧠 BIG PICTURE — understand this first

IAM has 4 main entities: User, Group, Role and Policy. Each one has a different job.

Entity    | What it represents
----------|--------------------
👤 User   | A person
👥 Group  | A team
🎭 Role   | A service or app
📜 Policy | A permission rule

👤 1. IAM User

An individual identity for one person or one application

📖 In simple terms:

Just as a Facebook account belongs to one person, an IAM User is the permanent account of one person or one application. It has its own username and password.

🔑 A User can have:

Username + Password → Console (Browser) login

Access Key ID + Secret Access Key → CLI/API login

🧠 Examples:

DevOps engineer  •  Developer  •  Application script

🎯 Exam Clue:

"Permanent Access Key" or "Console Login" → IAM User

👥 2. IAM Group

A way to give many users the same permissions

📖 In simple terms:

Like a "Science Class" at school: create one group, give that group the permissions, then add every developer to it. You don't have to grant permissions one person at a time.

🔑 Key Points:

▸ A Group has no Access Key and cannot log in

▸ Policies are attached to the Group

▸ A Group cannot contain another Group (nested groups are not allowed)

🧠 Example:

Developers group → the same EC2 permissions for 10 developers

🎯 Exam Clue:

"Groups can't log in": access never goes through a Group directly, only through its Users

🎭 3. IAM Role

Gives temporary access to services and applications

📖 In simple terms:

Like a visitor pass: someone visiting an office is given a temporary ID card, and that card expires once the work is done. A Role likewise hands out temporary credentials, never permanent ones.

🔑 Key Points:

▸ A Role has no permanent Access Key

▸ Temporary credentials are generated (by STS)

▸ No direct login; a Role is assumed

▸ Best practice for EC2, Lambda and cross-account access

🧠 Examples:

EC2 → S3 access  •  Lambda → DynamoDB  •  Cross-account

🎯 Exam Clue:

"EC2 needs S3 access" / "Temporary credential" / "Service to service" → IAM Role

📜 4. IAM Policy

A JSON document that defines permissions

📖 In simple terms:

Like a rule book: a document that states "this action is allowed, this one is not". Without a Policy, a User, Group or Role has no permissions at all.

🔑 Key Points:

▸ Written in JSON format

▸ Defines Allow or Deny for actions

▸ Attached to Users, Groups and Roles

▸ An explicit Deny always wins (even when an Allow also applies)

🧠 Example JSON structure (a complete, valid policy document with one statement):

    {"Version": "2012-10-17", "Statement": [{
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "*"
    }]}

🎯 Exam Clue:

"Permission document" / "JSON" / "Allow or Deny" → IAM Policy
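To make the evaluation rules above concrete (implicit Deny by default, any matching Allow grants, an explicit Deny overrides everything), here is an added Python example that is not from the original page and is not AWS code: a small evaluator over policy documents of the same shape as the JSON structure above. The two sample policies and the request ARNs are constructed; the evaluator handles only Effect, Action and Resource with `*` wildcards and deliberately ignores Condition, NotAction and resource-based policies.

```python
import re

# Constructed sample policy, the kind you would attach to a developer's User or Group.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*"], "Resource": "*"},
    ],
}

# Constructed guardrail policy (for example attached to the Group): explicit Deny on deletes.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    regex = "^" + ".*".join(parts) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _statement_applies(statement: dict, action: str, resource: str) -> bool:
    # Action names are case-insensitive in IAM; resource ARNs are matched as written.
    actions = _as_list(statement.get("Action", []))
    resources = _as_list(statement.get("Resource", []))
    return any(_wildcard_match(a, action, ignore_case=True) for a in actions) and any(
        _wildcard_match(r, resource) for r in resources
    )


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Allow' or 'Deny' for one request against all attached identity policies.

    Evaluation order for identity-based policies on a User, Group or Role:
      1. start from an implicit Deny (no policy means no permission),
      2. an explicit Deny in any matching statement ends evaluation with Deny,
      3. otherwise any matching Allow grants the request.
    """
    decision = "Deny"  # implicit deny
    for policy in policies:
        for statement in _as_list(policy.get("Statement", [])):
            if not _statement_applies(statement, action, resource):
                continue
            if statement.get("Effect") == "Deny":
                return "Deny"  # explicit deny wins, whatever else allows it
            if statement.get("Effect") == "Allow":
                decision = "Allow"
    return decision


if __name__ == "__main__":
    attached = [DEVELOPER_POLICY, GUARDRAIL_POLICY]
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/x"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc"),
    ]:
        print(f"{act:25s} {res:55s} -> {evaluate(attached, act, res)}")
```

Running it shows the three outcomes the bullet list describes: `s3:GetObject` on the app bucket is allowed, `s3:DeleteObject` is denied even though `s3:*` allows it (the guardrail's explicit Deny wins), and anything no statement mentions, such as `ec2:TerminateInstances`, stays at the implicit Deny.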

🔑 Login Types — Console vs Programmatic

Login Type            | What is needed?                      | Who uses it?
----------------------|--------------------------------------|-------------------------------
🌐 Console Login      | Username + Password (+ optional MFA) | Humans, from a browser
💻 Programmatic Login | Access Key ID + Secret Access Key    | CLI, SDK and scripts
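What the programmatic credentials in this table actually do on the wire, as an added Python example that is not part of the original page and is not AWS's own SDK code: the Secret Access Key never leaves the client. It is only ever used as an HMAC key in the SigV4 derivation chain to sign each request, and the service verifies by looking up the secret for the presented Access Key ID and recomputing the signature. The credential pair below is the placeholder pair used in AWS documentation; the host, path and timestamp are constructed.

```python
import hashlib
import hmac

# Placeholder credential pair from AWS documentation (not real keys).
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The long-term secret is only an HMAC key here, and the
    derived key is scoped to one day, one region and one service."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_get_request(access_key_id, secret, host, path, region, service, amz_date):
    """Build the headers for a signed GET with an empty body (what the CLI/SDK sends)."""
    date_stamp = amz_date[:8]  # amz_date has the form YYYYMMDDTHHMMSSZ
    signed_headers = "host;x-amz-date"
    canonical_headers = f"host:{host}\nx-amz-date:{amz_date}\n"
    canonical_request = "\n".join([
        "GET", path, "",  # method, canonical URI, canonical query string (none)
        canonical_headers, signed_headers, _sha256_hex(b""),
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8")),
    ])
    signing_key = derive_signing_key(secret, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return {
        "Host": host,
        "x-amz-date": amz_date,
        # Only the key ID and the signature travel; the secret never does.
        "Authorization": (
            f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}"
        ),
    }


def verify_get_request(headers: dict, secret_lookup: dict, path: str, region: str, service: str) -> bool:
    """Service side: find the secret for the presented key ID, recompute the signature over
    the same request and compare in constant time. An unknown key, a wrong secret, or any
    change to a signed header (such as the date) fails verification."""
    auth = headers["Authorization"]
    presented_key_id = auth.split("Credential=", 1)[1].split("/", 1)[0]
    presented_signature = auth.rsplit("Signature=", 1)[1]
    secret = secret_lookup.get(presented_key_id)
    if secret is None:
        return False
    expected = sign_get_request(
        presented_key_id, secret, headers["Host"], path, region, service, headers["x-amz-date"]
    )
    expected_signature = expected["Authorization"].rsplit("Signature=", 1)[1]
    return hmac.compare_digest(expected_signature, presented_signature)


if __name__ == "__main__":
    signed = sign_get_request(
        ACCESS_KEY_ID, SECRET_ACCESS_KEY, "app-bucket.s3.amazonaws.com",
        "/report.csv", "us-east-1", "s3", "20260415T120000Z",
    )
    print(signed["Authorization"])
    print("valid:", verify_get_request(signed, {ACCESS_KEY_ID: SECRET_ACCESS_KEY}, "/report.csv", "us-east-1", "s3"))
```

This is why a leaked Access Key ID alone is harmless but a leaked secret is not, and why the Role-based alternative later on this page matters: a Role's STS credentials feed the same signing chain but expire, while a permanent secret baked into an EC2 instance keeps signing valid requests until someone rotates it.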

📊 4 Entities Quick Comparison

Entity    | Console Login? | Access Key?       | Credential Type                 | Used By
----------|----------------|-------------------|---------------------------------|-----------------------------
👤 User   | ✔ Yes          | ✔ Yes (permanent) | Username+Password / Access Key  | Humans / applications
👥 Group  | ✘ No           | ✘ No              | None (container only)           | User management
🎭 Role   | ✘ Not directly | ⚡ Temporary only  | Temporary credentials (STS)     | EC2, Lambda, services
📜 Policy | ✘ No           | ✘ No              | None (rule document)            | Attached to User/Group/Role

⚠ CONFUSION BUSTER — Role vs User (don't make this mistake)

                 | IAM User                               | IAM Role
-----------------|----------------------------------------|-------------------------------------
Key type         | Permanent Access Key                   | Temporary credentials (they expire)
Placed on EC2    | ❌ Bad practice: the key can be stolen  | ✔ Best practice: attach a Role
Use case         | Human developers, scripts              | AWS services, cross-account access

❓ MCQ Practice — Exam Style

Q1. Which IAM entity has an Access Key ID and Secret Access Key permanently attached?
A) Group   B) Role   C) User   D) Policy
Answer: C ✔ (IAM User)

Q2. Which IAM entity generates temporary credentials?
A) User   B) Role   C) Group   D) Policy
Answer: B ✔ (IAM Role)

Q3. What is the best practice for giving an EC2 instance access to S3?
A) User with Access Key   B) Group   C) Role   D) Root Account
Answer: C ✔ (IAM Role)

Q4. Which IAM entity cannot be logged into directly?
A) User   B) Group   C) Root Account   D) All
Answer: B ✔ (IAM Group)

Q5. What is needed to log in to the AWS Console from a browser?
A) Access Key ID   B) Secret Key   C) Username+Password   D) Role
Answer: C ✔ (Username + Password)

🇳🇵 Nepali Scenarios — Real Examples

Scenario              | Need                                       | Solution
----------------------|--------------------------------------------|--------------------------------------------
👨‍💻 Developer access   | Both Console and CLI access                | IAM User → Username+Password + Access Keys
🖥 EC2 → DynamoDB     | EC2 app needs DB access, no hardcoded key  | IAM Role → attach it to the EC2 instance
👥 10-developer team  | Same permissions, easy to manage           | IAM Group → attach Policy → add the Users

⚡ FINAL EXAM CHEATSHEET — 5 Second Answer

Keyword in the question                                      | Answer     | Why?
-------------------------------------------------------------|------------|--------------------------------------
Permanent Access Key / Username+Password                     | IAM User   | Individual permanent identity
Temporary credential / EC2 needs access / Service to service | IAM Role   | Temporary, no permanent key
Multiple users / Same permission / Team                      | IAM Group  | User container, cannot log in
Permission document / Allow Deny / JSON                      | IAM Policy | Defines the rules, is not a login
