
AWS IAM & Billing Alerts

What is IAM?

IAM stands for Identity and Access Management.
It is the AWS service that controls who (which identities) can do what (which actions, on which resources) in your AWS environment.

In short,

IAM lets you manage users, groups, roles, and permissions securely.

Why is IAM Important?

Imagine you have multiple people or systems accessing your AWS account. You wouldn’t give everyone the root account credentials, right?

IAM lets you:

  • Create individual users or roles
  • Give them only the permissions they need (principle of least privilege)
  • Control access to specific AWS services and resources

Key Components of IAM:

1. Users

  • Represents a person or an application.
  • Has long-term credentials (a console password and/or access keys) that must be protected and rotated.
  • Can be assigned permissions directly or via groups.

2. Groups

  • A collection of users.
  • You assign permissions to the group, and all users in that group inherit them.
  • Example: A “Developers” group may have EC2 and S3 access.

3. Roles

  • An identity with no long-term credentials of its own; whoever assumes the role receives short-lived credentials from AWS STS.
  • Used for temporary access that expires automatically.
  • Commonly used by:
    • AWS services (e.g., EC2 accessing S3)
    • Federated users (e.g., SSO from Active Directory)
    • Cross-account access

4. Policies

  • JSON documents that define permissions.
  • You attach policies to users, groups, or roles.
  • Example (a complete policy that allows listing the contents of one bucket):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket"
    }
  ]
}
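To see how several statements and policies combine, here is a small evaluator that applies IAM's decision order (explicit Deny wins, then any matching Allow, otherwise implicit deny) to constructed example policies. This is an added illustration, not code or policy from the original notes; the "Developers" policy, the bucket names, the account ID and the instance ID are all made up, and Conditions, NotAction/NotResource and resource-based policies are deliberately out of scope.

```python
import json
import re

# Constructed example policies for illustration (not from the original page).
# A "Developers" group policy: read-only access to one bucket, read-only EC2
# describe calls, and an explicit Deny on deleting objects in the bucket.
DEVELOPERS_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": "ec2:Describe*",
      "Resource": "*"
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}
""")

# A second, overly broad policy (also constructed) to show that an explicit
# Deny in one policy still wins over an Allow granted by another.
S3_FULL_ACCESS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive in IAM; ARNs are matched as written."""
    if ignore_case:
        pattern, value = pattern.lower(), value.lower()
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, re.DOTALL) is not None


def evaluate(policies, action, resource):
    """Decide a request the way IAM does for identity-based policies:
    an explicit Deny anywhere wins, otherwise any matching Allow grants the
    request, otherwise the request is implicitly denied."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if not any(_wildcard_match(a, action, True) for a in actions):
                continue
            if not any(_wildcard_match(r, resource, False) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit Deny: nothing can override it
            decision = "Allow"     # keep scanning in case a Deny follows
    return decision


def demo():
    """Evaluate a few requests a developer might make against the policy."""
    requests = [
        ("s3:ListBucket", "arn:aws:s3:::my-bucket"),
        ("s3:GetObject", "arn:aws:s3:::my-bucket/reports/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/reports/q1.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::my-bucket/reports/q1.csv"),
        ("ec2:DescribeInstances", "*"),
        ("ec2:TerminateInstances",
         "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"),
    ]
    return {f"{a} on {r}": evaluate([DEVELOPERS_POLICY], a, r) for a, r in requests}


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{decision:12s} {request}")
```

The point worth checking in practice: `evaluate([S3_FULL_ACCESS_POLICY, DEVELOPERS_POLICY], "s3:DeleteObject", ...)` still returns "Deny", because a user who is in a group with the broad policy and also carries the Developers policy is bound by the Deny. Attaching `s3:*` elsewhere does not re-open what an explicit Deny closed.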

What Can IAM Do?

Feature                           | Description
----------------------------------|------------------------------------------------------------
Fine-grained access               | Control access to specific services, actions, and resources
Multi-factor authentication (MFA) | Adds an extra layer of security on top of the password or key
Temporary credentials             | Short-lived credentials used for roles and federated users
Cross-account access              | Share resources securely between AWS accounts
Audit and logging                 | Works with AWS CloudTrail to record who did what, and when

Delegate Access to the Billing Console

AWS account owners can delegate access to specific IAM users that need to view or manage the AWS Billing and Cost Management data for an account. One caveat: billing data is locked to the root user by default, so the root user must first enable IAM user and role access to Billing information in the account settings. Until that switch is on, even an IAM user with administrator permissions gets no access to the Billing console.

The process of delegating access to the billing console consists of four key steps.

Billing Alerts

Users can set up a CloudWatch alarm on the account's estimated charges so that an e-mail notification (sent through an SNS topic) goes out when the estimated charges reach a chosen threshold. Billing alerts must first be enabled in the Billing preferences, and the billing metric is only published in the us-east-1 region.
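As an added example (not part of the original notes), the alarm definition below captures the details that usually trip people up: the metric lives in the AWS/Billing namespace in us-east-1 only, carries a Currency dimension, and is refreshed only a few times a day, so a 6-hour period with the Maximum statistic is the normal choice. The topic name, e-mail handling and the threshold ladder are assumptions for illustration; the `create_billing_alarms` function uses boto3 and only works with credentials and network access, so it imports boto3 lazily and the rest stays usable offline.

```python
def billing_alarm_definition(threshold_usd, sns_topic_arn, alarm_name="EstimatedCharges-USD"):
    """Build the CloudWatch put_metric_alarm parameters for an estimated-charges
    alarm. The AWS/Billing metric exists only in us-east-1 and only after
    'Receive CloudWatch billing alerts' is enabled in Billing preferences."""
    if threshold_usd <= 0:
        raise ValueError("threshold must be a positive USD amount")
    return {
        "AlarmName": alarm_name,
        "AlarmDescription": f"Estimated AWS charges reached USD {threshold_usd:.2f}",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",          # the running month-to-date estimate only goes up
        "Period": 21600,                 # 6 hours: the metric is refreshed a few times a day
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        "TreatMissingData": "notBreaching",  # a fresh account with no data yet is not an alert
        "AlarmActions": [sns_topic_arn],
    }


def billing_alarm_ladder(thresholds_usd, sns_topic_arn):
    """Several alarms at rising thresholds (assumed here: e.g. 50, 100, 500 USD)
    so the first mail is an early warning and later ones confirm spend is still climbing."""
    return [
        billing_alarm_definition(t, sns_topic_arn, alarm_name=f"EstimatedCharges-USD-{int(t)}")
        for t in sorted(thresholds_usd)
    ]


def create_billing_alarms(thresholds_usd, email, topic_name="billing-alerts"):
    """Create the SNS topic, subscribe the e-mail address, and put the alarms.
    Needs AWS credentials and network access; boto3 is imported here so the
    definitions above can be used (and tested) offline."""
    import boto3  # assumed to be installed where this is run for real

    sns = boto3.client("sns", region_name="us-east-1")
    topic_arn = sns.create_topic(Name=topic_name)["TopicArn"]
    # The recipient must click the confirmation link SNS e-mails before any alert is delivered.
    sns.subscribe(TopicArn=topic_arn, Protocol="email", Endpoint=email)
    cloudwatch = boto3.client("cloudwatch", region_name="us-east-1")
    for alarm in billing_alarm_ladder(thresholds_usd, topic_arn):
        cloudwatch.put_metric_alarm(**alarm)
    return topic_arn


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(create_billing_alarms([50, 100, 500], sys.argv[1]))
    else:
        print("usage: python billing_alarms.py you@example.com")
```

The alarm is an early-warning control, not a spending cap: nothing here stops resources from running once the threshold is crossed. Creating it also needs the IAM permissions for cloudwatch:PutMetricAlarm, sns:CreateTopic and sns:Subscribe, which is exactly the kind of scoped grant the policy section above is about.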