
Securing an AWS Account the DevOps Way: IAM Best Practices (Hands-On Project)

Published
4 min read

When most beginners start learning AWS, they jump straight into EC2, deployments, or CI/CD.
In real-world DevOps, that approach is dangerous.

Before running even a single server, the first responsibility of a DevOps engineer is security, and on AWS that starts with IAM (Identity and Access Management).

In this blog, I’ll walk you through how I secured an AWS account using IAM best practices, backed by a hands-on project where an EC2 instance accesses AWS services without using access keys.

This is Project 1 of my AWS DevOps journey.


Why IAM Is the Foundation of DevOps on AWS

IAM defines:

  • Who can access your AWS account

  • What actions they can perform

  • How AWS services interact with each other

A small IAM misconfiguration can lead to:

  • Credential leaks

  • Accidental deletion of resources

  • Massive and unexpected AWS bills

That’s why IAM is always the first step in any production-grade AWS or DevOps setup.


Step 1: Securing the Root User

The root user has unrestricted access to the AWS account, and no IAM policy can restrict it.

What I implemented

  • Logged in using the root user

  • Enabled Multi-Factor Authentication (MFA)

  • Restricted root usage to:

    • Billing

    • Account recovery

    • Emergency scenarios only

DevOps best practice

The root user should never be used for daily operations, and it should not have access keys at all: check the root user's security credentials page and delete any that exist.

This single step drastically reduces the blast radius of a security breach.


Step 2: Creating an IAM Admin User for Daily Operations

Instead of using root, I created a dedicated IAM user for administrative work.

IAM Admin User

  • Username: devops-admin

  • Access: AWS Console + Programmatic (access keys)

  • Permissions: AdministratorAccess

This user is used for all daily DevOps activities. Two caveats apply to it. First, enable MFA on this user as well: with AdministratorAccess it can do nearly everything root can. Second, its access keys are long-term credentials, the same kind that Step 4 keeps off servers, so treat them as a learning-stage convenience. For human access AWS now recommends short-lived credentials through IAM Identity Center, or an MFA-protected role assumed from a minimally privileged user, rather than IAM user access keys.


Step 3: Implementing RBAC Using IAM Groups

Rather than attaching permissions directly to users, I grouped users by job function and attached policies to IAM groups, an RBAC-style model (note that in AWS terminology a "role" is the assumable identity used in Step 4, not a group). The devops-admin user from Step 2 should get AdministratorAccess by membership in the Admins group, not through a directly attached policy.

Groups created

Group         Policy attached
Admins        AdministratorAccess
Developers    AmazonEC2ReadOnlyAccess
Interns       AmazonS3ReadOnlyAccess

Why this matters

  • Simplifies permission management

  • Reduces the chance of misconfiguration

  • Mirrors how real DevOps teams manage access


Step 4: Using IAM Roles for EC2 (Critical DevOps Concept)

One golden rule in DevOps security is:

Never store AWS access keys on servers.

To follow this principle, I created an IAM Role specifically for EC2.

Role details

  • Role Name: EC2-S3-Read-Only-Role

  • Policy: AmazonS3ReadOnlyAccess (an AWS managed policy that grants s3:Get* and s3:List* on every bucket in the account; adequate for a first project, but a production role should be scoped to the bucket or buckets the instance actually reads)

With IAM roles:

  • No long-term credentials are stored on the instance

  • The instance fetches short-lived credentials from the Instance Metadata Service (IMDS), AWS rotates them automatically, and the CLI and SDKs pick them up with no configuration

  • A leaked credential expires within hours instead of living forever

One caveat: require IMDSv2 on the instance (token-based access to the metadata service), so that an SSRF or similar bug in an application on the box cannot fetch the role's credentials with a single unauthenticated GET.

This is how production systems are designed.
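The console hides two details of Step 4: the trust policy that lets EC2 assume the role, and the instance profile that actually attaches it to an instance. As an added example (not from the original post or its repository), here is the same role built from the CLI, with a read policy scoped to a single bucket in place of the account-wide AmazonS3ReadOnlyAccess. The role name is the post's; the bucket name my-app-artifacts is an assumed placeholder, and the aws calls only run when APPLY=1 is set, so the script can be read and tested without touching an account.

```shell
#!/bin/sh
# Added example, not from the original post: create the EC2 role from the CLI with
# a trust policy for EC2 and a read policy scoped to one bucket instead of the
# account-wide AmazonS3ReadOnlyAccess. ROLE_NAME is the post's role; BUCKET is an
# assumed placeholder. The aws calls only run when APPLY=1 is set.
set -u
ROLE_NAME="${ROLE_NAME:-EC2-S3-Read-Only-Role}"
BUCKET="${BUCKET:-my-app-artifacts}"   # assumed example bucket name

# Trust policy: who may assume the role. The console writes this for you when you
# pick "EC2" as the trusted entity; here it is explicit.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Service": "ec2.amazonaws.com" },
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Permission policy: list one bucket and read its objects, nothing else.
# AmazonS3ReadOnlyAccess by contrast grants s3:Get* and s3:List* on Resource "*".
s3_bucket_read_policy() {
  bucket="$1"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOneBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
      "Resource": "arn:aws:s3:::${bucket}"
    },
    {
      "Sid": "ReadObjectsInThatBucket",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::${bucket}/*"
    }
  ]
}
EOF
}

# Guard rail for a policy document fed on stdin: succeeds if any statement uses
# the wildcard resource "*", which is exactly what least privilege avoids.
policy_has_wildcard_resource() {
  grep -Eq '"Resource"[[:space:]]*:[[:space:]]*"\*"'
}

if s3_bucket_read_policy "$BUCKET" | policy_has_wildcard_resource; then
  echo "refusing to create role: policy contains a wildcard resource" >&2
  exit 1
fi

if [ "${APPLY:-0}" = 1 ] && command -v aws >/dev/null 2>&1; then
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam put-role-policy --role-name "$ROLE_NAME" \
    --policy-name "S3Read-${BUCKET}" \
    --policy-document "$(s3_bucket_read_policy "$BUCKET")"
  # EC2 attaches a role through an instance profile; the console creates one with
  # the same name automatically, the CLI does not.
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  echo "Role $ROLE_NAME ready; attach instance profile $ROLE_NAME when launching EC2."
fi
```

With the scoped policy, a bare aws s3 ls (which needs s3:ListAllMyBuckets) is denied by design; verify with aws s3 ls s3://my-app-artifacts instead. Run as APPLY=1 ./create-role.sh from the admin workstation, never from the instance.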


Step 5: Validating IAM Role Access from EC2

After launching an Ubuntu EC2 instance with the IAM role attached, I validated the setup.

Installing AWS CLI on Ubuntu

AWS CLI is not pre-installed on Ubuntu AMIs.
The snap package is the quickest route on Ubuntu (AWS also documents a zip installer downloaded from awscli.amazonaws.com; both give you AWS CLI v2):

sudo snap install aws-cli --classic

Confirm the install with aws --version before going further.

Verifying role assumption

aws sts get-caller-identity

The Arn field in the output is the proof. For role-based credentials it has the form arn:aws:sts::<account-id>:assumed-role/EC2-S3-Read-Only-Role/<instance-id> (the session name is the instance ID). An ARN of the form arn:aws:iam::<account-id>:user/... would mean a user's access keys are configured somewhere on the host (environment variables or ~/.aws) and are taking precedence over the role.

This confirmed that:

  • The EC2 instance successfully assumed the IAM role

  • No IAM user credentials were configured on the server


Testing S3 access

aws s3 ls

The command executed successfully using IAM role-based authentication.
If no S3 buckets exist, an empty output is still a valid success; the exit code (echo $?) is 0. To confirm the role is really read-only, also attempt a write such as aws s3 mb s3://<some-bucket-name> and check that it fails with AccessDenied.
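The validation above can be scripted so that the result is evidence rather than an impression. The following is an added example, not from the original post or its GitHub repository: it checks that the caller identity is an STS session for the expected role (and names what it is otherwise), that no long-term keys are present on the host, that a write is refused, and that the metadata service rejects unauthenticated IMDSv1 requests. The role name defaults to EC2-S3-Read-Only-Role from the post; the sample ARNs are constructed, and the probe bucket name is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: checks that turn "it worked" into
# evidence that credentials come from the instance-profile role and nowhere else.
# EXPECTED_ROLE defaults to the post's role name; the live checks only run when
# the AWS CLI is installed, the pure functions work anywhere.
set -u
EXPECTED_ROLE="${EXPECTED_ROLE:-EC2-S3-Read-Only-Role}"

# Constructed sample values (account ID is the AWS documentation placeholder),
# shaped like `aws sts get-caller-identity --query Arn --output text` output.
SAMPLE_ROLE_ARN="arn:aws:sts::123456789012:assumed-role/EC2-S3-Read-Only-Role/i-0123456789abcdef0"
SAMPLE_USER_ARN="arn:aws:iam::123456789012:user/devops-admin"

# Instance-profile credentials yield an STS session ARN:
#   arn:aws:sts::<account-id>:assumed-role/<RoleName>/<instance-id>
# Succeeds only for such a session of the expected role ($2).
is_assumed_role_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/"$2"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Names the principal type so a failed check explains itself.
classify_caller() {
  case "$1" in
    arn:aws:iam::*:root)           echo root ;;
    arn:aws:iam::*:user/*)         echo iam-user ;;
    arn:aws:sts::*:assumed-role/*) echo assumed-role ;;
    *)                             echo unknown ;;
  esac
}

# Succeeds if long-term keys are present in the environment or in
# <home>/.aws/credentials. The home directory is a parameter so the check can be
# exercised against a scratch directory.
has_static_credentials() {
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then return 0; fi
  [ -r "$1/.aws/credentials" ] && grep -q '^[[:space:]]*aws_access_key_id' "$1/.aws/credentials"
}

if command -v aws >/dev/null 2>&1; then
  caller_arn=$(aws sts get-caller-identity --query Arn --output text 2>/dev/null || echo "")
  if is_assumed_role_arn "$caller_arn" "$EXPECTED_ROLE"; then
    echo "OK: caller is the instance role $EXPECTED_ROLE ($caller_arn)"
  else
    echo "WARN: caller is '$(classify_caller "$caller_arn")', not role $EXPECTED_ROLE: '$caller_arn'" >&2
  fi

  if has_static_credentials "${HOME:-}"; then
    echo "WARN: long-term access keys found on this host; the role makes them unnecessary" >&2
  fi

  # Negative test: a read-only role must be refused a write. If the call somehow
  # succeeds, the probe bucket is removed again. Bucket name is an assumption.
  probe="s3://iam-probe-$(date +%s)"
  if out=$(aws s3 mb "$probe" 2>&1); then
    aws s3 rb "$probe" >/dev/null 2>&1
    echo "WARN: bucket creation succeeded; this role is not read-only" >&2
  else
    case "$out" in
      *AccessDenied*) echo "OK: write refused with AccessDenied, role is read-only" ;;
      *) echo "INFO: write failed for another reason: $out" ;;
    esac
  fi

  # The CLI fetched its keys from IMDS; with IMDSv2 enforced, an unauthenticated
  # GET for the credential path must not succeed.
  if command -v curl >/dev/null 2>&1; then
    if curl -sf --connect-timeout 1 \
        http://169.254.169.254/latest/meta-data/iam/security-credentials/ >/dev/null 2>&1; then
      echo "WARN: IMDSv1 answered without a token; run: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required" >&2
    else
      echo "OK: metadata service rejected the unauthenticated request"
    fi
  fi
fi
```

Run it on the instance after attaching the role; every line should start with OK. A WARN on the first check usually means someone ran aws configure on the box, which is exactly the mistake the role is meant to make unnecessary.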


Security Best Practices Applied

  • Root user protected with MFA

  • No access keys stored on EC2

  • IAM roles used for service-to-service access

  • Least privilege direction: the instance role is read-only on S3 rather than an admin role (scoping it to named buckets is the next refinement)

  • Policies attached to groups, not individual users


Common IAM Mistakes This Project Avoids

  • Using root user for daily tasks

  • Running aws configure on EC2

  • Hardcoding AWS credentials on servers

  • Granting excessive permissions to IAM users

Avoiding these mistakes already places you ahead of many beginners.


What This Project Demonstrates

This project proves:

  • Real-world DevOps IAM workflow

  • Production-grade AWS security mindset

  • Hands-on understanding beyond tutorials

  • Interview-ready AWS IAM knowledge


Project Documentation

Complete hands-on documentation, commands, and architecture details are available on GitHub:
👉 Link


Final Thoughts

IAM is not just another AWS service.
It is the security backbone of DevOps on AWS.

If IAM is designed correctly:

  • Everything else becomes safer

  • Operations become easier

  • Scaling becomes predictable

This project establishes a strong foundation for all future AWS and DevOps work.


What’s Next

Project 2: IAM Role vs IAM User on EC2 – a real-world security comparison.


If you’re also learning DevOps, feel free to connect with me on LinkedIn and follow my journey as I build production-ready AWS projects step by step.
