IAM, Billing & Security Basics in AWS

Complete guide to AWS IAM, MFA, Users, Groups, Roles, Policies, Billing, Budgets, CloudTrail, Security Groups, Encryption, and AWS account security best practices.

Table of Contents

  1. Why Security Matters
  2. AWS Account Security Setup
  3. Root User
  4. Multi-Factor Authentication (MFA)
  5. What is IAM?
  6. IAM Components
  7. IAM User
  8. IAM Group
  9. IAM Policy
  10. IAM Role
  11. IAM User vs IAM Role
  12. Access Keys
  13. AWS Billing
  14. AWS Budgets
  15. Billing Alerts
  16. Cost Explorer
  17. CloudTrail
  18. Security Groups
  19. Encryption
  20. Spring Boot Example
  21. Security Checklist
  22. Interview Questions
  23. Key Takeaways

1. Why Security Matters

Imagine your company deploys a Spring Boot banking application to AWS.

Without security:

  • Anyone can access production resources
  • Developers can accidentally delete databases
  • Billing costs can explode
  • Data breaches become possible

flowchart TB

A["AWS Account"] --> B["Security"]
B --> C["Billing Control"]
C --> D["Monitoring"]
D --> E["Production Applications"]

Security must be configured before creating any AWS resource.


2. AWS Account Security Setup

Recommended setup flow:

flowchart TB

A["Create AWS Account"] --> B["Enable MFA"]
B --> C["Create Admin IAM User"]
C --> D["Create Groups"]
D --> E["Attach Policies"]
E --> F["Configure Billing Alerts"]
F --> G["Enable CloudTrail"]

3. Root User

The root user is created when an AWS account is created.

Root User Permissions

flowchart LR

Root["Root User"]

Root --> Billing
Root --> Security
Root --> IAM
Root --> EC2
Root --> S3
Root --> RDS

The root user has unrestricted access.

Best Practice

❌ Do not use root user daily

✅ Create IAM users

✅ Enable MFA


4. Multi-Factor Authentication (MFA)

MFA adds a second layer of security.

Without MFA:

flowchart LR

Password --> Login

With MFA:

flowchart LR

Password --> MFA --> SecureLogin

Benefits:

  • Prevents account takeover
  • Protects privileged users
  • Required for production accounts

5. What is IAM?

IAM stands for Identity and Access Management.

IAM controls:

  • Authentication
  • Authorization
  • Access to AWS resources

flowchart LR

User --> IAM --> AWSResources

6. IAM Components

mindmap
  root((IAM))
    Users
    Groups
    Roles
    Policies

User

Represents a person or application.

Group

Collection of users.

Role

Temporary permissions.

Policy

Defines permissions.


7. IAM User

Example:

venu
john
admin
devops

Diagram:

flowchart TB

AWS["AWS Account"]

AWS --> User1["Developer"]
AWS --> User2["Admin"]
AWS --> User3["DevOps"]

8. IAM Group

Instead of assigning permissions individually:

flowchart TB

Group["Developer Group"]

Group --> Venu
Group --> John
Group --> Priya

Policy --> Group

Benefits:

  • Easier management
  • Consistent permissions

9. IAM Policy

Policies define permissions.

Example:

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "*"
  }]
}

Policy Flow:

flowchart LR

User --> Group --> Policy --> Resource
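
Resource "*" in the policy above means s3:GetObject on every object in every bucket the account owns. The added Python model below (not code from the page) shows how IAM decides a request: a matching explicit Deny wins, then a matching Allow, otherwise the request is implicitly denied. It contrasts the page's policy with a least-privilege one scoped to a constructed bucket named app-uploads; Condition, NotAction, resource policies and SCPs are left out of the model.

```python
import fnmatch
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match_action(patterns, action):
    # IAM action names are case-insensitive; "*" and "?" are the only wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))

def _match_resource(patterns, arn):
    # Resource ARNs are matched case-sensitively, with the same wildcards.
    return any(fnmatch.fnmatchcase(arn, p) for p in _as_list(patterns))

def evaluate(policy, action, resource):
    """Return 'explicit-deny', 'allow' or 'implicit-deny' for one request."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    decision = "implicit-deny"                      # nothing has matched yet
    for stmt in _as_list(doc["Statement"]):
        if not (_match_action(stmt.get("Action", []), action)
                and _match_resource(stmt.get("Resource", []), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit-deny"                  # a matching Deny always wins
        decision = "allow"
    return decision

def is_allowed(policy, action, resource):
    return evaluate(policy, action, resource) == "allow"

# The policy from the page: s3:GetObject on every object in every bucket of the account.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"}]}

# Least-privilege variant (constructed): full access to one bucket, except that deleting
# objects or the bucket itself is explicitly denied even though "s3:*" would allow it.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::app-uploads", "arn:aws:s3:::app-uploads/*"]},
    {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
     "Resource": ["arn:aws:s3:::app-uploads", "arn:aws:s3:::app-uploads/*"]}]}

if __name__ == "__main__":
    for pol, name in ((BROAD_POLICY, "broad"), (SCOPED_POLICY, "scoped")):
        for act, arn in (("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt"),
                         ("s3:DeleteObject", "arn:aws:s3:::app-uploads/report.pdf")):
            print(f"{name:6} {act:16} {arn:42} -> {evaluate(pol, act, arn)}")
```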

10. IAM Role

Used for temporary access.

Example:

flowchart LR

EC2 --> IAMRole --> S3

Benefits:

  • No hardcoded credentials
  • Automatic rotation
  • More secure

11. IAM User vs IAM Role

  IAM User             | IAM Role
  ---------------------|----------------------
  Long-term identity   | Temporary identity
  Human users          | AWS services
  Passwords            | Temporary credentials

12. Access Keys

Used for:

  • AWS CLI
  • SDK
  • Automation

flowchart LR

AccessKey --> CLI
AccessKey --> SDK
AccessKey --> Automation

Never commit access keys to source control such as GitHub.


13. AWS Billing

AWS uses pay-as-you-go pricing.

mindmap
  root((AWS Costs))
    EC2
    S3
    RDS
    Lambda
    Data Transfer

14. AWS Budgets

Budget Example:

Monthly Budget = $10
Alert = 80%
Alert = 100%

Diagram:

flowchart LR

Budget --> Alert80

Budget --> Alert100

15. Billing Alerts

flowchart LR

AWSCost --> CloudWatch --> SNS --> Email

16. Cost Explorer

Analyze spending by:

  • Service
  • Region
  • Tags
  • Time

flowchart TB

CostExplorer --> Service
CostExplorer --> Region
CostExplorer --> Tags
CostExplorer --> Time

17. CloudTrail

Records every AWS API call.

sequenceDiagram

participant User
participant AWS
participant CloudTrail

User->>AWS: Create EC2
AWS->>CloudTrail: Log Event
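
Because each CloudTrail record names the caller and, for console sign-ins, whether MFA was used, the trail is where the checklist items "Root User Protected" and "MFA Enabled" can actually be verified. The added Python script below (not from the page) scans a constructed CloudTrail log for root-user activity and for successful console logins without MFA; the account id and the IP addresses in the sample are documentation placeholders.

```python
import json

# Constructed sample in the shape CloudTrail delivers to S3: {"Records": [...]}.
# Account id 111122223333 and the 203.0.113.x addresses are documentation placeholders.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T08:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-05-01T08:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "userName": "venu"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "sourceIPAddress": "203.0.113.12",
     "userIdentity": {"type": "IAMUser", "userName": "john"}},
    {"eventTime": "2024-05-01T09:30:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.13",
     "userIdentity": {"type": "IAMUser", "userName": "john"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
]})

def audit_records(log_text):
    """Return (finding, eventTime, who, detail) tuples for the two checklist items."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        who = ident.get("userName") or ident.get("arn", "unknown")
        # "Root User Protected": any API call or sign-in by the root user is a finding.
        if ident.get("type") == "Root":
            findings.append(("ROOT_ACTIVITY", rec["eventTime"], who, rec["eventName"]))
        # "MFA Enabled": a successful console login must carry MFAUsed == "Yes".
        if (rec.get("eventName") == "ConsoleLogin"
                and rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
                and rec.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
            findings.append(("CONSOLE_LOGIN_NO_MFA", rec["eventTime"], who,
                             rec.get("sourceIPAddress", "?")))
    return findings

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_LOG):
        print(*finding)
```

The root sign-in in the sample produces two findings (root activity and a login without MFA), so the same event can trip more than one check.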

18. Security Groups

Security Groups act like firewalls.

flowchart LR

Internet --> SecurityGroup --> EC2

19. Encryption

Two types:

  • Encryption At Rest
  • Encryption In Transit

flowchart TB

Data --> Rest["At Rest"]
Data --> Transit["In Transit"]

Examples:

  • S3 Encryption
  • RDS Encryption
  • HTTPS

20. Spring Boot Example

Bad:

aws:
  access-key: AKIA...
  secret-key: secret...

Good:

flowchart LR

SpringBoot --> IAMRole --> S3

Use IAM Roles.
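
A secret written into application.yml ends up in every clone of the repository, so a check that fails the build when it sees an access key is worth more than a reminder. The added Python check below (not code from the page) scans a constructed Spring configuration for AWS access key ids and secret keys, using the non-functional example key pair that AWS's own documentation publishes.

```python
import re

# Long-term AWS access key ids are 20 characters starting with "AKIA" (temporary ones with
# "ASIA"); the secret is 40 base64-like characters. The second pattern keys on the setting
# name (secret-key, secret_access_key, secretAccessKey, ...) so that an unrelated 40-character
# string elsewhere in the file is not flagged.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret[-_]?(?:access[-_]?)?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])")

def scan_config(text):
    """Return (line_number, finding) pairs. The matched values are deliberately not
    returned, so the result can be printed in CI logs without leaking the secret again."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        if ACCESS_KEY_RE.search(line):
            hits.append((number, "aws-access-key-id"))
        if SECRET_KEY_RE.search(line):
            hits.append((number, "aws-secret-access-key"))
    return hits

# Constructed sample of the "Bad" application.yml above, filled in with the example key
# pair from the AWS documentation (it does not belong to any real account).
BAD_CONFIG = """\
aws:
  region: eu-west-1
  access-key: AKIAIOSFODNN7EXAMPLE
  secret-key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# The "Good" shape: only non-secret settings; credentials come from the IAM role attached
# to the EC2 instance or container, which the AWS SDK's default credential chain picks up.
GOOD_CONFIG = """\
aws:
  region: eu-west-1
"""

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, scan_config(cfg) or "clean")
```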


21. Security Checklist

  • MFA Enabled
  • Root User Protected
  • IAM Groups Used
  • Least Privilege
  • Budgets Configured
  • Billing Alerts Enabled
  • CloudTrail Enabled
  • No Hardcoded Secrets

22. Interview Questions

What is IAM?

Identity and Access Management.

Difference between User and Role?

User is long-term. Role is temporary.

What is CloudTrail?

AWS auditing service.

Why MFA?

Additional security layer.


23. Key Takeaways

  • IAM controls access.
  • MFA is mandatory.
  • Root user should not be used daily.
  • IAM Roles are preferred over access keys.
  • Budgets prevent surprise bills.
  • CloudTrail provides auditing.
  • Security Groups protect resources.
  • Encryption protects data.