This content originally appeared on DEV Community and was authored by Suvrajeet Banerjee
Ever wondered how tech companies ensure their interns can’t accidentally shut down production servers? The answer lies in AWS IAMβand today, you’ll master it.
The Problem Every Developer Faces
Picture this: You’re scaling your application for the holiday season rush. Traffic is about to spike 10x, and you need additional EC2 instances running. But here’s the catchβyou’re also onboarding a new team member who needs access to test environments without touching production.
One wrong click, and your live application could go dark.
Sound familiar? Welcome to the world of cloud security, where AWS Identity and Access Management (IAM) becomes your best friend.
What You’ll Build Today
By the end of this tutorial, you’ll have:
Two EC2 instances – one for production, one for development
A bulletproof IAM policy that restricts access based on environment tags
A dedicated IAM user with limited permissions
Hands-on testing to verify everything works as expected
Step 1: Launch Your EC2 Instances
First, let’s create the infrastructure we’ll be securing. We’ll launch two instances with different environment tags.
Creating the Production Instance
-
Navigate to EC2 Console
- Open your AWS Management Console
- Search for “EC2” in the services search bar
- Switch to your preferred region
-
Launch Your First Instance
- Click “Launch instance”
- Configure the following:
Name: web-server-prod
-
Add Environment Tags
- Click “Add additional tags”
- Create a new tag:
-
Key:
Env -
Value:
production
-
Key:
-
Configure Basic Settings
- Choose a Free tier eligible AMI (Amazon Machine Image)
- Select a Free tier eligible instance type
- For Key pair: Select “Proceed without a key pair”
Launch the Instance
Creating the Development Instance
Repeat the same process with these modifications:
Name: web-server-dev
Tag Key: Env
Tag Value: development
Checkpoint: You now have two instances with different environment tags!
Step 2: Create a Bulletproof IAM Policy
Now comes the magicβcreating a policy that allows access to development resources while blocking production access.
Understanding the Policy Structure
Navigate to IAM β Policies β Create policy, then switch to JSON editor and paste this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Env": "development"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Resource": "*"
}
]
}
Policy Breakdown
Statement 1: Allows all EC2 actions, but only on resources tagged with Env: development
Statement 2: Allows describing all EC2 resources (needed for console navigation)
Statement 3: Denies tag modification to prevent privilege escalation
Policy Details:
-
Name:
DevEnvironmentPolicy -
Description:
IAM Policy for development environment access
Step 3: Set Up User Groups and Users
Create the User Group
- Navigate to IAM β User groups β Create group
-
Configure Group:
-
Name:
dev-team-group -
Attach policies: Select
DevEnvironmentPolicy
-
Name:
Create the IAM User
- Navigate to IAM β Users β Create user
- User Configuration:
Username: dev-team-member
☑ Provide user access to AWS Management Console
β Users must create new password at next sign-in
-
Add to Group: Select
dev-team-group
Pro Tip: In production, always require password changes on first login!
Step 4: Create an Account Alias
Make login easier for your team by creating a friendly account alias.
- Navigate to IAM β Dashboard
- Create Account Alias:
Alias: your-company-aws-dev
This changes your sign-in URL from:
https://123456789.signin.aws.amazon.com/console/
To:
https://your-company-aws-dev.signin.aws.amazon.com/console/
Step 5: Test Your Security Configuration
Time to verify everything works as expected!
Testing as the IAM User
- Open an incognito window
- Navigate to your custom sign-in URL
- Log in with your IAM user credentials
Security Test 1: Try to Stop Production Instance
- Navigate to EC2 β Instances
- Select your production instance
- Actions β Instance state β Stop
Expected Result: 
Access denied error
Security Test 2: Try to Stop Development Instance
- Select your development instance
- Actions β Instance state β Stop
Expected Result: Instance stops successfully
Advanced: Using IAM Policy Simulator
For faster permission testing, use the IAM Policy Simulator:
- Navigate to IAM β Policy Simulator
-
Select your user:
dev-team-member -
Test actions: Try
ec2:StopInstanceson both instances - View results: See permissions without actually performing actions
Step 6: Clean Up Resources
Always clean up to avoid charges:
Delete EC2 Instances
- Terminate both production and development instances
Delete IAM Resources
- Remove user from group
- Delete the IAM user
- Delete the user group
- Delete the custom policy
- Remove account alias
What You’ve Accomplished
You’ve just built a production-ready security system that:
Restricts access based on environment tags
Uses resource tagging for granular control
Implements group-based permissions for scalability
Includes testing strategies for verification
Next Steps
Ready to level up your AWS security game?
Explore cross-account access with IAM roles
Implement CloudTrail for audit logging
Set up MFA for additional security layers
Learn about service-linked roles for AWS services
Key Takeaways
AWS IAM isn’t just about restricting accessβit’s about enabling teams to work efficiently while maintaining security. The combination of resource tags, conditional policies, and user groups creates a powerful, scalable security model.
Remember: Security is not a feature you add laterβit’s a foundation you build upon.
Found this tutorial helpful? Drop a comment below and share your IAM security wins!
This content originally appeared on DEV Community and was authored by Suvrajeet Banerjee