The latest articles on DEV Community by Himanshu Maheshwari (@im_himanshu_maheshwari). https://dev.to/im_himanshu_maheshwari https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3706675%2F8c3787d5-dd96-4041-b873-39c28e8ea4e2.png https://dev.to/im_himanshu_maheshwari en Himanshu Maheshwari Wed, 14 Jan 2026 13:50:39 +0000 https://dev.to/im_himanshu_maheshwari/aws-iam-policies-simple-easy-1g7n https://dev.to/im_himanshu_maheshwari/aws-iam-policies-simple-easy-1g7n <p>Imagine you're running a company building, and you need to control who can access different rooms. Some employees can only view the conference room schedule, while others can book rooms, and managers can access the server room. AWS IAM Policies work exactly like this - they're the security system that controls who can do what in your AWS environment.</p> <p>In this guide, I'll break down IAM policies in simple terms, so even if you're new to AWS, you'll understand how to control access to your cloud resources.</p> <h2> What are IAM Policies? </h2> <p>Think of IAM policies as <strong>permission slips</strong> in AWS. Just like a parent gives permission to a teacher to take their child on a field trip, IAM policies give permission to users or applications to access AWS resources.</p> <h3> The Structure of an IAM Policy </h3> <p>An IAM policy is like a recipe card with specific ingredients:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3-account-permissions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:root"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::mybucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Breaking It Down (in Simple Terms) </h2> <h3> 1. Version - Like a Date Stamp on a Document </h3> <ul> <li>Always use <code>"2012-10-17"</code> (the latest version)</li> <li>Think of it as the "policy format version"</li> <li>This tells AWS which rules to follow when reading your policy</li> </ul> <h3> 2. Id (Optional) - A Nickname for Your Policy </h3> <ul> <li>Example: <code>"s3-account-permissions"</code> </li> <li>Helps you identify what this policy does</li> <li>Like naming a document "Sales_Team_Permissions" instead of "Document1"</li> </ul> <h3> 3. Statement - The Actual Rules (The Important Part!) </h3> <ul> <li>This is where you define WHO can do WHAT</li> <li>You can have multiple statements in one policy</li> <li>Each statement is like a separate rule</li> </ul> <h3> 4. Sid (Optional) - Statement ID </h3> <ul> <li>A label for each individual permission rule</li> <li>Example: <code>"AllowReadAccess"</code> or <code>"DenyDeleteOperations"</code> </li> <li>Useful when you have multiple rules and need to identify them</li> </ul> <h3> 5. Effect - The Decision: Allow or Deny </h3> <ul> <li> <code>"Allow"</code> = Yes, you can do this ✅</li> <li> <code>"Deny"</code> = No, you cannot do this ❌</li> <li>Deny always wins if there's a conflict</li> </ul> <h3> 6. Principal - WHO Gets the Permission </h3> <ul> <li>The person, role, or service getting access</li> <li>Example: <code>"arn:aws:iam::123456789012:root"</code> (an AWS account)</li> <li>Think of it as the "name on the permission slip"</li> </ul> <h3> 7. Action - WHAT They Can Do </h3> <ul> <li>Specific tasks allowed/denied</li> <li>Example: <code>"s3:GetObject"</code> (download files), <code>"s3:PutObject"</code> (upload files)</li> <li>You can use wildcards: <code>"s3:*"</code> means all S3 actions</li> </ul> <h3> 8. Resource - WHERE They Can Do It </h3> <ul> <li>Which AWS resources this applies to</li> <li>Example: <code>"arn:aws:s3:::mybucket/*"</code> (all files in "mybucket")</li> <li>Like saying "only in this specific room"</li> </ul> <h3> 9. Condition (Optional) - WHEN This Applies </h3> <ul> <li>Extra rules like time of day, IP address, etc.</li> <li>Example: Only allow access from the office IP</li> <li>Adds an extra layer of security</li> </ul> <h2> Real-World Example: Photo Storage App </h2> <p>Let's say you're managing a photo storage app. You want photographers to upload and download photos, but only from your office network:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowUserToUploadPhotos"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::987654321098:user/photographer"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:PutObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::customer-photos/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"IpAddress"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:SourceIp"</span><span class="p">:</span><span class="w"> </span><span class="s2">"203.0.113.0/24"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Translation in Plain English</strong>: </p> <ul> <li> <strong>Who</strong>: The photographer user</li> <li> <strong>Can do what</strong>: Upload (PutObject) and download (GetObject) photos</li> <li> <strong>Where</strong>: In the customer-photos bucket</li> <li> <strong>When</strong>: Only when connected from the office IP address (203.0.113.0/24)</li> </ul> <h2> More Policy Examples </h2> <h3> Example 1: Read-Only Access to EC2 Instances </h3> <p><strong>Scenario</strong>: You want your intern to view all EC2 instances but not make any changes.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"EC2ReadOnly"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:Describe*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:Get*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: </p> <ul> <li>The intern can see (Describe and Get) all EC2 information</li> <li>They cannot create, modify, or delete instances</li> <li>The <code>*</code> wildcard means all EC2 resources</li> </ul> <p><strong>Use case</strong>: Perfect for team members who need to monitor servers but shouldn't change anything.</p> <h3> Example 2: Developer Access with Restrictions </h3> <p><strong>Scenario</strong>: You want developers to work freely in the development environment but stay away from production.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowDevelopmentEnvironment"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"lambda:*"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"StringEquals"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:RequestedRegion"</span><span class="p">:</span><span class="w"> </span><span class="s2">"us-west-2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DenyProductionAccess"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::production-*"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:ec2:*:*:instance/i-prod*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: </p> <ul> <li> <strong>First statement</strong>: Developers can do anything with EC2, S3, and Lambda in the us-west-2 region</li> <li> <strong>Second statement</strong>: But they are explicitly blocked from any production resources (buckets starting with "production-" and instances starting with "i-prod")</li> <li>Deny wins, so even if allowed elsewhere, production is off-limits</li> </ul> <p><strong>Use case</strong>: Gives developers freedom to experiment while protecting critical production systems.</p> <h3> Example 3: Time-Based Access </h3> <p><strong>Scenario</strong>: Contractors should only access resources during business hours.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"BusinessHoursOnly"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::project-files/*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"DateGreaterThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:CurrentTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2024-01-01T09:00:00Z"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"DateLessThan"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:CurrentTime"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2024-12-31T17:00:00Z"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: </p> <ul> <li>Contractors can access project files</li> <li>Only between 9 AM and 5 PM</li> <li>Automatically enforced by AWS</li> </ul> <h3> Example 4: Multi-Factor Authentication (MFA) Required </h3> <p><strong>Scenario</strong>: For sensitive operations, require MFA.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowWithMFA"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"ec2:StopInstances"</span><span class="p">,</span><span class="w"> </span><span class="s2">"ec2:TerminateInstances"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"BoolIfExists"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"aws:MultiFactorAuthPresent"</span><span class="p">:</span><span class="w"> </span><span class="s2">"true"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: </p> <ul> <li>Users can stop or terminate EC2 instances</li> <li>Only if they've authenticated with MFA</li> <li>Prevents accidental or unauthorized shutdowns</li> </ul> <h2> Common IAM Policy Patterns </h2> <h3> Pattern 1: Least Privilege Principle </h3> <p><strong>Concept</strong>: Give users the minimum permissions they need to do their job.</p> <p><strong>Bad Example</strong> ❌:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This gives full access to everything - dangerous!</p> <p><strong>Good Example</strong> ✅:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:ListBucket"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>This gives only read access to a specific bucket.</p> <h3> Pattern 2: Using Deny for Extra Security </h3> <p><strong>Concept</strong>: Explicitly deny critical actions to prevent accidents.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowMostS3Actions"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"NeverAllowDelete"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="s2">"s3:DeleteBucket"</span><span class="p">,</span><span class="w"> </span><span class="s2">"s3:DeleteObject"</span><span class="w"> </span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::my-bucket/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: Users can do most S3 operations, but deletion is always blocked.</p> <h2> Understanding Policy Evaluation </h2> <p>When you make a request to AWS, here's how it decides if you're allowed:</p> <ol> <li> <strong>By default, everything is denied</strong> 🚫</li> <li> <strong>Check for explicit Allow</strong> ✅</li> <li> <strong>Check for explicit Deny</strong> ❌</li> <li> <strong>Deny always wins</strong> 🏆</li> </ol> <h3> Example Decision Flow: </h3> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Request: Delete S3 object ↓ Is there an Allow? → Yes (s3:* is allowed) ↓ Is there a Deny? → Yes (s3:DeleteObject is denied) ↓ Result: DENIED ❌ (Deny wins) </code></pre> </div> <h2> Policy Variables for Dynamic Permissions </h2> <p>You can use variables to create flexible policies:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AllowUserToAccessTheirOwnFolder"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:s3:::shared-bucket/${aws:username}/*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>What it means</strong>: </p> <ul> <li>Each user can only access their own folder</li> <li> <code>${aws:username}</code> automatically inserts the user's name</li> <li>John can access <code>/shared-bucket/john/*</code> </li> <li>Sarah can access <code>/shared-bucket/sarah/*</code> </li> </ul> <h2> Testing Your Policies </h2> <h3> Use the IAM Policy Simulator </h3> <p>AWS provides a tool to test policies before applying them:</p> <ol> <li>Go to <a href="https://policysim.aws.amazon.com/" rel="noopener noreferrer">IAM Policy Simulator</a> </li> <li>Select a user or role</li> <li>Choose a service (like S3)</li> <li>Select an action (like GetObject)</li> <li>Click "Run Simulation"</li> </ol> <p>This shows you if the action would be allowed or denied.</p> <h2> Common Mistakes to Avoid </h2> <h3> Mistake 1: Using <code>*</code> Too Broadly </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"*"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Problem</strong>: Gives full access to everything in AWS<br> <strong>Solution</strong>: Be specific about actions and resources</p> <h3> Mistake 2: Forgetting Resource ARNs </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"s3:GetObject"</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Missing</span><span class="w"> </span><span class="s2">"Resource"</span><span class="w"> </span><span class="err">field!</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Problem</strong>: Policy won't work without specifying resources<br> <strong>Solution</strong>: Always include the Resource field</p> <h3> Mistake 3: Not Testing Policies </h3> <p><strong>Problem</strong>: Policies might not work as expected<br> <strong>Solution</strong>: Always test with IAM Policy Simulator before applying</p> <h2> Best Practices </h2> <h3> 1. Start Small, Then Expand </h3> <ul> <li>Begin with minimal permissions</li> <li>Add more as needed</li> <li>Don't start with full access</li> </ul> <h3> 2. Use Groups for Common Permissions </h3> <ul> <li>Create groups like "Developers", "Admins", "Readers"</li> <li>Assign policies to groups</li> <li>Add users to groups</li> </ul> <h3> 3. Regular Audits </h3> <ul> <li>Review policies quarterly</li> <li>Remove unused permissions</li> <li>Update for new requirements</li> </ul> <h3> 4. Document Your Policies </h3> <ul> <li>Add comments explaining why policies exist</li> <li>Use descriptive Sid values</li> <li>Keep a change log</li> </ul> <h3> 5. Use Managed Policies When Possible </h3> <ul> <li>AWS provides pre-built policies</li> <li>Examples: <code>ReadOnlyAccess</code>, <code>PowerUserAccess</code> </li> <li>Easier to maintain</li> </ul> <h2> Quick Reference </h2> <h3> Policy Template </h3> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"Version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2012-10-17"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Statement"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"Sid"</span><span class="p">:</span><span class="w"> </span><span class="s2">"DescriptiveName"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Effect"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Allow|Deny"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Principal"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"AWS"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:..."</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"Action"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"service:Action"</span><span class="p">],</span><span class="w"> </span><span class="nl">"Resource"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"Condition"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="err">...</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h3> Common Actions </h3> <ul> <li> <strong>S3</strong>: <code>s3:GetObject</code>, <code>s3:PutObject</code>, <code>s3:DeleteObject</code>, <code>s3:ListBucket</code> </li> <li> <strong>EC2</strong>: <code>ec2:RunInstances</code>, <code>ec2:StopInstances</code>, <code>ec2:DescribeInstances</code> </li> <li> <strong>Lambda</strong>: <code>lambda:InvokeFunction</code>, <code>lambda:CreateFunction</code>, <code>lambda:UpdateFunctionCode</code> </li> <li> <strong>IAM</strong>: <code>iam:CreateUser</code>, <code>iam:AttachUserPolicy</code>, <code>iam:GetUser</code> </li> </ul> <h2> Conclusion </h2> <p>IAM policies are the foundation of AWS security. By understanding how to structure and apply them, you can:</p> <p>✅ Control who accesses your resources<br><br> ✅ Specify exactly what actions are allowed<br><br> ✅ Add conditions for extra security<br><br> ✅ Follow the principle of least privilege<br><br> ✅ Keep your AWS environment secure </p> <h3> Key Takeaways: </h3> <ol> <li> <strong>Version</strong>: Always use "2012-10-17"</li> <li> <strong>Effect</strong>: Allow or Deny</li> <li> <strong>Principal</strong>: Who gets access</li> <li> <strong>Action</strong>: What they can do</li> <li> <strong>Resource</strong>: Where they can do it</li> <li> <strong>Condition</strong>: When it applies</li> <li> <strong>Deny always wins</strong> in conflicts</li> </ol> <p>Remember: Good IAM policies are specific, tested, and regularly reviewed. Start with minimal permissions and add more only when needed.</p> <h2> Additional Resources </h2> <ul> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html" rel="noopener noreferrer">AWS IAM Policy Documentation</a></li> <li><a href="https://policysim.aws.amazon.com/" rel="noopener noreferrer">IAM Policy Simulator</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html" rel="noopener noreferrer">IAM Best Practices</a></li> <li><a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html" rel="noopener noreferrer">Policy Examples Library</a></li> </ul> <p><strong>Pro Tip</strong>: Always test your policies in a non-production environment first. Use the IAM Policy Simulator to verify they work as expected before applying them to real users!</p> <p>Stay secure! 🔒</p> aws developers webdev iam Himanshu Maheshwari Tue, 13 Jan 2026 14:44:35 +0000 https://dev.to/im_himanshu_maheshwari/managing-multiple-aws-accounts-like-a-pro-a-complete-guide-255h https://dev.to/im_himanshu_maheshwari/managing-multiple-aws-accounts-like-a-pro-a-complete-guide-255h <p>Imagine you have multiple email accounts - one for work, one personal, and maybe one for side projects. You switch between them throughout the day without any hassle. AWS accounts work the same way!</p> <p>As developers, we often juggle multiple AWS accounts:</p> <ul> <li>🏢 Company account for work projects</li> <li>👤 Personal account for side projects</li> <li>💼 Client accounts for freelance work</li> <li>🧪 Separate accounts for development and production</li> </ul> <p>Switching between these accounts shouldn't be complicated. In this guide, I'll show you exactly how to manage multiple AWS accounts on a single machine, making it as easy as switching browser tabs.</p> <h2> Why Multiple AWS Accounts? </h2> <p>Before we dive in, let's understand why you might need multiple accounts:</p> <h3> Separation of Concerns </h3> <ul> <li>Keep work and personal projects separate</li> <li>Avoid accidental changes to the wrong environment</li> <li>Separate billing for different projects</li> </ul> <h3> Security &amp; Isolation </h3> <ul> <li>Limit the blast radius if credentials are compromised</li> <li>Different security requirements for different projects</li> <li>Client data stays in client accounts</li> </ul> <h3> Cost Management </h3> <ul> <li>Track costs per project or client</li> <li>Separate billing for better accounting</li> <li>Avoid surprise bills mixing personal and work usage</li> </ul> <h2> The AWS Credentials Setup </h2> <h3> Understanding the File Structure </h3> <p>AWS stores your credentials in two files on your computer:</p> <ol> <li> <strong>~/.aws/credentials</strong> - Contains your access keys (the passwords)</li> <li> <strong>~/.aws/config</strong> - Contains configuration settings (regions, output formats)</li> </ol> <p>Think of it like this:</p> <ul> <li> <code>credentials</code> = Your passport (proves who you are)</li> <li> <code>config</code> = Your travel preferences (where you want to go, how you want to travel)</li> </ul> <h3> The Credentials File </h3> <p>Here's what a typical <code>~/.aws/credentials</code> file looks like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[default]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">AKIAIOSFODNN7EXAMPLE</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</span> <span class="nn">[work-project]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">AKIAI44QH8DHBEXAMPLE</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY</span> <span class="nn">[personal]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">AKIAIOSFODNN7EXAMPLE</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</span> <span class="nn">[client-xyz]</span> <span class="py">aws_access_key_id</span> <span class="p">=</span> <span class="s">AKIAI44QH8DHBEXAMPLE</span> <span class="py">aws_secret_access_key</span> <span class="p">=</span> <span class="s">je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY</span> </code></pre> </div> <p><strong>Important Security Notes</strong>: </p> <ul> <li>⚠️ Never share these credentials with anyone</li> <li>⚠️ Never commit them to Git or GitHub</li> <li>⚠️ Rotate them regularly (every 90 days recommended)</li> <li>⚠️ The keys shown above are fake examples only</li> </ul> <h3> The Config File </h3> <p>Create or edit <code>~/.aws/config</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight ini"><code><span class="nn">[default]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-east-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile work-project]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">us-west-2</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile personal]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">eu-west-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">json</span> <span class="nn">[profile client-xyz]</span> <span class="py">region</span> <span class="p">=</span> <span class="s">ap-southeast-1</span> <span class="py">output</span> <span class="p">=</span> <span class="s">table</span> </code></pre> </div> <p><strong>Important</strong>: In the config file, profile names need the <code>profile</code> prefix (except for <code>default</code>).</p> <h2> Step-by-Step: Setting Up Multiple Profiles </h2> <h3> Step 1: Check Your Current AWS Account </h3> <p>Before making changes, let's see which account you're currently using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity </code></pre> </div> <p>This command shows you:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"UserId"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AIDAI23HXD2WQ4EXAMPLE"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Account"</span><span class="p">:</span><span class="w"> </span><span class="s2">"123456789012"</span><span class="p">,</span><span class="w"> </span><span class="nl">"Arn"</span><span class="p">:</span><span class="w"> </span><span class="s2">"arn:aws:iam::123456789012:user/johndoe"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p><strong>Translation</strong>: </p> <ul> <li> <strong>UserId</strong>: Your unique user ID in AWS</li> <li> <strong>Account</strong>: The AWS account number you're connected to</li> <li> <strong>Arn</strong>: Your full AWS identity path</li> </ul> <h3> Step 2: Create a New Profile </h3> <p>Let's add a new AWS account profile:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure <span class="nt">--profile</span> my-new-project </code></pre> </div> <p>You'll be prompted for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>AWS Access Key ID [None]: AKIAI44QH8DHBEXAMPLE AWS Secret Access Key [None]: je7MtGbClwBF/2Zp9Utk/h3yCo8nvbEXAMPLEKEY Default region name [None]: us-west-2 Default output format [None]: json </code></pre> </div> <p><strong>Where to get these values</strong>:</p> <ol> <li>Log into AWS Console</li> <li>Go to IAM → Users → Your User</li> <li>Click "Security credentials" tab</li> <li>Click "Create access key"</li> <li>Save the Access Key ID and Secret Access Key</li> </ol> <h3> Step 3: Verify the New Profile </h3> <p>Test that your new profile works:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws sts get-caller-identity <span class="nt">--profile</span> my-new-project </code></pre> </div> <p>If you see account information, you're all set! 🎉</p> <h2> Switching Between AWS Accounts </h2> <p>Now that you have multiple profiles, here are three ways to switch between them:</p> <h3> Method 1: Set Profile for Your Entire Terminal Session </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Switch to work-project account</span> <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>work-project <span class="c"># Verify the switch</span> aws sts get-caller-identity <span class="c"># All subsequent commands use work-project</span> aws s3 <span class="nb">ls </span>aws ec2 describe-instances aws lambda list-functions </code></pre> </div> <p><strong>Use case</strong>: You're working on one project for several hours.</p> <p><strong>Tip</strong>: To see which profile you're using:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">echo</span> <span class="nv">$AWS_PROFILE</span> </code></pre> </div> <p><strong>To switch back to default</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">unset </span>AWS_PROFILE </code></pre> </div> <h3> Method 2: One-Time Use for a Single Command </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Use work-project for this command only</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> work-project <span class="c"># Use personal for this command only</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> personal <span class="c"># Use client-xyz for this command only</span> aws ec2 describe-instances <span class="nt">--profile</span> client-xyz </code></pre> </div> <p><strong>Use case</strong>: You need to quickly check something in another account without switching your entire session.</p> <h3> Method 3: Automatic Switching Based on Folder (The Smart Way!) </h3> <p>This is the most convenient method for developers working on multiple projects.</p> <p><strong>Install direnv</strong> (auto-loads environment variables per folder):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Install on macOS</span> brew <span class="nb">install </span>direnv <span class="c"># Install on Linux</span> <span class="nb">sudo </span>apt-get <span class="nb">install </span>direnv <span class="c"># Add to your shell configuration</span> <span class="c"># For zsh (~/.zshrc):</span> <span class="nb">echo</span> <span class="s1">'eval "$(direnv hook zsh)"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="c"># For bash (~/.bashrc):</span> <span class="nb">echo</span> <span class="s1">'eval "$(direnv hook bash)"'</span> <span class="o">&gt;&gt;</span> ~/.bashrc <span class="c"># Reload your shell</span> <span class="nb">source</span> ~/.zshrc <span class="c"># or source ~/.bashrc</span> </code></pre> </div> <p><strong>Set up automatic profile switching</strong>:</p> <p>Create a <code>.envrc</code> file in your project folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Navigate to your work project</span> <span class="nb">cd</span> ~/projects/work-app <span class="c"># Create .envrc file</span> <span class="nb">cat</span> <span class="o">&gt;</span> .envrc <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' export AWS_PROFILE=work-project export AWS_REGION=us-west-2 </span><span class="no">EOF </span><span class="c"># Allow direnv to load this file</span> direnv allow </code></pre> </div> <p>Now, every time you <code>cd</code> into this folder, it automatically uses the <code>work-project</code> profile!</p> <p><strong>Set it up for all your projects</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Work project</span> <span class="nb">cd</span> ~/projects/work-app <span class="nb">echo</span> <span class="s2">"export AWS_PROFILE=work-project"</span> <span class="o">&gt;</span> .envrc direnv allow <span class="c"># Personal project</span> <span class="nb">cd</span> ~/projects/my-blog <span class="nb">echo</span> <span class="s2">"export AWS_PROFILE=personal"</span> <span class="o">&gt;</span> .envrc direnv allow <span class="c"># Client project</span> <span class="nb">cd</span> ~/freelance/client-xyz <span class="nb">echo</span> <span class="s2">"export AWS_PROFILE=client-xyz"</span> <span class="o">&gt;</span> .envrc direnv allow </code></pre> </div> <p><strong>How it works</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># You're using default profile</span> aws sts get-caller-identity <span class="c"># Shows default account</span> <span class="nb">cd</span> ~/projects/work-app <span class="c"># direnv automatically sets AWS_PROFILE=work-project</span> aws sts get-caller-identity <span class="c"># Shows work account!</span> <span class="nb">cd</span> ~/projects/my-blog <span class="c"># direnv automatically sets AWS_PROFILE=personal</span> aws sts get-caller-identity <span class="c"># Shows personal account!</span> </code></pre> </div> <h2> Visual Indicator in Your Terminal </h2> <p>Want to always see which AWS profile you're using? Add this to your terminal prompt!</p> <h3> For Zsh (~/.zshrc) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Function to show current AWS profile</span> aws_profile<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$AWS_PROFILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"☁️ [</span><span class="nv">$AWS_PROFILE</span><span class="s2">]"</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Add to your prompt</span> setopt PROMPT_SUBST <span class="nv">PS1</span><span class="o">=</span><span class="s1">'$(aws_profile) '</span><span class="nv">$PS1</span> </code></pre> </div> <h3> For Bash (~/.bashrc) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Function to show current AWS profile</span> aws_profile<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$AWS_PROFILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"☁️ [</span><span class="nv">$AWS_PROFILE</span><span class="s2">]"</span> <span class="k">fi</span> <span class="o">}</span> <span class="c"># Add to your prompt</span> <span class="nv">PS1</span><span class="o">=</span><span class="s1">'$(aws_profile) '</span><span class="nv">$PS1</span> </code></pre> </div> <p>Reload your shell:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">source</span> ~/.zshrc <span class="c"># or source ~/.bashrc</span> </code></pre> </div> <p><strong>Your terminal will now show</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>☁️ [work-project] mahesh@macbook ~/projects/work-app % </code></pre> </div> <p>When you're not using a specific profile, the cloud icon disappears.</p> <h2> Managing Your Profiles </h2> <h3> List All Configured Profiles </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure list-profiles </code></pre> </div> <p>Output:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>default work-project personal client-xyz </code></pre> </div> <h3> View Configuration for a Specific Profile </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># See all settings</span> aws configure list <span class="nt">--profile</span> work-project <span class="c"># Get specific setting</span> aws configure get region <span class="nt">--profile</span> work-project aws configure get output <span class="nt">--profile</span> work-project </code></pre> </div> <h3> Update a Profile Setting </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Change region</span> aws configure <span class="nb">set </span>region us-east-1 <span class="nt">--profile</span> work-project <span class="c"># Change output format</span> aws configure <span class="nb">set </span>output table <span class="nt">--profile</span> personal </code></pre> </div> <h3> Test Profile Credentials </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Test if credentials work</span> aws sts get-caller-identity <span class="nt">--profile</span> work-project <span class="c"># List S3 buckets to verify access</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> work-project <span class="c"># Check which region is configured</span> aws configure get region <span class="nt">--profile</span> work-project </code></pre> </div> <h2> Real-World Workflow Example </h2> <p>Let's say you're working on three different projects in a day:</p> <h3> Morning: Work Project (Company Account) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/projects/company-app <span class="c"># direnv automatically sets AWS_PROFILE=work-project</span> <span class="c"># Deploy to work infrastructure</span> aws s3 <span class="nb">sync</span> ./build s3://company-website-bucket aws cloudfront create-invalidation <span class="nt">--distribution-id</span> E123456 <span class="nt">--paths</span> <span class="s2">"/*"</span> <span class="c"># Check logs</span> aws logs <span class="nb">tail</span> /aws/lambda/company-function <span class="nt">--follow</span> </code></pre> </div> <h3> Afternoon: Personal Blog (Personal Account) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/projects/my-blog <span class="c"># direnv automatically sets AWS_PROFILE=personal</span> <span class="c"># Deploy your blog</span> aws s3 <span class="nb">sync</span> ./public s3://my-personal-blog aws cloudfront create-invalidation <span class="nt">--distribution-id</span> E789012 <span class="nt">--paths</span> <span class="s2">"/*"</span> <span class="c"># Check visitor stats</span> aws cloudwatch get-metric-statistics <span class="nt">--namespace</span> AWS/S3 <span class="se">\</span> <span class="nt">--metric-name</span> NumberOfObjects <span class="nt">--dimensions</span> <span class="nv">Name</span><span class="o">=</span>BucketName,Value<span class="o">=</span>my-personal-blog <span class="se">\</span> <span class="nt">--statistics</span> Average <span class="nt">--start-time</span> 2024-01-01T00:00:00Z <span class="nt">--end-time</span> 2024-01-31T23:59:59Z <span class="se">\</span> <span class="nt">--period</span> 86400 </code></pre> </div> <h3> Evening: Client Work (Client Account) </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/freelance/client-xyz <span class="c"># direnv automatically sets AWS_PROFILE=client-xyz</span> <span class="c"># Deploy client application</span> aws ecs update-service <span class="nt">--cluster</span> client-cluster <span class="nt">--service</span> client-app <span class="se">\</span> <span class="nt">--force-new-deployment</span> <span class="c"># Check deployment status</span> aws ecs describe-services <span class="nt">--cluster</span> client-cluster <span class="nt">--services</span> client-app </code></pre> </div> <p><strong>Notice</strong>: You never had to manually switch profiles! Each folder automatically uses the correct account.</p> <h2> Best Practices </h2> <h3> 1. Never Commit Credentials to Git </h3> <p>Always add these to your <code>.gitignore</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># AWS Credentials .env .envrc .aws/credentials .aws/config *.pem *.key # Environment files .env.local .env.production </code></pre> </div> <h3> 2. Use Meaningful Profile Names </h3> <p><strong>Bad</strong> ❌:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>profile1 profile2 test prod </code></pre> </div> <p><strong>Good</strong> ✅:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>company-production company-development personal-projects client-acme-prod client-acme-dev startup-staging </code></pre> </div> <h3> 3. Document Profile Usage </h3> <p>Add to your project's <code>README.md</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight markdown"><code><span class="gu">## AWS Configuration</span> This project uses the <span class="sb">`work-project`</span> AWS profile. <span class="gu">### Setup</span> <span class="p"> 1.</span> Configure the AWS profile: </code></pre> </div> <p><br> bash<br> aws configure --profile work-project<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 2. Set environment variables: </code></pre> </div> <p><br> bash<br> export AWS_PROFILE=work-project<br> export AWS_REGION=us-west-2<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> 3. Verify setup: </code></pre> </div> <p><br> bash<br> aws sts get-caller-identity<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> ### Required Permissions This project requires access to: - S3 bucket: `company-assets` - Lambda functions: `company-api-*` - CloudFront distribution: `E123456` </code></pre> </div> <h3> 4. Create Helper Scripts </h3> <p>Create <code>~/bin/aws-switch.sh</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/bin/bash</span> <span class="nb">echo</span> <span class="s2">"🌥️ AWS Profile Switcher"</span> <span class="nb">echo</span> <span class="s2">"======================="</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"Available profiles:"</span> aws configure list-profiles | <span class="nb">nl echo</span> <span class="s2">""</span> <span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"Enter profile name: "</span> profile_name <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span><span class="nv">$profile_name</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"✅ Switched to: </span><span class="nv">$AWS_PROFILE</span><span class="s2">"</span> <span class="nb">echo</span> <span class="s2">""</span> aws sts get-caller-identity </code></pre> </div> <p>Make it executable:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">chmod</span> +x ~/bin/aws-switch.sh </code></pre> </div> <p>Use it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>~/bin/aws-switch.sh </code></pre> </div> <h3> 5. Rotate Access Keys Regularly </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Create new access key (do this in AWS Console)</span> <span class="c"># Then update your credentials file</span> <span class="c"># Test new credentials</span> aws sts get-caller-identity <span class="nt">--profile</span> work-project <span class="c"># If working, delete old access key in AWS Console</span> </code></pre> </div> <p>Set a calendar reminder to rotate keys every 90 days.</p> <h2> Troubleshooting Common Issues </h2> <h3> Issue 1: "Unable to locate credentials" </h3> <p><strong>Symptoms</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Unable to locate credentials. You can configure credentials by running "aws configure". </code></pre> </div> <p><strong>Solutions</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if credentials file exists</span> <span class="nb">ls</span> <span class="nt">-la</span> ~/.aws/credentials <span class="c"># Check if profile exists</span> aws configure list-profiles <span class="c"># Verify profile name matches</span> <span class="nb">echo</span> <span class="nv">$AWS_PROFILE</span> <span class="c"># Re-configure if needed</span> aws configure <span class="nt">--profile</span> work-project </code></pre> </div> <h3> Issue 2: "Access Denied" Errors </h3> <p><strong>Symptoms</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied </code></pre> </div> <p><strong>Solutions</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify you're using the correct profile</span> aws sts get-caller-identity <span class="c"># Check if credentials are valid</span> aws sts get-caller-identity <span class="nt">--profile</span> work-project <span class="c"># If invalid, create new access keys and update credentials file</span> </code></pre> </div> <h3> Issue 3: Wrong Region Being Used </h3> <p><strong>Symptoms</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Could not connect to the endpoint URL: "https://s3.us-west-2.amazonaws.com/my-bucket" </code></pre> </div> <p><strong>Solutions</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check current region</span> aws configure get region <span class="nt">--profile</span> work-project <span class="c"># Set correct region</span> aws configure <span class="nb">set </span>region us-east-1 <span class="nt">--profile</span> work-project <span class="c"># Or set via environment variable</span> <span class="nb">export </span><span class="nv">AWS_REGION</span><span class="o">=</span>us-east-1 </code></pre> </div> <h3> Issue 4: direnv Not Working </h3> <p><strong>Symptoms</strong>:<br> <code>.envrc</code> file exists but profile not switching automatically</p> <p><strong>Solutions</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check if direnv is installed</span> which direnv <span class="c"># Check if direnv hook is in your shell config</span> <span class="nb">cat</span> ~/.zshrc | <span class="nb">grep </span>direnv <span class="c"># If missing, add it</span> <span class="nb">echo</span> <span class="s1">'eval "$(direnv hook zsh)"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="nb">source</span> ~/.zshrc <span class="c"># Allow direnv in your project</span> <span class="nb">cd</span> /path/to/project direnv allow </code></pre> </div> <h2> Advanced: Using AWS SSO (Single Sign-On) </h2> <p>If your company uses AWS SSO, here's how to set it up:</p> <h3> Configure SSO Profile </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws configure sso </code></pre> </div> <p>Follow the prompts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>SSO start URL [None]: https://my-company.awsapps.com/start SSO Region [None]: us-east-1 SSO registration scopes [None]: sso:account:access </code></pre> </div> <p>Your browser will open for authentication.</p> <h3> Use SSO Profile </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Login to SSO</span> aws sso login <span class="nt">--profile</span> company-sso <span class="c"># Use the profile</span> <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>company-sso aws s3 <span class="nb">ls</span> <span class="c"># Session expires after a few hours, re-login with:</span> aws sso login <span class="nt">--profile</span> company-sso </code></pre> </div> <h3> Auto-refresh SSO Sessions </h3> <p>Add to your <code>~/.zshrc</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Auto-refresh AWS SSO session</span> aws_sso_refresh<span class="o">()</span> <span class="o">{</span> <span class="k">if</span> <span class="o">[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$AWS_PROFILE</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span>aws sso login <span class="nt">--profile</span> <span class="nv">$AWS_PROFILE</span> 2&gt;/dev/null <span class="k">fi</span> <span class="o">}</span> <span class="c"># Run before each command (optional)</span> <span class="c"># precmd() { aws_sso_refresh }</span> </code></pre> </div> <h2> Quick Reference Cheat Sheet </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># List all profiles</span> aws configure list-profiles <span class="c"># Check current account</span> aws sts get-caller-identity <span class="c"># Check current profile</span> <span class="nb">echo</span> <span class="nv">$AWS_PROFILE</span> <span class="c"># Set profile for session</span> <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>work-project <span class="c"># Unset profile (back to default)</span> <span class="nb">unset </span>AWS_PROFILE <span class="c"># Use profile for single command</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> personal <span class="c"># Configure new profile</span> aws configure <span class="nt">--profile</span> new-project <span class="c"># Test profile credentials</span> aws sts get-caller-identity <span class="nt">--profile</span> work-project <span class="c"># Get profile configuration</span> aws configure list <span class="nt">--profile</span> work-project <span class="c"># Set specific configuration</span> aws configure <span class="nb">set </span>region us-east-1 <span class="nt">--profile</span> work-project <span class="c"># Get specific configuration</span> aws configure get region <span class="nt">--profile</span> work-project </code></pre> </div> <h2> Understanding Credential Priority </h2> <p>AWS looks for credentials in this order:</p> <ol> <li> <strong>Command line options</strong> (<code>--profile</code>)</li> <li> <strong>Environment variables</strong> (<code>AWS_PROFILE</code>, <code>AWS_ACCESS_KEY_ID</code>, <code>AWS_SECRET_ACCESS_KEY</code>)</li> <li> <strong>Credentials file</strong> (<code>~/.aws/credentials</code>)</li> <li> <strong>Config file</strong> (<code>~/.aws/config</code>)</li> <li> <strong>IAM role</strong> (when running on EC2, ECS, Lambda)</li> </ol> <p><strong>Example</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Even if AWS_PROFILE=personal is set</span> <span class="nb">export </span><span class="nv">AWS_PROFILE</span><span class="o">=</span>personal <span class="c"># This command uses work-project (command line wins)</span> aws s3 <span class="nb">ls</span> <span class="nt">--profile</span> work-project </code></pre> </div> <h2> Conclusion </h2> <p>Managing multiple AWS accounts doesn't have to be complicated. With proper setup:</p> <p>✅ Switch between accounts seamlessly<br><br> ✅ Automate profile selection per project<br><br> ✅ See which account you're using at a glance<br><br> ✅ Keep credentials secure and organized<br><br> ✅ Never accidentally work in the wrong account </p> <h3> Key Takeaways: </h3> <ol> <li>Use named profiles for different AWS accounts</li> <li>Use <code>direnv</code> for automatic profile switching per project</li> <li>Add visual indicators to your terminal prompt</li> <li>Never commit credentials to version control</li> <li>Rotate access keys every 90 days</li> <li>Document which profile each project uses</li> <li>Test credentials regularly</li> </ol> <h3> Recommended Setup: </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># 1. Install direnv</span> brew <span class="nb">install </span>direnv <span class="c"># 2. Add to shell</span> <span class="nb">echo</span> <span class="s1">'eval "$(direnv hook zsh)"'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="c"># 3. Add profile indicator to prompt</span> <span class="nb">echo</span> <span class="s1">'aws_profile() { [ -n "$AWS_PROFILE" ] &amp;&amp; echo "☁️ [$AWS_PROFILE]"; }'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="nb">echo</span> <span class="s1">'setopt PROMPT_SUBST'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="nb">echo</span> <span class="s1">'PS1='</span><span class="s2">"'"</span><span class="s1">'$(aws_profile) '</span><span class="s2">"'"</span><span class="s1">'$PS1'</span> <span class="o">&gt;&gt;</span> ~/.zshrc <span class="c"># 4. Reload shell</span> <span class="nb">source</span> ~/.zshrc <span class="c"># 5. Set up project folders with .envrc</span> <span class="nb">cd</span> ~/projects/work-app <span class="nb">echo</span> <span class="s2">"export AWS_PROFILE=work-project"</span> <span class="o">&gt;</span> .envrc direnv allow </code></pre> </div> <p>Remember: <strong>Organization leads to productivity</strong>. Spend 30 minutes setting this up, and you'll save hours of frustration and prevent costly mistakes!</p> <h2> Additional Resources </h2> <ul> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html" rel="noopener noreferrer">AWS CLI Configuration Guide</a></li> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html" rel="noopener noreferrer">AWS CLI Environment Variables</a></li> <li><a href="https://direnv.net/" rel="noopener noreferrer">Direnv Documentation</a></li> <li><a href="https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html" rel="noopener noreferrer">AWS SSO Configuration</a></li> </ul> <p><strong>Pro Tip</strong>: Consider using AWS Vault for even better security - it stores your credentials in your system's encrypted keychain instead of plain text files!</p> <p>Happy cloud computing! ☁️</p> aws devops developers cloudcomputing