AWS IAM Cheatsheet
Top commands.
Overview
The IAM CLI cheatsheet captures the patterns operators actually use during identity and access investigation. Roles are easy to create and hard to audit; fluency at the IAM CLI is what turns "we have IAM" into "we know what IAM permits."
- Top commands. get-caller-identity, list-roles, simulate-principal-policy, get-role-policy; the four investigation paths.
- get-caller-identity. Verify which identity is acting; the safeguard against the profile mistake during a deploy or remediation.
- simulate-principal-policy. Test what a principal can do without granting it; the audit primitive built into IAM.
- Access Analyzer plus STS AssumeRole. Access Analyzer surfaces over-broad permissions; STS supports cross-account role assumption.
The approach
The practical approach: verify identity first, simulate before deploying, narrow with policy conditions. The team’s discipline produces permissions that are tight, not merely present.
- aws sts get-caller-identity. First call before any production-affecting command; the safeguard that costs nothing.
- aws iam simulate-principal-policy. Test policy effect against the live policy graph; faster than deploy-and-pray.
- aws iam list-attached-role-policies. Which managed policies are attached to this role; the first call when investigating a role’s effective permissions.
- aws iam get-role-policy. Inline policy detail; together with the attached list, the full picture of a role’s grant.
- Document the role. Per-role rationale committed to the repo; supports operational reviews and audit response.
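The script below is an added example, not code from the cheatsheet or from Nova AI Ops. It strings together the commands listed under Top commands and The approach in the recommended order: confirm the acting identity with get-caller-identity, dump a role's attached and inline policies, then simulate a short list of high-impact actions before changing anything. It assumes AWS CLI v2 with a configured profile; EXPECTED_ACCOUNT, ROLE_NAME and the action names are placeholders the operator replaces. The two pure-text helpers (account_from_identity_json and count_allowed) exist so the guard and the result tally can be checked on constructed input without calling AWS.

```shell
#!/bin/sh
# Added example (not from the page): an IAM role audit in the cheatsheet's order.
# Assumes AWS CLI v2 with a configured profile. EXPECTED_ACCOUNT, ROLE_NAME and
# the action names are placeholders.
set -eu

EXPECTED_ACCOUNT="${EXPECTED_ACCOUNT:-123456789012}"   # placeholder account id
ROLE_NAME="${ROLE_NAME:-ExampleDeployRole}"           # placeholder role name

# Pull the 12-digit "Account" field out of get-caller-identity's JSON output.
# Pure text processing so the guard can be checked offline on constructed input.
account_from_identity_json() {
  printf '%s\n' "$1" |
    sed -n 's/.*"Account"[[:space:]]*:[[:space:]]*"\([0-9]\{12\}\)".*/\1/p' |
    head -n 1
}

# Guard: succeed only when the active profile belongs to the expected account.
check_account() {
  [ "$(account_from_identity_json "$1")" = "$2" ]
}

# Count "allowed" decisions in "action<TAB>decision" lines, the shape produced
# by the --query/--output text flags used in simulate_role below.
count_allowed() {
  printf '%s\n' "$1" | awk -F '\t' '$2 == "allowed" { n++ } END { print n + 0 }'
}

# Step 1: who am I? Refuse to touch anything if the account is wrong.
verify_identity() {
  identity="$(aws sts get-caller-identity --output json)"
  if ! check_account "$identity" "$EXPECTED_ACCOUNT"; then
    echo "refusing to continue: active profile is not account $EXPECTED_ACCOUNT" >&2
    return 1
  fi
  echo "acting as: $identity"
}

# Step 2: a role's full grant = attached managed policies + inline policies.
dump_role_policies() {
  role="$1"
  echo "== attached managed policies for $role =="
  aws iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n' |
  while read -r arn; do
    case "$arn" in ''|None) continue ;; esac
    version="$(aws iam get-policy --policy-arn "$arn" \
      --query 'Policy.DefaultVersionId' --output text)"
    echo "-- $arn ($version)"
    aws iam get-policy-version --policy-arn "$arn" --version-id "$version" \
      --query 'PolicyVersion.Document' --output json
  done
  echo "== inline policies for $role =="
  aws iam list-role-policies --role-name "$role" \
    --query 'PolicyNames' --output text | tr '\t' '\n' |
  while read -r name; do
    case "$name" in ''|None) continue ;; esac
    echo "-- $name"
    aws iam get-role-policy --role-name "$role" --policy-name "$name" \
      --query 'PolicyDocument' --output json
  done
}

# Step 3: simulate actions the role should NOT have before granting or
# narrowing anything; a non-zero allowed count is the finding to review.
simulate_role() {
  role="$1"; shift
  role_arn="$(aws iam get-role --role-name "$role" --query 'Role.Arn' --output text)"
  results="$(aws iam simulate-principal-policy --policy-source-arn "$role_arn" \
    --action-names "$@" \
    --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text)"
  printf '%s\n' "$results"
  echo "allowed: $(count_allowed "$results") of $#"
}

# Run the full walk-through only when asked, so the helpers can be sourced alone.
if [ "${1:-}" = "--run" ]; then
  verify_identity
  dump_role_policies "$ROLE_NAME"
  simulate_role "$ROLE_NAME" iam:PassRole s3:DeleteBucket ec2:TerminateInstances
fi
```

Invoke the file with `--run` to execute against a live account; sourcing it without the flag only defines the functions. Every AWS call in it is read-only (sts:GetCallerIdentity, iam:Get*/List*, iam:SimulatePrincipalPolicy), so it runs under an auditor's read-only profile and never alters the role it is examining.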
Why this compounds
IAM fluency compounds across investigations. Each query teaches AWS access patterns; identity expertise accrues; audit response gets cheaper as the team’s muscle grows.
- Better security posture. Fluent IAM catches over-broad permissions; the principle of least privilege becomes auditable.
- Faster investigation. Per-principal queries support incident response; "what could this credential have done?" gets answered in seconds.
- Better compliance. IAM evidence supports audits; SOC 2 and ISO 27001 evidence collection drops from weeks to hours.
- Institutional knowledge. Each query teaches IAM patterns; the team’s identity engineering muscle grows.
IAM fluency is an operational discipline that pays off across years. Nova AI Ops integrates with IAM telemetry, surfaces patterns, and supports the team’s identity discipline.