The IAM mental model I wish someone had drawn on a whiteboard for me when I was starting out with AWS.

If you want a video to follow along with this blog, you can find it on the AWS Developers YouTube channel.

I spun up a Lambda function and tried to have it read from an S3 bucket only to get Access Denied.

This wasn't a typo or a misconfiguration. I just straight up didn't understand IAM. So I did what every beginner does: I attached AdministratorAccess, the error went away, and I moved on.

What I didn't think about at the time is that I'd just given that Lambda function permission to do anything in my account. Delete databases. Create resources that cost money. Access data across every service it had no business touching. All because it needed to read from one S3 bucket.
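To make the blast-radius point concrete, here is an added example that is not code from this post or from AWS: the AdministratorAccess policy beside a least-privilege policy that lets the function read from exactly one bucket, plus a deliberately simplified evaluator that checks which of a handful of API calls each policy would allow. The bucket name, the account ID and the sample requests are constructed placeholders, and the evaluator models only Allow/Deny with `*` and `?` wildcards (no conditions, NotAction/NotResource, or resource-based policies), so it illustrates the idea rather than reproducing the real IAM engine.

```python
import fnmatch

# The managed AdministratorAccess policy: every action on every resource.
ADMINISTRATOR_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# A least-privilege policy for the same Lambda: read objects from one
# bucket (and list it), nothing else. Bucket name is a constructed placeholder.
BUCKET = "example-reports-bucket"
READ_ONE_BUCKET = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": f"arn:aws:s3:::{BUCKET}",
        },
    ],
}


def _as_list(value):
    # IAM lets Action/Resource be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any
    matching Allow grants access, otherwise the request is implicitly denied.
    Action names match case-insensitively; resource ARNs match case-sensitively."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(
            fnmatch.fnmatchcase(action.lower(), pattern.lower())
            for pattern in _as_list(stmt["Action"])
        )
        resource_hit = any(
            fnmatch.fnmatchcase(resource, pattern)
            for pattern in _as_list(stmt["Resource"])
        )
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def blast_radius(policy, requests):
    """Return the subset of (action, resource) pairs the policy would allow."""
    return [(a, r) for a, r in requests if is_allowed(policy, a, r)]


# Constructed sample of API calls; the account ID is the AWS documentation
# placeholder, not a real account.
SAMPLE_REQUESTS = [
    ("s3:GetObject", f"arn:aws:s3:::{BUCKET}/2024/report.csv"),
    ("s3:GetObject", "arn:aws:s3:::some-other-teams-bucket/customer-data.csv"),
    ("s3:DeleteObject", f"arn:aws:s3:::{BUCKET}/2024/report.csv"),
    ("rds:DeleteDBInstance", "arn:aws:rds:us-east-1:123456789012:db:prod"),
    ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*"),
]


if __name__ == "__main__":
    for name, policy in [("AdministratorAccess", ADMINISTRATOR_ACCESS),
                         ("ReadOneBucket", READ_ONE_BUCKET)]:
        print(f"{name} allows:")
        for action, resource in blast_radius(policy, SAMPLE_REQUESTS):
            print(f"  {action:<22} {resource}")
```

Running it shows AdministratorAccess allowing all five calls, including the RDS delete and the EC2 launch, while ReadOneBucket allows only the single `s3:GetObject` on the function's own bucket. Note the two separate statements in the scoped policy: `s3:GetObject` applies to object ARNs (`bucket/*`), while `s3:ListBucket` applies to the bucket ARN itself, a distinction that trips up many first attempts at writing a read-only S3 policy.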