AWS IAM Decision Mindmap |

🎯 1. What level are you controlling?

🔹 A. Account / Organization level

Keywords:

“limit an account”
“restrict services across accounts”
“govern multiple accounts”

👉 Use: AWS Organizations + SCP

🔹 B. User / Role level

Keywords:

“user can access…”
“role permission…”
“least privilege”

👉 Use: IAM Policy

🔹 C. Cross-account access

👉 Check next 👇

🔍 2. Does the service support Resource Policy?

✅ YES → Use Resource Policy

Examples: S3, SQS, SNS, Lambda

Pros:

No STS needed
Simpler
Lower latency

❌ NO → Use STS AssumeRole

Pattern: Account A → AssumeRole (Account B) → Access resource

Cons:

More complex
Higher latency

Keywords:

“users sign in”
“centralized access”

👉 Use: IAM Identity Center

🏢 4. Corporate identity?

Keywords:

“Active Directory”
“Okta”

👉 Use: Microsoft AD / Federation

⚡ Cheat Sheet

Keyword	Solution
limit account	SCP
cross-account simple	Resource Policy
cross-account complex	STS
SSO	IAM Identity Center
user permission	IAM

🧠 Mental Model

Organization (SCP)
→ IAM
→ STS
→ Resource Policy

💣 Common Traps

“efficiently” → Resource Policy
“entire account” → SCP
“centralized access” → IAM Identity Center

🎯 1. What level are you controlling?#

🔹 A. Account / Organization level#

🔹 B. User / Role level#

🔹 C. Cross-account access#

🔍 2. Does the service support Resource Policy?#

✅ YES → Use Resource Policy#

❌ NO → Use STS AssumeRole#

🔐 3. Is this about login / SSO?#

🏢 4. Corporate identity?#

⚡ Cheat Sheet#

🧠 Mental Model#

💣 Common Traps#

🎯 1. What level are you controlling?

🔹 A. Account / Organization level

🔹 B. User / Role level

🔹 C. Cross-account access

🔍 2. Does the service support Resource Policy?

✅ YES → Use Resource Policy

❌ NO → Use STS AssumeRole

🔐 3. Is this about login / SSO?

🏢 4. Corporate identity?

⚡ Cheat Sheet

🧠 Mental Model

💣 Common Traps