Facebook Pixel

AWS IAM and Least Privilege for Node.js Secure Your App's AWS Access

Learn how to use AWS IAM to give your Node.js application the minimum permissions it needs IAM users, roles, policies, and best practices.

AWS IAM and Least Privilege for Node.js

IAM (Identity and Access Management) controls who can access your AWS resources. Following the principle of least privilege means giving your Node.js app only the permissions it needs.

What Is IAM?

IAM manages:

  • Users People or applications that need AWS access
  • Groups Collections of users with shared permissions
  • Roles Temporary credentials for EC2, Lambda, etc.
  • Policies JSON documents defining permissions

IAM Users vs Roles

IAM User: Long-lived credentials (access key + secret key). Used for:

  • CLI access from your laptop
  • Applications running outside AWS

IAM Role: Temporary credentials assumed by AWS services. Used for:

  • EC2 instances
  • Lambda functions
  • ECS containers

For Node.js on EC2, always use IAM roles no credentials in .env.

Creating an IAM Role for EC2

  1. Go to AWS Console → IAM → Roles → Create role
  2. Choose "AWS service" → "EC2"
  3. Attach policies:
    • AmazonSESFullAccess (or custom SES policy)
    • AmazonS3FullAccess (if using S3)
  4. Name it "devtinder-ec2-role"
  5. Create

Attaching the Role to EC2

  1. Go to EC2 → Instances → Select your instance
  2. Actions → Security → Modify IAM role
  3. Select "devtinder-ec2-role"
  4. Save

Now your Node.js app can use AWS services without credentials in .env:

// No credentials needed uses the EC2 IAM role const { SESClient } = require("@aws-sdk/client-ses"); const sesClient = new SESClient({ region: "us-east-1" });

Custom IAM Policies (Least Privilege)

Instead of AmazonSESFullAccess (too broad), create a custom policy:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ses:SendEmail", "ses:SendTemplatedEmail", "ses:SendRawEmail" ], "Resource": [ "arn:aws:ses:us-east-1:123456789012:identity/yourdomain.com", "arn:aws:ses:us-east-1:123456789012:configuration-set/devtinder" ] }, { "Effect": "Allow", "Action": [ "ses:GetSendQuota", "ses:GetSendStatistics" ], "Resource": "*" } ] }

This only allows sending emails from your verified domain not creating new identities or changing settings.

IAM Best Practices

  1. Least privilege Only grant the minimum permissions needed
  2. Use roles on EC2 No access keys in .env
  3. Use groups for users Assign permissions to groups, not individuals
  4. Enable MFA Multi-factor authentication for all IAM users
  5. Rotate access keys Every 90 days for users who need them
  6. Use IAM Access Analyzer Find unintended access
  7. Don't use root account Create IAM users instead
  8. Audit regularly Review permissions and remove unused ones

Common IAM Policies for Node.js

SES (email sending):

{ "Effect": "Allow", "Action": ["ses:SendEmail", "ses:SendTemplatedEmail"], "Resource": "arn:aws:ses:us-east-1:123456789012:identity/yourdomain.com" }

S3 (file storage):

{ "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"], "Resource": "arn:aws:s3:::devtinder-uploads/*" }

Secrets Manager:

{ "Effect": "Allow", "Action": ["secretsmanager:GetSecretValue"], "Resource": "arn:aws:secretsmanager:us-east-1:123456789012:secret:devtinder/*" }

The Takeaway

IAM secures your Node.js app's AWS access. Use IAM roles on EC2 (no credentials in .env), follow least privilege (only grant minimum permissions), create custom policies instead of using broad managed policies, enable MFA for users, rotate access keys, and audit regularly. This prevents unauthorized access even if your app is compromised.

IAM (Identity and Access Management) controls who can access your AWS resources. It manages users (long-lived credentials), roles (temporary credentials for EC2/Lambda), groups (collections of users), and policies (JSON documents defining permissions).

Always use IAM roles for EC2. Roles provide temporary credentials that rotate automatically no access keys in .env. The AWS SDK on EC2 automatically uses the attached role's credentials. IAM users with access keys are for CLI access from your laptop or applications outside AWS.

Least privilege means granting only the minimum permissions needed. Instead of AmazonSESFullAccess (which allows everything), create a custom policy that only allows ses:SendEmail from your specific domain. This limits damage if credentials are compromised.

Go to IAM → Policies → Create policy. Use the JSON editor to specify Effect (Allow/Deny), Action (e.g., ses:SendEmail), and Resource (e.g., ARN of your verified domain). Attach the policy to your EC2 role or IAM user. Test with the IAM Policy Simulator.

Use roles on EC2 (not access keys), follow least privilege (custom policies, not broad managed ones), enable MFA for all users, rotate access keys every 90 days, don't use the root account, use groups for user permissions, use IAM Access Analyzer to find unintended access, and audit regularly.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.