When we first started building on AWS, we gave everything AdministratorAccess. ECS task? AdministratorAccess. Lambda function? AdministratorAccess. CI/CD pipeline? Same thing. It worked. Everything could talk to everything. We shipped fast.

Then we read about a startup whose leaked CI/CD credentials let an attacker spin up $50,000 worth of crypto-mining EC2 instances over a single weekend. The leaked role had AdministratorAccess. That's when we actually sat down and learned IAM.

This guide is what we wish someone had handed us on day one. No certification jargon, no 47-page docs. Just the mental models, real examples, and copy-paste policies you need to lock down your AWS setup as a web developer.

Why IAM Matters (Even If You're "Just a Developer")

IAM (Identity and Access Management) controls who can do what on which AWS resources. It's not a DevOps-only thing. It's the backbone of your entire AWS security setup. Every AWS API call goes through IAM.…
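As an added example (not code from the original post), the Python below puts the "who can do what on which resource" model into practice. It holds a policy with the shape of AdministratorAccess next to a constructed, scoped policy for an ECS task role and, using a deliberately simplified version of IAM's evaluation logic (an explicit Deny beats any Allow, nothing is permitted by default, and `*` wildcards match in Action and Resource), shows which API calls each one permits. It also flags the wildcard statements that make a leaked credential so expensive. The account ID, bucket name and queue name are placeholders; Conditions, NotAction/NotResource and resource-based policies are out of scope for this model.

```python
"""Least-privilege check for IAM policy documents (added example).

Compares an AdministratorAccess-shaped policy with a scoped ECS task-role
policy under a simplified model of IAM evaluation: explicit Deny wins,
then Allow, otherwise implicit deny. Conditions, NotAction/NotResource
and resource-based policies are ignored.
"""
import fnmatch
from typing import Iterable, List

# Constructed: the shape of the AWS managed AdministratorAccess policy.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed: a scoped role for an ECS service that reads one bucket and
# enqueues work on one SQS queue. Account ID and names are placeholders.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadUploads",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-uploads-bucket",
                "arn:aws:s3:::example-uploads-bucket/*",
            ],
        },
        {
            "Sid": "EnqueueJobs",
            "Effect": "Allow",
            "Action": "sqs:SendMessage",
            "Resource": "arn:aws:sqs:us-east-1:123456789012:example-jobs",
        },
        {
            # Explicit Deny: even though ReadUploads allows GetObject on the
            # whole bucket, this prefix stays off limits for the task.
            "Sid": "NeverReadPrivatePrefix",
            "Effect": "Deny",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-uploads-bucket/private/*",
        },
    ],
}


def _as_list(value) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns: Iterable[str], candidate: str) -> bool:
    """Glob-style match, as IAM does for '*' in Action and Resource."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Return True if `policy` lets the caller perform `action` on `resource`.

    Simplified evaluation: any matching Deny is final, a matching Allow
    is needed for access, and nothing matching means denied.
    """
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]  # action names are case-insensitive
        resources = _as_list(stmt.get("Resource"))
        if not _matches(actions, action.lower()) or not _matches(resources, resource):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def wildcard_findings(policy: dict) -> List[str]:
    """Flag Allow statements that grant every action or apply to every resource."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append(f"statement {i}: Action '*' grants every API call")
        elif any(a.endswith(":*") for a in actions):
            wide = sorted(a for a in actions if a.endswith(":*"))
            findings.append(f"statement {i}: service-wide action wildcard {wide}")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' applies to every resource")
    return findings


if __name__ == "__main__":
    # The call from the cautionary tale above: a leaked credential launching instances.
    launch = ("ec2:RunInstances", "arn:aws:ec2:us-east-1:123456789012:instance/*")
    for name, policy in (("AdministratorAccess", ADMIN_POLICY), ("scoped task role", SCOPED_POLICY)):
        print(f"{name}: RunInstances allowed = {is_allowed(policy, *launch)}")
        for finding in wildcard_findings(policy) or ["no wildcard findings"]:
            print(f"  {finding}")
```

Run it as a script and the admin policy allows `ec2:RunInstances` and trips two wildcard findings, while the scoped role allows only the S3 reads and the queue write it was built for and is denied the instance launch. The same `is_allowed` check is what you want in a unit test for every role your templates create: assert the handful of calls the workload needs, and assert that a few calls it must never make are denied.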