IAM best practices in AWS - Time & Space Complexity

Time Complexity: IAM best practices
O(n)
Understanding Time Complexity

We want to understand how the time to manage permissions grows as we add more users and roles in IAM.

How does the number of permission checks or policy updates change when the system grows?

Scenario Under Consideration

Analyze the time complexity of the following IAM operations.


import boto3

iam = boto3.client('iam')
n = 10  # number of users to create (example value)

# Create multiple IAM users
for i in range(1, n+1):
    iam.create_user(UserName=f'user{i}')

# Attach policies to each user
for i in range(1, n+1):
    iam.attach_user_policy(UserName=f'user{i}', PolicyArn='arn:aws:iam::aws:policy/ReadOnlyAccess')

# Check permissions for each user (the principal is passed as PolicySourceArn)
for i in range(1, n+1):
    iam.simulate_principal_policy(
        PolicySourceArn=f'arn:aws:iam::123456789012:user/user{i}',
        ActionNames=['s3:GetObject'],
    )

This sequence creates users, attaches policies, and checks permissions for each user.

Identify Repeating Operations

  • Primary operation: Creating users, attaching policies, and simulating permission checks.
  • How many times: Each operation runs once per user, so n times.

How Execution Grows With Input

As you add more users, the number of API calls grows directly with the number of users.

Input Size (n) | Approx. API Calls/Operations
10             | 30 (10 create + 10 attach + 10 check)
100            | 300 (100 create + 100 attach + 100 check)
1000           | 3000 (1000 create + 1000 attach + 1000 check)

Pattern observation: The total operations increase linearly as the number of users increases.

Final Time Complexity

Time Complexity: O(n)

This means the time to manage IAM users and policies grows directly with the number of users.

Common Mistake

[X] Wrong: "Adding more users won't affect how long permission checks take because policies are shared."

[OK] Correct: Each user requires separate API calls for creation, attaching policies, and permission checks, so time grows with users.

Interview Connect

Understanding how IAM operations scale helps you design systems that stay efficient as they grow, a key skill in cloud roles.

Self-Check

What if we changed from attaching policies to each user individually to using groups? How would the time complexity change?
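
To explore this question offline, the added example below (not part of the original page) swaps the real client for a call-counting stand-in and compares direct attachment with group membership, for provisioning and for a later policy swap. CountingIAM, provision, swap_policy, call_counts and the group name "readers" are hypothetical; the method names mirror the boto3 IAM client, and the permission-check step is left out of the counts.

```python
# Added example: CountingIAM, provision, swap_policy, call_counts are illustrative names.
from collections import Counter

READ_ONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"
VIEW_ONLY = "arn:aws:iam::aws:policy/job-function/ViewOnlyAccess"

class CountingIAM:
    """Offline stand-in for boto3.client('iam'): any method call is only counted."""
    def __init__(self):
        self.calls = Counter()

    def __getattr__(self, name):
        def record(**kwargs):
            self.calls[name] += 1
            return {}
        return record

def provision(iam, n, use_group):
    """Create n users with ReadOnlyAccess, attached directly or via one group."""
    if use_group:
        iam.create_group(GroupName="readers")
        iam.attach_group_policy(GroupName="readers", PolicyArn=READ_ONLY)
    for i in range(1, n + 1):
        iam.create_user(UserName=f"user{i}")
        if use_group:
            iam.add_user_to_group(GroupName="readers", UserName=f"user{i}")
        else:
            iam.attach_user_policy(UserName=f"user{i}", PolicyArn=READ_ONLY)

def swap_policy(iam, n, use_group):
    """Replace ReadOnlyAccess with ViewOnlyAccess for every user."""
    if use_group:
        iam.detach_group_policy(GroupName="readers", PolicyArn=READ_ONLY)
        iam.attach_group_policy(GroupName="readers", PolicyArn=VIEW_ONLY)
        return
    for i in range(1, n + 1):
        iam.detach_user_policy(UserName=f"user{i}", PolicyArn=READ_ONLY)
        iam.attach_user_policy(UserName=f"user{i}", PolicyArn=VIEW_ONLY)

def call_counts(n, use_group):
    """Return (provisioning calls, policy-swap calls) for n users."""
    iam = CountingIAM()
    provision(iam, n, use_group)
    after_provision = sum(iam.calls.values())
    swap_policy(iam, n, use_group)
    return after_provision, sum(iam.calls.values()) - after_provision

if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, "direct:", call_counts(n, False), "group:", call_counts(n, True))
```

Provisioning stays linear either way because each user still needs its own create and membership call; only the policy change stops depending on n once the policy lives on the group.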