AWS IAM Users, Groups, and Roles

Nadtakan Futhoem
3 min readJul 5, 2021

Users — objects created to represent an identity

  • A user can represent a real person who requires access to operate and maintain your AWS environment
  • Or it can be an identity used by an application that requires permissions to access your AWS resources programmatically (via access keys)
  • Permissions can be attached directly to the user or inherited from the groups the user belongs to

Creating Users

  • Users can be created via the AWS Management Console or programmatically (AWS CLI, IAM API, AWS Tools for Windows PowerShell)

Groups — IAM Groups are objects

  • IAM Groups are objects, like user objects, but a group is a collection of users rather than an identity in its own right
  • Groups are not used in the authentication process: you cannot sign in as a group, and a group has no credentials
  • They are used to authorize access through IAM policies
  • IAM Groups contain Users and have IAM policies attached; every member inherits those policies

IAM Group

Creating Groups

  • AWS has a default quota of 300 groups per account
  • A user can belong to at most 10 groups
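To make the two points above concrete (groups only authorize, and a user's permissions are the union of its own policies and its groups' policies), here is an added example that is not from the original article: a small, offline model of how IAM resolves identity-based policies for a user. It follows the documented evaluation order for identity policies (an explicit Deny in any matching statement wins, then any Allow grants, otherwise implicit deny) and enforces the 10-groups-per-user quota. The users, groups and policy documents are constructed for illustration; real IAM also considers SCPs, permissions boundaries, resource-based and session policies, which are out of scope here.

```python
"""Simplified model of IAM identity-policy resolution for users and groups.

Added example, not the article's code. Sample users, groups and policies
are constructed; only identity-based policies are modelled.
"""
from fnmatch import fnmatchcase

MAX_GROUPS_PER_USER = 10  # default IAM quota mentioned in the article

# Constructed identity-based policies, in the same shape as IAM policy documents.
POLICIES = {
    "S3ReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]},
    "DenyProdBucket": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:*", "Resource": "arn:aws:s3:::prod-data*"}]},
    "EC2Describe": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]},
}

# Constructed groups: group name -> attached policy names.
GROUPS = {
    "Developers": ["S3ReadOnly", "EC2Describe"],
    "Contractors": ["DenyProdBucket"],
}

# Constructed users: user name -> (group memberships, directly attached policies).
USERS = {
    "alice": (["Developers"], []),
    "bob": (["Developers", "Contractors"], []),
    "svc-deploy": ([], ["EC2Describe"]),
}


def add_user_to_group(user_groups, group):
    """Return the updated membership list, enforcing the 10-groups-per-user quota."""
    if group in user_groups:
        return user_groups
    if len(user_groups) >= MAX_GROUPS_PER_USER:
        raise ValueError(
            f"quota exceeded: a user may belong to at most {MAX_GROUPS_PER_USER} groups")
    return user_groups + [group]


def effective_statements(user):
    """Union of statements from the user's direct policies and from every group it is in."""
    groups, direct = USERS[user]
    names = list(direct)
    for g in groups:
        names.extend(GROUPS[g])
    return [s for n in names for s in POLICIES[n]["Statement"]]


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _matches(statement, action, resource):
    """IAM-style wildcard matching ('*' and '?') on Action and Resource."""
    return (any(fnmatchcase(action, a) for a in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, r) for r in _as_list(statement["Resource"])))


def is_allowed(user, action, resource):
    """Evaluation order for identity policies: explicit Deny wins over any Allow;
    with no matching Allow the request is implicitly denied."""
    matched = [s for s in effective_statements(user) if _matches(s, action, resource)]
    if any(s["Effect"] == "Deny" for s in matched):
        return False
    return any(s["Effect"] == "Allow" for s in matched)


if __name__ == "__main__":
    # alice inherits S3 read access from Developers
    print(is_allowed("alice", "s3:GetObject", "arn:aws:s3:::prod-data/report.csv"))
    # bob is in Developers too, but the Deny inherited from Contractors wins
    print(is_allowed("bob", "s3:GetObject", "arn:aws:s3:::prod-data/report.csv"))
    # the Deny is scoped to prod-data*, so other buckets stay readable for bob
    print(is_allowed("bob", "s3:GetObject", "arn:aws:s3:::dev-data/report.csv"))
    # svc-deploy has only a direct EC2 policy: S3 is implicitly denied
    print(is_allowed("svc-deploy", "s3:GetObject", "arn:aws:s3:::dev-data/report.csv"))
```

The point to notice is that bob's membership in a second group can only ever remove access (through the Deny) or add it (through an Allow); group membership never changes who bob authenticates as.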

Roles — an IAM Role is an identity that is assumed rather than signed in to; assuming it yields a set of temporary credentials carrying the role's permissions

IAM Role

The benefits of using IAM Roles

  • Roles don't have long-term access keys or passwords associated with them. When a role is assumed, AWS STS issues short-lived credentials that expire automatically and never need manual rotation
  • You can alter the permissions assigned to the Role and all the EC2 instances associated with it (through its instance profile) immediately have the correct access, with no keys to redistribute

There are currently 4 different types of Roles (matching the four trusted-entity choices offered when you create a role)

  1. AWS Service Role — assumed by an AWS service (e.g. Amazon EC2, AWS Lambda) to act on your behalf
  2. AWS Service-Linked Role — these are predefined by AWS and linked to a specific service; the permissions can't be altered in any way as they are set to perform a specific function (e.g. Amazon Lex Bots and Amazon Lex Channels)
  3. A role for Cross-Account Access — this role type offers two options: providing access between AWS accounts that you own, and providing access between an account that you own and a third-party AWS account. This access is managed by policies that establish trusting and trusted accounts and explicitly allow a trusted principal to access specific resources. For a third-party account, add an sts:ExternalId condition to the trust policy so the third party cannot be tricked into assuming your role on behalf of one of its other customers (the confused deputy problem).
  4. A role for Identity Provider Access — this role type offers 3 different options.
    4.1 Grant access to web identity providers — creates a trust for users federated through Amazon Cognito, Login with Amazon, Facebook, Google, or another OpenID Connect provider
    4.2 Grant Web Single Sign-On to SAML providers — allows console access for users coming from a Security Assertion Markup Language (SAML) 2.0 provider
    4.3 Grant API access to SAML providers — allows access from a SAML provider via the AWS CLI, SDKs, or API calls
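What distinguishes the four role types is the trust policy: the document that says who may call sts:AssumeRole (or its web-identity and SAML variants) on the role. The following added example is not from the original article; it builds the trust policy for each type described above and runs the review checks a practitioner would apply before creating the role. The account IDs (111122223333, 444455556666), the provider name, the Cognito identity pool ID and the external ID are constructed placeholders; the condition keys (sts:ExternalId, cognito-identity.amazonaws.com:aud, SAML:aud) and the three sts actions are the real ones.

```python
"""Trust policies for the four IAM role types, plus a reviewer's lint.

Added example, not the article's code. Account IDs, names and IDs are
constructed placeholders. A role's permissions live in separate policies
and are not modelled here; only the trust (who-may-assume) side is.
"""
import json
import secrets

VERSION = "2012-10-17"
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def service_role_trust(service):
    """Type 1: an AWS service principal (e.g. ec2.amazonaws.com) assumes the role."""
    return {"Version": VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole"}]}


def cross_account_trust(trusted_account_id, external_id=None):
    """Type 3: principals in another account assume the role.
    For a third-party account, sts:ExternalId must match the value agreed
    with that party; without it the role is open to the confused deputy."""
    stmt = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": VERSION, "Statement": [stmt]}


def web_identity_trust(identity_pool_id):
    """Type 4.1: Amazon Cognito identities assume the role; pinned to one identity pool."""
    return {"Version": VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "cognito-identity.amazonaws.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": identity_pool_id}}}]}


def saml_trust(account_id, provider_name):
    """Types 4.2/4.3: users federated through a SAML 2.0 provider registered in IAM.
    SAML:aud pins the assertion's audience to the AWS sign-in endpoint."""
    return {"Version": VERSION, "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}}}]}


def _account_of(arn):
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 else ""


def lint_trust_policy(policy, own_account_id):
    """Return a list of findings; an empty list means the trust policy passed."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy allows any AWS principal to assume the role")
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        aws = principal.get("AWS")
        if aws:
            for arn in (aws if isinstance(aws, list) else [aws]):
                acct = _account_of(arn)
                if acct and acct != own_account_id and "sts:ExternalId" not in cond:
                    findings.append(f"third-party account {acct} trusted without sts:ExternalId")
        if "Federated" in principal and "Condition" not in stmt:
            findings.append("federated principal trusted without an audience (aud) condition")
    return findings


if __name__ == "__main__":
    own, vendor = "111122223333", "444455556666"   # constructed account IDs
    ext = secrets.token_urlsafe(24)                 # random, unguessable external ID
    for name, pol in [
        ("ec2-service-role", service_role_trust("ec2.amazonaws.com")),
        ("vendor-weak", cross_account_trust(vendor)),
        ("vendor-hardened", cross_account_trust(vendor, external_id=ext)),
        ("cognito-app", web_identity_trust("us-east-1:00000000-0000-0000-0000-000000000000")),
        ("corp-sso", saml_trust(own, "corp-idp")),
    ]:
        print(name, json.dumps(pol, indent=2))
        print("  findings:", lint_trust_policy(pol, own) or "none")
```

Running it shows the one trust policy a reviewer should push back on: `vendor-weak`, which trusts the third-party account with no external ID. The same account trusted from within your own organisation (the "accounts that you own" option in item 3) passes without one, because there is no untrusted intermediary to be confused.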

Roles and Users

  • There are circumstances where you need to grant temporary access to a resource for a particular user
How to create Users, Groups, and Roles