AWS IAM Users, Groups, and Roles

  • A user can represent a real person who requires access to operate and maintain your AWS environment
  • Or it can be an account used by an application that requires permissions to access your AWS resources programmatically
  • Permissions can be assigned to the user directly or inherited from a group
  • Users can be created via the AWS Management Console or programmatically (AWS CLI, IAM HTTP API, Tools for Windows PowerShell)
  • IAM Groups are objects, like user objects
  • Groups are not used in the authentication process
  • They are used to authorize access through AWS Policies
  • IAM Groups contain Users and have IAM policies associated with them
IAM Group
  • AWS has a default maximum limit of a hundred groups
  • A user can only be associated with 10 groups
IAM Role
  • Roles don’t have any access keys or credentials associated with them. The credentials are dynamically assigned by AWS
  • You can alter the permissions assigned to the Role and all the EC2 instances associated with it will have the correct access
  1. AWS Service Role (e.g. Amazon EC2, AWS Lambda)
  2. AWS Service-Linked Role — these are predefined by AWS and the permissions can’t be altered in any way, as they are set to perform a specific function (e.g. Amazon Lex Bots and Amazon Lex Channels)
  3. A role for Cross-Account Access — this role type offers two options: providing access between AWS accounts that you own, and providing access between an account that you own and a third-party AWS account. This access is managed by policies that establish trusting and trusted accounts and explicitly allow a trusted principal to access specific resources.
  4. A role for Identity Provider Access — this role offers 3 different options.
    4.1 Grant access to web identity providers — creates a trust for users authenticated by Amazon Cognito, Amazon, Facebook, Google, or another provider
    4.2 Grant Web Single Sign-On to SAML Providers — allows access for users coming from a Security Assertion Markup Language (SAML) provider
    4.3 Grant API Access to SAML Providers — allows access from a SAML provider via the AWS CLI, SDKs, or API calls
  • There are circumstances where you need to grant temporary access to a resource for a particular user
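As an added example (not code from the original post), the trusting/trusted relationship behind the cross-account role in point 3 expressed as the role's trust policy, plus a small review check a defender would run over such a policy. The account IDs and the external ID are constructed placeholders; the `sts:ExternalId` condition and the `aws:MultiFactorAuthPresent` key are real IAM condition keys assumed here for the third-party case.

```python
import json

# Constructed sample account IDs (not real AWS accounts).
TRUSTING_ACCOUNT = "111111111111"  # owns the role and the resources
TRUSTED_ACCOUNT = "222222222222"   # whose principals may assume the role


def cross_account_trust_policy(trusted_account, external_id=None, mfa_required=False):
    """Trust policy for a role in the trusting account that lets principals in
    trusted_account call sts:AssumeRole.  For a third-party account, external_id
    adds the sts:ExternalId condition that blocks the confused-deputy problem."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    conditions = {}
    if external_id:
        conditions["StringEquals"] = {"sts:ExternalId": external_id}
    if mfa_required:
        conditions["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if conditions:
        statement["Condition"] = conditions
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy, own_accounts):
    """Review a trust policy and return the problems a reviewer would raise
    ([] means none): wildcard principals, and whole foreign accounts trusted
    without an sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else list(aws)
        condition_text = json.dumps(stmt.get("Condition", {}))
        for arn in aws:
            if arn == "*":
                findings.append("statement trusts any AWS principal")
            elif arn.endswith(":root"):
                account = arn.split(":")[4]  # arn:aws:iam::ACCOUNT:root
                if account not in own_accounts and "sts:ExternalId" not in condition_text:
                    findings.append(f"whole account {account} trusted without sts:ExternalId")
    return findings


if __name__ == "__main__":
    # The trusted account then obtains temporary credentials with, for example:
    #   aws sts assume-role --role-arn arn:aws:iam::111111111111:role/ROLE --role-session-name review
    policy = cross_account_trust_policy(TRUSTED_ACCOUNT, external_id="example-external-id")
    print(json.dumps(policy, indent=2))
    print(trust_policy_findings(policy, own_accounts={TRUSTING_ACCOUNT}))
```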
How to create Users, Groups, and Roles
Nadtakan Futhoem — Sr. Software Engineer