AWS IAM Users, Groups, and Roles

  • An IAM user can represent a real person who needs access to operate and maintain your AWS environment
  • Or it can be an identity used by an application that needs permissions to call your AWS resources programmatically (via access keys)
  • Permissions can be attached directly to the user or inherited from the groups the user belongs to
  • Users can be created via the AWS Management Console or programmatically (AWS CLI, IAM HTTP API, Tools for Windows PowerShell)
  • IAM groups are IAM objects like users, but a group is a collection of users rather than an identity in its own right
  • Groups are not used in the authentication process: a group cannot sign in, has no credentials, and cannot be named as a principal in a policy
  • They are used to authorize access: the IAM policies attached to a group apply to every user in it
  • An IAM group contains users and has IAM policies associated with it; managing permissions at the group level keeps individual user policies to a minimum
IAM Group
  • AWS limits an account to 300 groups by default (this quota can be raised)
  • A user can belong to at most 10 groups (this limit cannot be raised)
IAM Role
  • Roles don’t have long-term access keys or passwords associated with them. When a role is assumed, AWS STS issues temporary credentials that expire automatically
  • If you change the permissions attached to a role, every EC2 instance (or other principal) that assumes the role gets the new permissions on its next call, with no credentials to rotate
  1. AWS Service Role (e.g. for Amazon EC2 or AWS Lambda): the trust policy names the service principal, such as ec2.amazonaws.com, and the service assumes the role on behalf of your instance or function
  2. AWS Service-Linked Role: these are predefined by AWS and their permissions can’t be altered in any way, as they are set to perform a specific function (e.g. Amazon Lex Bots and Amazon Lex Channels)
  3. A role for Cross-Account Access: this role type offers two options, providing access between AWS accounts that you own, and providing access between an account that you own and a third-party AWS account. This access is managed by policies that establish the trusting and trusted accounts and explicitly allow a trusted principal to access specific resources. For a third-party account, the trust policy should also require an External ID so that the third party cannot be tricked into assuming your role on someone else’s behalf (the confused-deputy problem)
  4. A role for Identity Provider Access: this role type offers 3 different options.
    4.1 Grant access to web identity providers: creates a trust for users authenticated by Amazon Cognito, Login with Amazon, Facebook, Google, or another OpenID Connect provider
    4.2 Grant Web Single Sign-On to SAML providers: allows console access for users coming from a Security Assertion Markup Language (SAML) identity provider
    4.3 Grant API Access to SAML providers: allows access from a SAML provider via the AWS CLI, SDKs, or API calls
  • There are circumstances where you need to grant temporary access to a resource for a particular user. Rather than creating long-term access keys, let the user assume a role: sts:AssumeRole returns credentials that are valid for a limited session (one hour by default) and then stop working
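The following is an added example and is not code from the original post. It builds the trust policies for the service, cross-account and SAML role types listed above, plus the identity policy you would attach to a group so its users can assume a role, and includes a small evaluator so you can see offline why the External ID matters. The account IDs, the external ID and the SAML provider ARN are constructed placeholders; the evaluator only understands the policy shapes this script produces and is not a general IAM policy engine.

```python
"""Offline builder and checker for IAM trust policies (added example)."""
import json
import re

POLICY_VERSION = "2012-10-17"
OUR_ACCOUNT = "111111111111"            # constructed: account that owns the role
PARTNER_ACCOUNT = "222222222222"        # constructed: third-party account we trust
EXTERNAL_ID = "example-external-id-42"  # constructed: use a random value in practice
SAML_PROVIDER_ARN = f"arn:aws:iam::{OUR_ACCOUNT}:saml-provider/ExampleIdP"  # constructed

ACCOUNT_RE = re.compile(r"^\d{12}$")


def ec2_service_role_trust():
    """Trust policy for an AWS service role that EC2 instances assume."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def cross_account_trust(trusted_account, external_id=None, require_mfa=False):
    """Trust policy letting another account assume the role.

    For a third party, external_id is the value the partner must present in
    sts:AssumeRole; without it, anyone who knows the role ARN could have the
    partner assume the role for them (confused deputy).
    """
    if not ACCOUNT_RE.match(trusted_account):
        raise ValueError(f"not a 12-digit AWS account id: {trusted_account!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    condition = {}
    if external_id:
        condition["StringEquals"] = {"sts:ExternalId": external_id}
    if require_mfa:
        condition["Bool"] = {"aws:MultiFactorAuthPresent": "true"}
    if condition:
        statement["Condition"] = condition
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def saml_trust(provider_arn, web_sso=True):
    """Trust policy for a SAML identity-provider role.

    Web SSO and API access both use sts:AssumeRoleWithSAML; the web SSO
    variant additionally pins the assertion audience to the AWS sign-in URL.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Federated": provider_arn},
        "Action": "sts:AssumeRoleWithSAML",
    }
    if web_sso:
        statement["Condition"] = {
            "StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}
        }
    return {"Version": POLICY_VERSION, "Statement": [statement]}


def group_assume_role_policy(role_arn):
    """Identity policy for a group: its users may assume exactly this role."""
    return {
        "Version": POLICY_VERSION,
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def assume_role_allowed(trust, caller_account, external_id=None, mfa=False):
    """True if an Allow statement in `trust` matches the caller account and
    all of its conditions hold. Handles only the shapes built above."""
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRole":
            continue
        if stmt.get("Principal", {}).get("AWS") != f"arn:aws:iam::{caller_account}:root":
            continue
        cond = stmt.get("Condition", {})
        wanted_id = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted_id is not None and wanted_id != external_id:
            continue
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa:
            continue
        return True
    return False


if __name__ == "__main__":
    trust = cross_account_trust(PARTNER_ACCOUNT, external_id=EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    # Partner presenting the external ID is allowed; a call that omits it is not.
    print(assume_role_allowed(trust, PARTNER_ACCOUNT, external_id=EXTERNAL_ID))
    print(assume_role_allowed(trust, PARTNER_ACCOUNT))
```

The `json.dumps(...)` output of any of the trust builders is the document you pass as `--assume-role-policy-document` to `aws iam create-role`; the group policy goes to `aws iam put-group-policy` or is attached as a managed policy. The evaluator is there to show the check AWS STS performs conceptually: the same partner account is rejected when the External ID is missing, and an MFA condition rejects callers whose session was not MFA-authenticated.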
How to create Users, Groups, and Roles
Nadtakan Futhoem — Sr. Software Engineer
