IAM Core Concepts - Users, Groups, Roles and Policies

Authentication is done in IAM through following core concepts: users, groups or roles, and authorization is done through policies.


Users and Groups

Users and groups control an individual's access to AWS services. 

IAM Users can be grouped into Groups



We can attach roles to services.

Roles allow

  1. one AWS service to interact with another,

  2. one AWS account to interact with another (Cross Account Access), or

  3. for Identity provider (IdP) access service compatible with SAML 2.0 or OpenID Connect, or a custom-built identity broker, etc.

E.g. A role can be used to allow EC2 instance to write to S3 bucket.

Read more about roles here.



IAM Users, IAM Groups and IAM Roles use policies to do authorization (granting permissions). 

Permissions are granted using policy documents that you attach to users, groups, or roles.

You can create custom permissions (e.g. setup password rotation policies.) or use a predefined policy template (e.g. Administrator Access, Amazon EC2 Full Access).

You can also grant permissions for users outside of AWS (federated users). For instance, you can request security credentials with configurable expirations for users who you manage in your corporate directory. You can also use Identity Federation with Facebook, Linkedin etc. Read more here.


Policies are categorized as managed policies or inline policy.

  1. Managed policies

    1. are reusable policies. 

    2. can be AWS managed policy or Customer managed policy.

  2. Inline policies 

    1. belong to a particular role, user or group

    2. is easy to maintain inline policies with CloudFormation.


Important Points (Exam Tips)

  1. IAM Users can be grouped into Groups, but not IAM Roles.  

  2. We can attach roles to services, but users cannot be attached to services. E.g. IAM roles can be associated with an EC2 instance, IAM users cannot be associated with an EC2 instance.

  3. IAM users can have password, access key, whereas, IAM roles do not have password or access key.

Learn Serverless from Serverless Programming Cookbook


Please first use the contact form or facebook page messaging to connect.

Offline Contact
We currently connect locally for discussions and sessions at Bangalore, India. Please follow us on our facebook page for details.
WhatsApp (Primary): (+91) 7411174113
Phone (Escalations): (+91) 7411174114

Business newsletter

Complete the form below, and we'll send you an e-mail every now and again with all the latest news.


Cloudericks.com is my blog to share notes and learning materials on Cloud and Data Analytics. My current focus is on Amazon Web Services.

I like to write. I try to document what I learn and share with others. I believe that knowledge is useless unless you share it; the more you share, the more you learn.

Recent comments

Photo Stream