Notes on AWS Users, Groups, Roles, and Policies
updated: December 29, 2020
AWS Identity and Access Management (IAM) is probably the most important service AWS offers. It is required for securing an account, managing its users, and letting one AWS service call another. Permissions are managed through an interlocking system of users, groups, roles, and policies.
The functionality of users, groups, roles, and policies overlaps considerably. A policy can either be placed inline on a single identity or be managed as a standalone object that is attached to many identities. Users, groups, and roles can also be connected to one another. To illustrate these relationships, users, groups, roles, policies, and permissions boundaries are each described and outlined below. The outlines summarize the features available for each through the AWS Management Console.
Users
An identity with long-term credentials (a console password and/or access keys) that can sign in to and interact with AWS.
Outline Of Features:
Inline Policy
Attaches To:
Policies
Permissions Boundary
Groups
Security Credentials
Access Advisor
Tags
Roles
An identity that carries a set of permissions but has no long-term credentials of its own; whoever assumes it receives temporary credentials for a session. A trust policy restricts which principals are able to assume the role. Roles are typically assumed by an AWS service, but they can also be assumed by an IAM user, another role, another AWS account, or a federated identity. Groups cannot assume roles, because a group is not a principal.
Outline Of Features:
Inline Policy
Trust Policy
Attaches To:
Policies
Permissions Boundary
Access Advisor
Revoke Session
Tags
Groups
A collection of IAM users. Policies attached to a group apply to every user in it. Groups exist only to organize users: they cannot be nested, cannot contain roles, and cannot be named as a principal (for example in a trust policy).
Outline Of Features:
Inline Policy
Attaches To:
Policies
Users
Access Advisor
Policies
A JSON document that lists which actions a principal is allowed or denied on which resources. An inline policy is embedded in a single user, group, or role and is deleted with it; a managed policy is a standalone, versioned object that can be attached to many users, groups, and roles at once. The outline below covers managed policies; inline policies appear under the identity they belong to.
Outline Of Features:
Attaches To:
Users
Roles
Groups
Versioning
Access Advisor
Permissions Boundary
A managed policy used to set the maximum permissions an IAM user or role can have. It grants nothing by itself: the effective permissions are the intersection of the identity-based policies and the boundary, and an explicit Deny in either still wins. Boundaries cannot be set on groups.
Outline Of Features:
Attaches To:
Users
Roles
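The two mechanisms above that most often confuse people are the trust policy on a role (who may assume it) and the permissions boundary (the ceiling on what the identity may then do). The following is an added example, not code from the original notes: it builds a constructed trust policy, permissions policy, and boundary, then applies a deliberately simplified model of the documented IAM evaluation rules (explicit Deny wins; with a boundary, both the identity policy and the boundary must Allow). The account ID, user names, and bucket ARNs are placeholders, and SCPs, session policies, resource-based policies, and Condition blocks are not modelled.

```python
"""Offline model of trust policy checks and permissions-boundary intersection.
Added example; placeholder account, users, and buckets are constructed."""
import fnmatch

ACCOUNT = "123456789012"  # placeholder account ID (assumption)

# Trust policy on the role: only the user "alice" may call sts:AssumeRole.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:user/alice"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity-based permissions policy attached to the role (broad on purpose).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateUser", "Resource": "*"},
    ],
}

# Permissions boundary: caps the role at read-only S3 and grants nothing itself.
BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::secret-bucket/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM action and resource strings accept '*' and '?' wildcards; fnmatch
    # is close enough for this model. Callers lowercase actions because IAM
    # treats action names case-insensitively; ARNs stay case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow', or None (implicit deny) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not _matches(actions, action.lower()):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides any Allow
        result = "Allow"
    return result


def is_allowed(action, resource, permissions_policy, boundary=None):
    """Simplified decision: Deny anywhere blocks; with a boundary, both the
    identity policy and the boundary must Allow (the boundary grants nothing)."""
    decision = evaluate_policy(permissions_policy, action, resource)
    if decision == "Deny":
        return False
    if boundary is not None and evaluate_policy(boundary, action, resource) != "Allow":
        return False  # implicit or explicit deny in the boundary blocks the call
    return decision == "Allow"


def can_assume(trust_policy, principal_arn):
    """True if the trust policy lists principal_arn as allowed to call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt["Action"])]
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if stmt["Effect"] == "Allow" and _matches(actions, "sts:assumerole") \
                and principal_arn in principals:
            return True
    return False


if __name__ == "__main__":
    data = "arn:aws:s3:::data-bucket/report.csv"
    secret = "arn:aws:s3:::secret-bucket/keys.txt"
    for action, res in [("s3:GetObject", data), ("s3:PutObject", data),
                        ("iam:CreateUser", "*"), ("s3:GetObject", secret)]:
        print(f"{action:15} {res:38} -> {is_allowed(action, res, PERMISSIONS_POLICY, BOUNDARY)}")
    print("alice can assume:", can_assume(TRUST_POLICY, f"arn:aws:iam::{ACCOUNT}:user/alice"))
    print("bob can assume:  ", can_assume(TRUST_POLICY, f"arn:aws:iam::{ACCOUNT}:user/bob"))
```

Running it shows the boundary doing its job: s3:GetObject on the data bucket passes because both documents allow it, s3:PutObject and iam:CreateUser fail even though the permissions policy allows them (the boundary never mentions them), and s3:GetObject on the secret bucket fails on the boundary's explicit Deny. Drop the boundary argument and iam:CreateUser becomes allowed, which is exactly the privilege-escalation path a boundary is meant to close. For real accounts, check the same questions with `aws iam simulate-principal-policy` rather than this model.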