IAM – Users, Groups, Roles, Policies

When you first create an AWS account, you are required to provide an email address that uniquely identifies your account and a login password. This combination of email address and password is referred to as the root user credentials of the AWS account. The root user has complete and unrestricted access to all the resources in the AWS account, which is far more than everyday tasks require. AWS therefore recommends creating a first IAM user with admin privileges and locking the root user credentials away securely.

An IAM user is an entity representing a person or an application within an AWS account. Each IAM user within an AWS account must have a unique username and is granted Console access, Programmatic access, or both. IAM users with Console access have a password to log in to the AWS Management Console, whereas users with Programmatic access have a combination of an Access Key ID and a Secret Access Key that lets them programmatically access and manage AWS resources.

When first created, an IAM user does not have any privileges in the AWS account. You can control the privileges granted to each individual user at a granular level.

IAM Groups are a collection of IAM users that can be managed together. For example, an organization can have a developers group which consists of all developer IAM users and a testers group which consists of all tester IAM users. Developer IAM users require a different set of permissions compared to tester IAM users and each group can contain a large number of users depending on the size of the organization.

Maintaining permissions for each individual IAM user is a cumbersome process. Instead, you can create a Group of users and assign permissions to the group, which are then inherited by every user assigned to that group. Furthermore, when an employee moves from one team to another within the organization, the IAM user can simply be reassigned to the new group to receive the set of permissions for the new role.

An IAM role is an IAM identity that can be assumed by another user, application or service. An IAM role does not have long-term credentials associated with it. The user or service that assumes the role receives temporary security credentials for the session.

Who can assume an IAM role?

  • An IAM user within the same AWS account
  • An IAM user from a different AWS account
  • Services such as EC2, Lambda, etc.
  • An external user authenticated through an identity provider

A policy is a JSON document that specifies permissions. It can be attached to an IAM User, Group or Role. Each IAM User/Group/Role can have any number of policies attached, and the entity receives the combination of all permissions specified across all of its attached policies.

AWS provides a library of AWS managed policies that you can attach to an IAM entity. Customers can also create customer managed policies and attach them to IAM entities as required. You can also create in-line policies and embed them directly into IAM entities.

There are 2 types of policies:

  • Identity-based policies
  • Resource-based policies

Identity-based policies are the policies attached to IAM entities such as Users, Groups and Roles, whereas resource-based policies are the ones attached to AWS resources such as S3 buckets. All resource-based policies are in-line policies.
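As an added illustration (not code from the original post), here is a small Python evaluator run over two constructed identity-based policy documents attached to the same IAM user. It shows how attached policies combine, including the rule not spelled out above that an explicit Deny in any attached policy overrides an Allow from any other. It simplifies IAM evaluation by ignoring Condition, NotAction and NotResource elements, and the bucket names are made up.

```python
import fnmatch
import json

# Constructed sample documents: two identity-based policies attached to one IAM user.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}
""")

DENY_SENSITIVE_BUCKET = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-sensitive-bucket/*"}
  ]
}
""")


def _as_list(value):
    # Statement, Action and Resource may each be a single item or a list.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    # Action names are case-insensitive in IAM; resource ARNs are not.
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policies, action, resource):
    """Decide one request against every attached policy.

    Simplified IAM logic (no Condition/NotAction/NotResource): denied by
    default, any matching Allow grants the request, and any matching Deny
    overrides every Allow regardless of the order the policies are attached.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if (_matches(stmt["Action"], action, fold_case=True)
                    and _matches(stmt["Resource"], resource)):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed
```

Attach both sample policies to a user and `is_allowed` permits `s3:GetObject` on an ordinary bucket, refuses `s3:PutObject` everywhere (no Allow matches), and refuses even `s3:GetObject` on the sensitive bucket because the Deny wins.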