Basics of AWS IAM: Users, Groups, Policies

This blog post is a simple primer or refresher on the basics of IAM, such as users, groups and policies.

IAM is a tool inside AWS that helps you manage all the aspects of your architecture related to identities, policies, etc.

Let us begin with IAM Policies.

IAM Policies: A policy is an object in AWS that, when associated with an identity or resource, defines its permissions.

For example, when a user Sam is assigned an IAM policy, he may gain many new powers (permissions) as well as limitations. He may have access to many services and resources inside AWS while, at the same time, how he can use them is limited.

There are two types of IAM policies:

  1. Inline Policies
  2. Managed Policies

Inline Policies are used only when special or exceptional permissions need to be applied. If a permission or policy needs to apply only to a particular user/group, we assign an inline policy to it, either when the identity is created or afterwards.

Managed Policies are of two types:

  1. AWS Managed Policies: Managed by AWS
  2. Customer Managed Policies: Managed by customers

When a policy is to be applied to a large number of users or identities, applying policies to each one individually becomes difficult, so we apply Managed Policies.

Managed policies are reusable: once created, they can be applied to any user or group. An inline policy, by contrast, is specific to one user/group and cannot be used elsewhere.

Another important aspect when it comes to applying policies is the order of precedence.

Explicit Deny >> Explicit Allow >> Deny

If a policy explicitly denies a user access to a resource, that deny takes precedence over any policy that explicitly allows the access.

If there is neither an explicit allow nor an explicit deny, AWS denies access to the resource by default.
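
The precedence rule above, as a simplified evaluator (an added example, not part of the original post). It models identity policies only and ignores conditions, resource policies and other policy types; the function names, bucket names and the `DefaultDeny` label are constructed for illustration.

```python
import re

def _as_list(value):
    # IAM accepts either a single item or a list for Statement, Action and Resource.
    return list(value) if isinstance(value, (list, tuple)) else [value]

def _wildcard_match(pattern, value, ignore_case=False):
    # Translate the IAM wildcards '*' (any run) and '?' (one character) to a regex.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def evaluate(policies, action, resource):
    """Return 'ExplicitDeny', 'Allow' or 'DefaultDeny' for a single request."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            # Action names are matched case-insensitively, resource ARNs are not.
            if not any(_wildcard_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # one matching Deny beats every Allow
            allowed = True
    return "Allow" if allowed else "DefaultDeny"

# Constructed sample: a reusable managed policy plus an inline policy for user Sam.
MANAGED_S3_READ = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}
SAM_INLINE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Deny", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-payroll-bucket/*"}}
SAM_POLICIES = [MANAGED_S3_READ, SAM_INLINE]

if __name__ == "__main__":
    for action, resource in [
        ("s3:GetObject", "arn:aws:s3:::example-reports-bucket/q1.csv"),
        ("s3:GetObject", "arn:aws:s3:::example-payroll-bucket/salaries.csv"),
        ("s3:PutObject", "arn:aws:s3:::example-reports-bucket/q1.csv"),
    ]:
        print(f"{action} on {resource}: {evaluate(SAM_POLICIES, action, resource)}")
```

The result does not depend on the order in which the policies are listed: the inline Deny wins even though the managed Allow also matches.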

IAM Users: An IAM user is an identity used for anything requiring long-term AWS access, e.g. humans, applications, or service accounts.

There can be 5000 IAM users per account. If you need more users, you can send an email to AWS support to increase the number of users.

An IAM user can be a part of 10 groups.

IAM Groups: IAM groups are containers for users.

  • There can be 300 groups per account. A resource policy cannot grant access to a group.
  • There is no built-in default group that contains all users, but you can add all users in an account to one IAM group yourself. Nesting of groups is not allowed in AWS.

IAM Roles

  • A role is an identity assumed for a short period of time.
  • An IAM role is used when the identity (user/application) has multiple entities.
  • An IAM role represents a level of access inside the AWS account.

There are two parts to an IAM role:

  1. Trust Policy
  2. Permission Policy

Trust Policy: This decides which identities can assume a particular role.
If IAM allows an identity to assume the role, it gives that identity temporary security credentials.

These credentials are time-limited. Every time the temporary credentials are used, access is checked against the role's permission policy.

We use IAM roles when external on-premises accounts try to access AWS resources. They assume a role that gives them temporary credentials to access these resources.