IAM User, Group & Policy

IAM User & Group

  • A user represents a person or application in your organization that interacts with the AWS console, CLI or APIs.
  • When you create an AWS account, AWS creates a root user with unrestricted access to everything in the account. Do not share its credentials, protect it with MFA, and use it only for the few tasks that require it; create IAM users (or roles) for everyday work.
  • Permissions can be attached directly to a user, but attaching them through groups is easier to audit and keep consistent.
  • A group is a collection of IAM users, and membership is managed as a simple list. A user can belong to several groups, but a group cannot contain another group, and a group is not a principal: nobody signs in as a group and a group cannot be named in a resource-based policy.
  • Permissions are granted to a group by attaching policies; every member inherits them, which is far easier than managing permissions for each individual user.
  • An IAM user can have any combination of credentials: a console password, access keys (access key ID and secret access key) for CLI and API calls, X.509 signing certificates, SSH public keys for CodeCommit, and an MFA device.
  • Access keys can be created, rotated, deactivated and deleted per user. Deactivating a key is the quick way to cut off a suspected leaked key while you investigate, without deleting it.
  • Users are global entities. No region is specified when you create a user, and the same user exists in every region of the account.

IAM Policy

  • A policy is an object in AWS that, when attached to an identity or a resource, defines permissions. Policies are written as JSON documents (ACLs excepted, see below).
  • A newly created IAM user has no permissions (implicit deny) until a policy is attached to the user, or to a group the user belongs to.
  • Types of policy:
  • Identity-based policies — attached to users, groups and roles. They come as managed policies (AWS managed, maintained by AWS; or customer managed, created in your account and reusable across identities) and inline policies, which are embedded in a single identity and deleted with it.
  • Resource-based policies — attached to a resource and must name a Principal. The most common examples are Amazon S3 bucket policies and IAM role trust policies.
  • Service control policies (SCPs) — applied through AWS Organizations to the organization root, an OU or an individual account. They set the maximum permissions available to identities in member accounts; they never grant permissions by themselves, and an action an SCP does not allow stays denied even if an identity-based policy allows it.
  • Access control lists (ACLs) — similar to resource-based policies in that they control which principals in other accounts can access a resource, but they are the only policy type that does not use the JSON policy document structure.

Policy Structure

A JSON policy document has the following structure.

A policy consists of

  • Version: the policy language version; always use "2012-10-17" (the older "2008-10-17" does not support policy variables)
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

Each statement (a policy may contain one or more) consists of

  • Sid: an identifier for the statement (optional; must be unique within the policy)
  • Effect: whether the statement allows or denies access (Allow or Deny)
  • Principal: the account, user, role or service the statement applies to; required in resource-based policies and omitted in identity-based policies, where the principal is implicitly the identity the policy is attached to
  • Action: the list of API actions the statement allows or denies (wildcards such as s3:Get* are permitted)
  • Resource: the list of resource ARNs the actions apply to
  • Condition: conditions under which the statement is in effect (optional), for example restricting to a source IP range or requiring MFA
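The user, group and policy-structure material above, as an added worked example in Python. This code is not from the original page and does not call AWS; the bucket name, group names, users and policies are constructed for the example. It builds identity-based policy documents with the Version, Statement, Sid, Effect, Action and Resource fields described, checks their structure (including that an identity-based policy carries no Principal), derives a user's effective policy set from inline policies plus the policies of every group the user belongs to, and evaluates a request the way IAM does for identity-based policies within a single account: implicit deny by default, and an explicit Deny overriding any Allow. Condition elements, resource-based policies, SCPs and permissions boundaries are deliberately left out of this simplified evaluator.

```python
import fnmatch

# Constructed sample policies for this example; bucket and group names are hypothetical.
S3_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowReadReports",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
}
DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "DenyDelete", "Effect": "Deny",
                   "Action": "s3:DeleteObject", "Resource": "*"}],
}
S3_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Group membership and group policies, modelled as in the user & group section above.
GROUPS = {"analysts": [S3_READ, DENY_DELETE], "s3-admins": [S3_ADMIN]}
USERS = {
    "alice": {"groups": ["analysts"], "inline": []},
    "bob": {"groups": ["analysts", "s3-admins"], "inline": []},
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single string or a list."""
    return value if isinstance(value, list) else [value]


def validate_identity_policy(policy):
    """Return a list of structural problems ([] if the document is well formed)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    if "Statement" not in policy:
        return problems + ["Statement is required"]
    for stmt in _as_list(policy["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        for key in ("Effect", "Action", "Resource"):
            if key not in stmt:
                problems.append(f"{sid}: {key} is required")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
        # Identity-based policies name no Principal; the attached identity is implicit.
        if "Principal" in stmt:
            problems.append(f"{sid}: Principal is only valid in resource-based policies")
    return problems


def statement_applies(stmt, action, resource):
    """True if the statement's Action and Resource patterns match the request.
    IAM wildcards '*' and '?' behave like shell globs; action names match
    case-insensitively, ARNs case-sensitively. Condition is not modelled here."""
    action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                     for p in _as_list(stmt["Action"]))
    resource_hit = any(fnmatch.fnmatchcase(resource, p)
                       for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Simplified IAM evaluation for identity-based policies within one account:
    start from implicit deny; an explicit Deny in any statement wins; otherwise
    any matching Allow grants access."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if statement_applies(stmt, action, resource):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                allowed = True
    return "allow" if allowed else "implicitDeny"


def policies_for(user):
    """Effective policy set: inline policies plus the policies of every group the user is in."""
    record = USERS[user]
    policies = list(record["inline"])
    for group in record["groups"]:
        policies.extend(GROUPS[group])
    return policies


def check(user, action, resource):
    return evaluate(policies_for(user), action, resource)


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-reports/q1.csv"
    for user, action in [("alice", "s3:GetObject"), ("alice", "s3:PutObject"),
                         ("bob", "s3:PutObject"), ("bob", "s3:DeleteObject")]:
        print(f"{user:6} {action:16} -> {check(user, action, obj)}")
```

The instructive case is bob: membership in s3-admins gives him s3:* on every resource, yet s3:DeleteObject still evaluates to an explicit deny because the analysts group carries a Deny statement, and in IAM an explicit Deny in any attached policy beats every Allow. This is why a Deny placed on a shared group is a reliable guardrail, and why adding a user to one more group can only widen, never narrow, what an existing Deny blocks.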
