IAM User, Group & Policy

  • User represents the person or application within your organization that interacts with AWS console and services.
  • When you create an AWS account, an AWS account root user is created for it; its credentials should not be shared with anyone.
  • We can create a user and add permission directly to the user.
  • Multiple users can be part of a group or more than one group.
  • A group is a collection of IAM users; group membership is managed as a simple list of users.
  • A user can belong to multiple groups but groups cannot belong to other groups.
  • Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
  • IAM users can have any combination of credentials such as an AWS access key, X.509 certificate, SSH key, password for Console, and MFA login.
  • We can also enable and disable an IAM user’s access keys.
  • Users are global entities; no region needs to be specified when you create a user.
  • A policy is an object in AWS that defines the permissions of an AWS user.
  • When you create an IAM user, they can’t access anything in your account until you give them permission.
  • Types of policy:
      • Identity-based policies — AWS-managed policies and customer-managed or inline policies that can be attached to a user, group, or role.
      • Resource-based policies — The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
      • Organizations service control policies (SCPs) — Permissions applied to an AWS Organization, an organizational unit (OU), or the entities within its member accounts.
      • Access control lists (ACLs) — ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure.

A JSON policy document has the following structure.

A policy consists of:

  • Version: policy language version; always include "2012-10-17"
  • Id: an identifier for the policy (optional)
  • Statement: one or more individual statements (required)

Each statement (a policy may contain one or more) consists of:

  • Sid: an identifier for the statement (optional)
  • Effect: whether the statement allows or denies access (Allow, Deny)
  • Principal: the account, user, or role to which this policy applies
  • Action: list of actions this policy allows or denies
  • Resource: list of resources to which the actions apply
  • Condition: conditions for when this policy is in effect (optional)
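As an added example (not code from the original post), a small Python check that applies the element rules above to two constructed policy documents: an identity-based policy for a user or group, and an S3 bucket policy, which is resource-based and therefore must name a Principal. The bucket names, Sids and the `lint_policy` function are assumptions for illustration.

```python
import json
# Constructed sample policies (not from the original post).
# Identity-based policy: attached to a user, group or role, so it names no Principal.
IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadReportsWithMfa", "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})
# Resource-based policy (an S3 bucket policy): the Principal says whom it applies to.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Id": "ExampleBucketPolicy",
    "Statement": [{
        "Sid": "DenyUnencryptedTransport", "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-reports/*",
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

def _as_list(value):  # Action and Resource may be a single string or a list
    return [value] if isinstance(value, str) else list(value or [])

def lint_policy(document: str, resource_based: bool) -> list:
    """Check a policy document against the element rules described above."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not statements:
        return findings + ["Statement is required"]
    if isinstance(statements, dict):  # a single statement may be given as an object
        statements = [statements]
    for i, st in enumerate(statements):
        sid = st.get("Sid", f"statement {i}")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{sid}: Effect must be Allow or Deny")
        if resource_based and "Principal" not in st:
            findings.append(f"{sid}: a resource-based policy needs a Principal")
        elif not resource_based and "Principal" in st:
            findings.append(f"{sid}: an identity-based policy must not name a Principal")
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action")) and "*" in _as_list(st.get("Resource")):
            findings.append(f"{sid}: allows every action on every resource")
    return findings
```

Both sample documents pass their own check, while attaching the bucket policy as an identity policy (or vice versa) is reported, as is an Allow of `*` on `*`.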
