IAM User, Group & Policy

2 min readAug 15, 2024

IAM User & Group

User represents the person or application within your organization that interacts with AWS console and services.
When you create an AWS account, you create an AWS account root user that we should not share with anyone.
We can create a user and add permission directly to the user.
Multiple users can be part of a group or more than one group.
A group is a collection of IAM users. Manage group membership as a simple list:
A user can belong to multiple groups but groups cannot belong to other groups.
Groups can be granted permissions using access control policies. This makes it easier to manage permissions for a collection of users, rather than having to manage permissions for each individual user.
IAM users can have any combination of credentials such as an AWS access key, X.509 certificate, SSH key, password for Console, and MFA login.
We can also enable and disable an IAM user’s access keys.
Users are global entities, No region is required to be specified when you create a user.

A policy is an object in AWS that defines the permission of the AWS User.
When you create an IAM user, they can’t access anything in your account until you give them permission.
Types of policy
Identity-based policies — AWS-managed policy and inline policies (customer-managed policy) that can be attached to the user, group, and role.
Resource-based policies — The most common examples of resource-based policies are Amazon S3 bucket policies and IAM role trust policies.
Organizations service control policy (SCPs) — Permissions applied for AWS Organizations or organizational unit (OU) or entities within the member accounts.
Access control lists (ACLs) — ACLs are similar to resource-based policies, although they are the only policy type that does not use the JSON policy document structure.

This is one of the examples of JSON policy.

Policy consists of

Statements consist of (maybe one or more statements)