Understanding AWS IAM User, Policy, Group, and Role

Posted: | Last updated: | 1 minute read

This blog helps you to understand AWS IAM Users, Groups, and Roles in simplest way.

What is AWS IAM?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources.

How IAM helps?

User’s Authentication (signed in) and authorization (has permissions) to use resources can be controlled through IAM.

When you first create an AWS account, you begin with a single sign-in identity that has complete access to all AWS services and resources in the account. This default user is called root user.

What is IAM User?

IAM User will helps you with the question “Who is that user?”. Instead of sharing your root user credentials with others, you can create individual IAM users within your account that correspond to users in your organization.


IAM users are not separate accounts; they are users within your account, with limited access to the account.

What is IAM Policy?

Policies either grant or deny the ability to call a specific method on a specific resource in the AWS API.

  • Applied to Roles, Groups or Objects (ie S3)
  • Uses JSON format
  • Describe the level of access applied to an AWS resource by an AWS resource or user

What is IAM Group?

An IAM group is a collection of IAM users. Groups let you specify permissions for multiple users, which can make it easier to manage the permissions for those users.

AWS IAM Groups and Users

What is IAM Roles?

An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS.

  • Used to delegate access to AWS Resources
  • Can be assigned to an AWS Resource (ie EC2 instance) or third party accounts (ie. another AWS account or SAML 2.0)
  • Up to 10 policies can be assigned to a role (this is new, it used to be 2)
  • An IAM role can be assigned to an AWS Directory Service user or group.

IAM Features

IAM is most popular feature provided by Amazon Web Service. Following are the features of AWS.

  • Shared access to your AWS account
  • Granular permissions
  • Secure access to AWS resources for applications that run on Amazon EC2
  • Multi-factor authentication (MFA)
  • Identity federation
  • Identity information for assurance
  • Payment Card Industry (PCI) Data Security Standard (DSS) Compliance
  • Integrated with many AWS services
  • Eventually Consistent