It is important for you to understand the differences between users, groups, and roles and their overall purposes within access control. This will help you architect and implement the most appropriate and effective access control for users and identities.
In AWS IAM, users represent individual identities, such as team members or applications, that interact with AWS resources. Each user is assigned a unique username and security credentials, which can include passwords or access keys. Users can be granted specific permissions to access and perform actions on AWS resources. For example, you can create a user named Emma and permit them to manage EC2 instances. Users are typically used to grant access to specific individuals or applications within your environment.
Roles, on the other hand, are used to grant temporary permissions to the entities that assume them, such as users or AWS services. Roles are not assigned to specific individuals but are assumed by trusted entities when needed. They enable secure delegation of access without the need to share long-term credentials. For example, you can create a Lambda Developer role and then define the permissions required to develop and deploy AWS Lambda functions. Users or services can then assume this role temporarily to gain the necessary permissions. Roles are beneficial in scenarios where users or services need to access AWS resources on an as-needed basis, because assuming a role does not require issuing them permanent access keys or passwords.
Groups are logical collections of users. Instead of assigning permissions to individual users, you can create groups and set permissions to those groups. This approach helps simplify permissions management, especially when multiple users require the same level of access to AWS resources. For example, you can create a DatabaseAdmins group that contains permissions to manage specific AWS services. You can then add multiple users to that group, and they will inherit the permissions assigned to it. By using groups, you can easily manage and update permissions for multiple users at once, ensuring consistent access.
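As an added example (not code from the original post), the following Python builds the trust policy for the Lambda Developer role described above, scoped to the user Emma and the Lambda service, and adds a check a defender would run over every role's trust policy: a trust policy that lets any principal assume the role defeats the delegation benefit roles are meant to provide. The account ID and the role and user names are constructed placeholders.

```python
import json

# Constructed placeholder account ID; replace with your own when adapting this.
ACCOUNT_ID = "123456789012"


def lambda_developer_trust_policy(account: str, user: str) -> dict:
    """Trust policy for the Lambda Developer role: who may call sts:AssumeRole.

    The trust is scoped to one named IAM user and the Lambda service principal,
    never to '*'. Permissions (what the role can do once assumed) live in a
    separate permissions policy and are not part of the trust policy.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account}:user/{user}"},
             "Action": "sts:AssumeRole"},
            {"Effect": "Allow",
             "Principal": {"Service": "lambda.amazonaws.com"},
             "Action": "sts:AssumeRole"},
        ],
    }


def trusted_principals(trust_policy: dict) -> set:
    """Collect every principal an Allow statement lets assume the role."""
    found = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":            # anonymous / any principal
            found.add("*")
            continue
        for kind, values in principal.items():   # kind: AWS, Service, Federated
            values = [values] if isinstance(values, str) else values
            found.update(f"{kind}:{v}" for v in values)
    return found


def overly_broad(trust_policy: dict) -> bool:
    """Defender check: flag trust policies that allow '*' or an 'AWS': '*' principal."""
    return any(p == "*" or p.endswith(":*") for p in trusted_principals(trust_policy))


if __name__ == "__main__":
    policy = lambda_developer_trust_policy(ACCOUNT_ID, "Emma")
    print(json.dumps(policy, indent=2))
    print("trusted:", sorted(trusted_principals(policy)), "broad:", overly_broad(policy))
```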