Designing a flexible authorization model that includes IAM users, groups,roles, and policies

Task Statement 1.1: Design secure access to AWS resources.

📘AWS Certified Solutions Architect – (SAA-C03)

AWS provides Identity and Access Management (IAM) to control who can access your AWS resources and what they can do. This is called an authorization model. To design it correctly, you need to understand users, groups, roles, and policies.

1. IAM Users

  • Definition: A user is an individual identity in your AWS account. Each user has a unique name and can be assigned credentials (like passwords or access keys) to log in and use AWS.
  • Example:
    • Alice is a developer. You create an IAM user called AliceDev. She can log in to AWS using her credentials.
  • Key Points:
    • Every IAM user belongs to one AWS account.
    • You can give users programmatic access (via API, CLI) or console access (AWS Management Console).
    • Users should never share credentials.

2. IAM Groups

  • Definition: A group is a collection of IAM users. Groups make it easy to assign permissions to multiple users at once.
  • Example:
    • You create a group called Developers. All developers (AliceDev, BobDev) are added to this group. Instead of giving permissions individually to each user, you attach a policy to the group.
  • Key Points:
    • Users can belong to multiple groups.
    • Groups cannot be nested (i.e., you cannot put a group inside another group).
    • Best practice: Assign permissions to groups, not individual users, to simplify management.

3. IAM Roles

  • Definition: A role is an identity that you can assume temporarily. Roles are not tied to a single user, and they are often used for temporary access or cross-account access.
  • Example:
    • An EC2 instance needs to read data from an S3 bucket. Instead of giving it a user’s credentials, you attach a role to the instance with S3 read permissions.
    • Users in another AWS account can also assume a role to perform specific tasks in your account.
  • Key Points:
    • Roles can be assumed by users, services, or applications.
    • Roles use temporary security credentials.
    • Common use cases:
      1. EC2 instances accessing S3 or DynamoDB.
      2. Lambda functions needing access to databases.
      3. Cross-account access for sharing resources safely.

4. IAM Policies

  • Definition: A policy is a document (written in JSON) that defines permissions: what actions are allowed or denied on which resources.
  • Example:
    • Policy: "Allow read access to all objects in S3 bucket 'project-data'".
    • You can attach this policy to a user, group, or role.
  • Types of Policies:
    1. Managed Policies
      • AWS Managed: Provided by AWS, maintained by AWS. Example: AmazonS3ReadOnlyAccess.
      • Customer Managed: Created and maintained by your organization.
    2. Inline Policies
      • Embedded directly into a single user, group, or role. Tightly coupled with that entity.
  • Key Points:
    • Policies use allow/deny statements.
    • By default, everything is denied. You must explicitly allow permissions.
    • Use the principle of least privilege: Give only the permissions needed to do a task.

5. How These Pieces Work Together

Here’s how IAM users, groups, roles, and policies combine to create a flexible authorization model:

IAM EntityPurposeWhere it is used
UserIndividual identityAssign login credentials, attach policies directly or via groups
GroupOrganize usersAttach policies to multiple users at once
RoleTemporary identityAssign permissions to AWS services, EC2 instances, Lambda, or cross-account users
PolicyDefine permissionsAttach to users, groups, or roles to control what actions/resources are allowed

Example Scenario in IT Environment:

  1. Developers need to deploy code to EC2 and access S3 buckets.
  2. Create Users for each developer.
  3. Add all developers to a Developers Group.
  4. Attach a policy to the group: AmazonS3FullAccess and EC2ReadOnlyAccess.
  5. For automated EC2 deployment, create a Role with S3ReadWriteAccess and attach it to the EC2 instance.

This ensures:

  • Human developers have correct permissions through groups.
  • EC2 has temporary access through roles.
  • No unnecessary permanent credentials are shared.

6. Exam Tips

  • Always think least privilege first: give only the permissions needed.
  • Roles ≠ Users: Roles are temporary, users are permanent.
  • Groups = easier management: Avoid attaching policies directly to many users.
  • Know policy types: Managed vs Inline.
  • Understand assume role scenarios: cross-account access, services like EC2/Lambda.
  • Be prepared for questions like:
    • “Which IAM entity is best for temporary permissions?” → Role
    • “How do you give the same permissions to multiple users?” → Group + Policy
    • “What is the default behavior of IAM?” → Deny everything unless explicitly allowed

Summary

  • Users = individual identities
  • Groups = organize users and manage permissions collectively
  • Roles = temporary identities, often used by AWS services
  • Policies = define allowed or denied actions on AWS resources
  • Combine these to build flexible, secure access using least privilege
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by