AWS IAM: Users, Groups and Policies

IAM: Users and Groups

IAM stands for Identity and Access Management. It is a global service (not region specific). You create users in IAM, and one user represents one person within your organization. Users can be grouped together if it makes sense. Let's take an example: we have an organization with 10 people, with users A1, A2, A3, A4, A5, A6 and A7. A1, A2 and A3 work together; they are all developers, so they form a group named Developers. A4, A5 and A6 work together, and we create a group named Support for them.

One important thing to understand: groups can only contain users, not other groups. A user does not have to belong to a group; for example, A7 does not belong to any group. That is not best practice, but it is something you can do in AWS. A user can also belong to multiple groups at the same time; for example, A3 and A4 can both belong to another group named Team Leads.

IAM: Permissions

Users or groups can be assigned JSON documents called policies. A policy describes what a user is allowed to do, or what a group and all the users within that group are allowed to do. An example JSON policy is given below.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "FirstStatement",
        "Effect": "Allow",
        "Action": ["iam:ChangePassword"],
        "Resource": "*"
      },
      {
        "Sid": "SecondStatement",
        "Effect": "Allow",
        "Action": "s3:ListAllMyBuckets",
        "Resource": "*"
      },
      {
        "Sid": "ThirdStatement",
        "Effect": "Allow",
        "Action": [
        ],
        "Resource": [
        ]
      }
    ]
  }

With this document we allow users to use some services in AWS. Policies define the permissions of the users.

IAM: Policies inheritance

Earlier we created 3 groups: Developers, Support and Team Leads. If we attach a policy to one of these groups, all the members of that group inherit the policy and get the access it grants. Member A7 is not part of any group, so for A7 we can create an inline policy and attach it to that user only.

IAM: Policy structure

The information in a statement is contained within a series of elements.

  {
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::test_bucket"
    }
  }

  • Version – Specify the version of the policy language that you want to use. AWS recommends using the latest version, 2012-10-17.
  • Statement – Use this main policy element as a container for the following elements. You can include more than one statement in a policy.
  • Sid (Optional) – Include an optional statement ID to differentiate between your statements.
  • Effect – Use Allow or Deny to indicate whether the policy allows or denies access.
  • Principal (Required in only some circumstances) – If you create a resource-based policy, you must indicate the account, user, role, or federated user to which you would like to allow or deny access. If you are creating an IAM permissions policy to attach to a user or role, you cannot include this element. The principal is implied as that user or role.
  • Action – Include a list of actions that the policy allows or denies.
  • Resource (Required in only some circumstances) – If you create an IAM permissions policy, you must specify a list of resources to which the actions apply. If you create a resource-based policy, this element is optional. If you do not include this element, then the resource to which the action applies is the resource to which the policy is attached.
  • Condition (Optional) – Specify the circumstances under which the policy grants permission.
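
The element rules listed above can be checked mechanically before a policy is attached. The following is an added example, not code from the original post or from AWS: `lint_identity_policy` is a hypothetical helper that checks only the elements described on this page for an identity-based policy, and the two sample documents are constructed.

```python
import json

# Checks restate the element list above for an identity-based
# (user/group/role) permissions policy. lint_identity_policy is a
# hypothetical helper name, not an AWS API, and it only knows the
# elements described on this page.
CURRENT_VERSION = "2012-10-17"


def as_list(value):
    """Statement, Action and Resource may each be one item or a list."""
    return value if isinstance(value, list) else [value]


def lint_identity_policy(document):
    """Return a list of findings for a JSON policy document (str)."""
    policy = json.loads(document)
    findings = []
    if policy.get("Version") != CURRENT_VERSION:
        findings.append("Version: expected " + CURRENT_VERSION)
    if "Statement" not in policy:
        return findings + ["Statement: missing"]
    for i, stmt in enumerate(as_list(policy["Statement"])):
        label = stmt.get("Sid", "statement %d" % i)
        if stmt.get("Effect") not in ("Allow", "Deny"):
            findings.append(label + ": Effect must be Allow or Deny")
        if "Principal" in stmt:
            # The principal is implied by the user or group the policy
            # is attached to, so it must not be spelled out here.
            findings.append(label + ": Principal is not allowed "
                            "in an identity-based policy")
        for element in ("Action", "Resource"):
            if not as_list(stmt.get(element, [])):
                findings.append(label + ": " + element + " is missing or empty")
    return findings


# Constructed sample input: the single-statement policy from this page,
# and a deliberately broken variant.
GOOD = """{"Version": "2012-10-17",
  "Statement": {"Effect": "Allow", "Action": "s3:ListBucket",
                "Resource": "arn:aws:s3:::test_bucket"}}"""
BAD = """{"Version": "2008-10-17",
  "Statement": [{"Sid": "S1", "Effect": "allow",
                 "Principal": "*", "Action": []}]}"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_identity_policy(doc) or "no findings")
```

The broken variant produces one finding per rule it violates: the old version string, the lowercase `allow`, the explicit `Principal`, the empty `Action` list and the missing `Resource`.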

IAM: Password policy

A password policy is used to protect AWS accounts. Using a password policy we can define the conditions for passwords. For example, we can define the following options.

  • Set a minimum password length.
  • Require specific character types: number, lower case letters, upper case letters etc…
  • Allow all IAM users to change their password.
  • Require users to change their password after some time.
  • Prevent password re-use.

Besides passwords, another mechanism used to protect an AWS account is MFA – Multi-Factor Authentication.

MFA – Multi-Factor Authentication

MFA uses the combination of a password that you know and a security device that you own. Together, these two things provide much greater security than a password alone. An MFA device can be physical or virtual. Google Authenticator is an example of a virtual MFA device, and a Universal 2nd Factor (U2F) security key is a physical device.
