Open in app

Sign in

Write

Sign in

Love Reddy Isireddy
3 min readSep 9, 2024

AWS IAM Criss Cross Relationships 🔀➰

1. User and Group Relationships

  • A user can belong to multiple groups:

This allows flexibility in assigning multiple sets of permissions through different groups.

  • A user doesn’t have to belong to a group:

You can assign individual policies directly to a user without using groups.

  • Groups can contain multiple users:

This is helpful for managing permissions at a group level instead of assigning policies individually to users.

  • A group cannot contain another group:

Groups are flat structures. There’s no nesting or hierarchy between groups.

2. User and Role Relationships

  • A user cannot be assigned to a role directly:

Users can assume roles temporarily but cannot be “attached” to a role like they are to groups.

  • A user can assume multiple roles:

A user can temporarily take on the permissions of multiple roles as needed (e.g., cross-account access).

  • A role can be assumed by multiple users:

Multiple users can assume the same role, giving them temporary access to the same permissions.

  • A user can have both inline and managed policies:

You can assign inline policies (specific to the user) or managed policies (reusable) directly to users.

3. Group and Role Relationships

  • A group cannot assume a role:

Only users or services can assume roles, not groups. Roles are more commonly used for temporary access across accounts or services.

  • A group cannot have inline or managed policies attached directly:

Groups themselves don’t assume roles or have direct roles. Instead, policies are attached to the group, and members inherit those permissions.

4. Role and Role Relationships

  • A role can assume another role:

You can set up role-chaining, where a role assumes another role, though this should be done carefully to avoid security complications.

  • Roles can have inline and managed policies:

Roles can be granted permissions via both inline and managed policies, much like users.

5. Policy Relationships (Between Users, Roles, Groups)

  • A policy can be attached to a user, group, or role:

Policies define permissions and can be associated with any of these entities. The policy defines what the entity is allowed or not allowed to do.

  • Inline policies are entity-specific:

They are tied to a specific user, role, or group, and cannot be reused.

  • Managed policies can be reused:

Managed policies can be attached to multiple users, groups, or roles, providing a reusable permission set.

6. Trust Relationship in Roles

  • Roles have trust policies:

Trust policies define who can assume the role (e.g., specific users, services, or accounts). This is how cross-account or cross-service access is granted.

  • Users need permission to assume roles:

Users must have explicit permission (usually via the sts:AssumeRole action) to assume a role.

7. Temporary vs. Permanent Permissions

  • Roles provide temporary credentials:

When a user assumes a role, they receive temporary security credentials with limited validity.

  • Users and groups provide permanent credentials:

Permissions associated with users or groups are permanent, unless explicitly revoked or changed.

8. Service Roles and Users

  • Service roles are assumed by AWS services:

These roles grant AWS services (e.g., Lambda, EC2) permissions to interact with other services on your behalf.

  • Users do not directly interact with service roles:

These are handled automatically by AWS services, but users may configure or define these roles.

Love

Aws Iam
Love Reddy Isireddy

Written by Love Reddy Isireddy

8 Followers

Cloud & DevOps Core Engineering

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams