AWS Identity and Access Management (IAM) provides fine-grained permissions to AWS services and resources.

In this article, we will take a closer look at the following IAM concepts:

  • Roles
  • Policies

What is IAM?

AWS Identity and Access Management (IAM) is a service provided by AWS that lets you control access to your AWS resources. IAM enables you to control who can access your resources (authentication) and in which ways (authorization).

Authentication in IAM

Authentication or identity management in AWS IAM consists of the following identities:

  • Users: An IAM user interacts with your AWS resources from the AWS console and the AWS CLI. By default, a new IAM user has no access to any AWS resource.
  • Groups: An IAM group is a collection of IAM users; permissions assigned to the group apply to every user in it.
  • Roles: An IAM role is an identity with a specific set of permissions that is assumed rather than logged into.

Authorization in IAM

IAM policies handle authorization (access management) in IAM by granting specific permissions to IAM identities.

What is an IAM Role?

An IAM role is an IAM identity that you can create in your AWS account and assign specific permissions.

An IAM role is similar to an IAM user because it is an IAM identity that has specific permissions associated with it. These permissions determine what the identity can and cannot do.

However, one significant difference between an IAM role and an IAM user is that a role is not tied to one person: it is meant to be assumed by whichever identity needs it. A role does not have standard long-term credentials (like passwords) associated with it. Instead, AWS generates temporary security credentials each time an IAM role is assumed.

What is an IAM Policy?

An IAM policy is a document with a set of rules. Each IAM policy grants a specific set of permissions.

Policies are attached to IAM identities like Users, Groups, and Roles. Each IAM policy has a unique name.

There are two types of policies in your AWS account:

  • Managed policies: These policies are reusable and can be attached to multiple entities. AWS provides many managed policies out of the box, and customers can also create their own managed policies.

  • Inline policies: These policies are embedded directly in a single IAM entity. They are not reusable and cannot be attached to multiple entities.

IAM Roles vs. Policies

IAM roles manage who has access to your AWS resources, whereas IAM policies define what that access permits.

A role with no policy attached to it has no access to any AWS resources.

A Policy that is not attached to an IAM role is effectively unused. Permissions listed in an IAM policy are only enforced when that policy is attached to an IAM identity.

Therefore, you should use IAM roles and policies together to manage the security of your AWS resources.
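The two points above (a role is only useful once it has a policy, and a role is assumed rather than logged into) can be shown with a small model of how IAM evaluates identity-based policies. The code below is an added example written for this article, not AWS code and not a complete IAM implementation: it models the documented decision order (an explicit Deny always wins, otherwise an explicit Allow grants access, otherwise the request is implicitly denied) and a trust policy check for `sts:AssumeRole`. Conditions, `NotAction`/`NotResource` and resource-based policies are left out. The account ID, user names, bucket name and policy documents are constructed placeholders.

```python
import fnmatch

# Constructed sample documents (placeholders, not from the article).
# A role has a trust policy (who may assume it) and any number of attached
# permissions policies (managed or inline).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
        "Action": "sts:AssumeRole",
    }],
}

# A customer-managed policy: read-only access to a single bucket.
READ_ONLY_S3 = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# An inline guard-rail policy: explicit Deny on every S3 delete action.
DENY_S3_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and Principal."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM wildcards are '*' and '?', which fnmatch handles the same way."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Simplified evaluation order: explicit Deny > explicit Allow > implicit Deny.
    Managed and inline policies are evaluated identically; only reusability differs."""
    decision = "implicit-deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit-deny"   # any matching Deny ends evaluation
            decision = "allow"           # keep looking in case a Deny follows
    return decision


def can_assume(trust_policy, principal_arn):
    """Only principals named in the trust policy may call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt["Effect"] == "Allow"
                and principal_arn in principals
                and _matches(stmt["Action"], "sts:AssumeRole")):
            return True
    return False


class Role:
    """A role: its trust policy plus the policies currently attached to it."""

    def __init__(self, name, trust_policy, policies=()):
        self.name = name
        self.trust_policy = trust_policy
        self.policies = list(policies)

    def attach(self, policy):
        self.policies.append(policy)

    def allowed(self, action, resource):
        return evaluate(self.policies, action, resource) == "allow"


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/report.csv"
    role = Role("ReportReader", TRUST_POLICY)
    print("no policy attached   ->", role.allowed("s3:GetObject", obj))     # False
    role.attach(READ_ONLY_S3)
    print("read-only attached   ->", role.allowed("s3:GetObject", obj))     # True
    print("delete not granted   ->", role.allowed("s3:DeleteObject", obj))  # False
    role.attach({"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})
    role.attach(DENY_S3_DELETE)
    print("delete with guard    ->", evaluate(role.policies, "s3:DeleteObject", obj))
    print("alice may assume     ->", can_assume(TRUST_POLICY, "arn:aws:iam::111122223333:user/alice"))
    print("bob may assume       ->", can_assume(TRUST_POLICY, "arn:aws:iam::111122223333:user/bob"))
```

The freshly created role returns an implicit deny for everything until a policy is attached, which is the "role with no policy has no access" case. The last two checks show the other half of the role concept: who gets the temporary credentials is decided by the trust policy, independently of what the attached permissions policies allow, and an explicit Deny in a small inline guard-rail overrides an otherwise broad managed Allow regardless of attachment order.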