AWS Identity and Access Management (IAM) helps you control access to your AWS resources.

When you first create an AWS Account, you have complete access to all AWS services and resources in that account. This identity is the root user for the account. An IAM identity provides access to an AWS account.

This article will dive deeper into the three IAM Identities (Users, Groups, and Roles) and understand their differences.

Table of contents

What is an IAM User?

An IAM user is an entity that represents a person or application that interacts with AWS services.

IAM users can log in to the AWS Management Console for interactive tasks, as well as the ability to make programmatic requests using the API & CLI. IAM Users can be assigned permissions directly or be part of a group with specific permissions.

An IAM user has a name and password that they use to log in to the AWS management console. Users can also create up to two access keys that they can use to for programmatic access to AWS.

What are IAM Groups?

An IAM group is a collection of users that share access control policies. The group members have permission to perform specified actions on objects within the group’s scope. For example, if you grant read-only access to all of your EC2 instances, then any group member will be able to view information about those instances.

What is an AWS IAM Role?

IAM roles are identities you can create with specific permissions for short durations. You can assign IAM roles to entities you trust so that those entities can assume the role when needed. IAM Roles are primarily meant for internal use.

An IAM role has no associated credentials (password or access keys). The lack of credentials is one of the main differences between a User and a Role. A role can be temporarily assumed by a user, service, or application that has been granted permission to assume the role.

When to use each Identity:

IAM User

IAM Users are for external access and are meant for people. You should create an IAM User for the following situations:

  • Creating your first IAM User: You should not use the root account. You should create a new IAM user with the required permissions to access the AWS Management console.
  • IAM users can be assigned broad permissions to access multiple AWS services.

However, IAM users should not be used for internal access. For example, an IAM user should not be used to make requests to AWS from an application running on EC2.

IAM Groups

You should use IAM Groups when you want to assign permissions to multiple IAM users. For example, you can create a group called developers and add all developers to that group. You can then assign permissions to the developers group. You can add additional permissions to the group later by modifying the group’s policy.

IAM Roles

IAM Roles are meant for internal access where you want to grant permissions to an entity that you trust. IAM Roles use temporary security credentials for accessing AWS services. For example, you can create an IAM Role that allows an EC2 instance to access an S3 bucket. You can then assign the IAM Role to the EC2 instance.

You should create an IAM Role when you are creating an application that runs in AWS and needs to make requests to other AWS Services.


In this article, we looked at the differences between IAM Users, Groups, and Roles. We also looked at when to use each identity.