Start tracking your progress
Trailhead Home
Trailhead Home

Manage IAM Users and Groups

Learning Objectives

After completing this unit, you will be able to:

  • Explain the function of IAM users.
  • Explain the uses and benefits of IAM groups.

Now that you know to use IAM instead of sharing root user credentials, you’re still left with the following problems.

  • You want to create an identity you can use instead of the root user.
  • You want to give other users access to your account to work on your cat photo application.

First, let’s take a look at the terminology of IAM users and groups.

What Is an IAM User?

An IAM user represents a person or service that interacts with AWS. You define the user within your AWS account. And any activity done by that user is billed to your account. Once you create a user, that user can sign in to gain access to the AWS resources inside your account. 

You can also add more users to your account as needed. For example, for your cat photo application, you could create individual users in your AWS account that correspond to the people who are working on your application. Each person should have their own login credentials. Providing users with their own login credentials prevents sharing of credentials.

IAM User Credentials

An IAM user consists of a name and a set of credentials. When creating a user, you can choose to provide the user:

  • Access to the AWS Management Console
  • Programmatic access to the AWS Command Line Interface (AWS CLI) and AWS Application Programming Interface (AWS API)

To access the AWS Management Console, provide the users with a user name and password. For programmatic access, AWS generates a set of access keys that can be used with the AWS CLI and AWS API. IAM user credentials are considered permanent, in that they stay with the user until there’s a forced rotation by admins.

A screenshot of the IAM user creation process in AWS, showing a field for user name and checkboxes for access type

When you create an IAM user, you have the option to grant permissions directly at the user level. 

three IAM users with permissions directly attached to them

This can seem like a good idea if you have only one or a few users. However, as the number of users helping you build your cat photo application increases, it becomes more complicated to keep up with permissions. For example, if you have 3,000 users in your AWS account, administering access becomes challenging, and it’s impossible to get a top-level view of who can perform what actions on which resources.

If only there were a way to group IAM users and attach permissions at the group level instead. Guess what: There is!

What Is an IAM Group?

An IAM group is a collection of users. All users in the group inherit the permissions assigned to the group. This makes it easy to give permissions to multiple users at once. It’s a more convenient and scalable way of managing permissions for users in your AWS account. This is why using IAM groups is a best practice. 

If you have a cat photo application that you’re trying to build and have multiple users in one account working on the application, you might decide to organize these users by job function. You might want IAM groups organized by developers, security, and admins. You would then place all of your IAM users in the respective group for their job function.

This provides a better view to see who has what permissions within your organization and an easier way to scale as new people join, leave, and change roles in your organization.

Three IAM groups: developers, security, and admins; each group consisting of one IAM user with different permissions attached to each group

 Consider the following examples.

  • A new developer joins your AWS account to help with your application. You simply create a new user and add them to the developer group, without having to think about which permissions they need.
  • A developer changes jobs and becomes a security engineer. Instead of editing the user’s permissions directly, you can instead remove them from the old group and add them to the new group that already has the correct level of access.

Keep in mind the following features of groups.

  • Groups can have many users.
  • Users can belong to many groups.
  • Groups cannot belong to groups.

Wrap Up

Now that you understand the ins and outs of IAM users and groups, you can solve the problems from the beginning of the unit.

  • Instead of the AWS root user, use an IAM user inside an IAM group with admin permissions (meaning they have permission to do everything in your account).
  • When you want to add additional users into your account to work on your cat photo application, you can create new users and add them into the group that corresponds with their job function.

In the next unit, you learn another method of authentication with IAM roles.

Resources