Please enable JavaScript.

Coggle requires JavaScript to display documents.

AWS IAM - Coggle Diagram

- - - - IAM user
      - IAM role
      - IAM group
      - Federated user (SSO, Cognito, etc.)
- - - - IAM users
      - IAM roles
    - - Makes sense because a group and federated user does not have AWS credentials
- - - - Examples:
        
        A human user logging in via the console → principal = that user.
        
        An EC2 instance with an attached role making an S3 request → principal = the role.
        
        A Lambda function assuming another role → principal = the Lambda’s execution role.
- - - - Identity-based policies: attached to users, groups, or roles.
        
        Managed Policies: Policies that you can attach to multiple users, groups, and roles
        
        AWS managed policies: predefined by AWS and ready to select
        
        Customer managed policies: the ones you create
        
        Inline policies: Policies that you add directly to a SINGLE user, group, or role. They maintain a strict one-to-one relationship between the policy and the identity-
        
        Inline policies are embedded directly inside a single user, group, or role and cannot be reused
      - Resource-based policies: attached directly to resources (e.g., S3 bucket policy, Lambda permission).
- - - - A user or service can wear the hat (assume the role).
      - While wearing it, they inherit its permissions.
      - When they take it off (session ends), the permissions go away.