Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.4.1.1. IAM Entities for Human & Machine Access (Users, Groups, Roles, Identity Providers, Policies)
[Diagram: IAM policy evaluation flowchart]
IAM policy evaluation follows this flowchart for every API call. Understanding this order is the most important IAM concept for the exam.
IAM entities:
- Users: Individual identities with long-term credentials. Keep them to a minimum; prefer roles.
- Groups: Collections of users sharing policies. Can't nest groups.
- Roles: Temporary credentials for services, apps, or federated users. The most important entity for DevOps.
- Identity Providers: Federation via SAML 2.0 (e.g. Active Directory) or OIDC (e.g. Cognito, Okta).
Policy types and evaluation order:
- SCPs (Organizations): Maximum permissions ceiling for the account
- Resource-based policies: Attached to resources (S3 bucket, KMS key)
- Identity-based policies: Attached to users, groups, or roles
- Permissions boundaries: Maximum ceiling for a specific entity
- Session policies: Limit permissions when assuming a role
Exam Trap: An explicit Deny in any policy always wins. If an SCP allows s3:* but an identity policy denies s3:DeleteBucket, the delete is denied. The exception: resource-based policies can grant cross-account access even without an identity policy Allow (but SCPs still apply).
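To make the evaluation order concrete, the following Python model walks a request through the rules listed above: explicit Deny first, then the ceilings (SCPs, permissions boundary, session policy), then whether an identity-based or resource-based policy actually grants the action. It is an added example written for this page, not AWS's evaluation engine or MindMesh Academy's code; it handles only same-account requests, matches Action and Resource with case-sensitive glob patterns, ignores Condition elements, and the policy documents and bucket ARN are constructed sample data.

```python
"""Simplified model of the IAM policy evaluation order described above.

Constructed teaching example, not AWS's evaluation engine. For a single-account
request it applies the rules stated in the text: an explicit Deny in any
applicable policy wins; SCPs, permissions boundaries and session policies are
ceilings that can only narrow what is granted; an Allow from the identity-based
or the resource-based policy is a grant (ceilings still apply).
Simplifications: case-sensitive glob matching, Condition elements ignored.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM allows a string or a list in the Action and Resource elements."""
    return [value] if isinstance(value, str) else list(value)


def evaluate_document(policy, action, resource):
    """Return 'Deny', 'Allow' or None (no matching statement) for one policy."""
    verdict = None
    for stmt in policy.get("Statement", []):
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # a matching Deny statement is final for this document
        verdict = "Allow"
    return verdict


def evaluate(action, resource, *, identity_policy, scps=(), boundary=None,
             session_policy=None, resource_policy=None):
    """Decide one same-account request; returns (decision, reason).

    scps: one document per level of the Organizations hierarchy; every level
          must allow. An empty tuple means no SCP applies to the account.
    """
    ceilings = [("SCP", doc) for doc in scps]
    if boundary:
        ceilings.append(("permissions boundary", boundary))
    if session_policy:
        ceilings.append(("session policy", session_policy))
    grants = [("identity-based policy", identity_policy)]
    if resource_policy:
        grants.append(("resource-based policy", resource_policy))

    # Step 1: an explicit Deny in any applicable policy type wins outright.
    for name, doc in ceilings + grants:
        if evaluate_document(doc, action, resource) == "Deny":
            return "Deny", f"explicit Deny in {name}"

    # Step 2: every ceiling that is present must allow the action; otherwise
    # the request is implicitly denied even if a grant exists.
    for name, doc in ceilings:
        if evaluate_document(doc, action, resource) != "Allow":
            return "Deny", f"not allowed by {name} (implicit deny)"

    # Step 3: something must actually grant the action.
    for name, doc in grants:
        if evaluate_document(doc, action, resource) == "Allow":
            return "Allow", f"granted by {name}"
    return "Deny", "no matching Allow (implicit deny)"


# Constructed sample policies mirroring the Exam Trap scenario (not real accounts).
SCP_ALLOW_S3 = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
IDENTITY_S3_NO_DELETE = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
IDENTITY_EMPTY = {"Statement": []}
BUCKET_POLICY_READ = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
BOUNDARY_READ_ONLY = {"Statement": [{"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

if __name__ == "__main__":
    bucket = "arn:aws:s3:::example-bucket"
    # SCP allows s3:*, identity policy denies s3:DeleteBucket -> explicit Deny wins.
    print(evaluate("s3:DeleteBucket", bucket, identity_policy=IDENTITY_S3_NO_DELETE, scps=[SCP_ALLOW_S3]))
    # No identity Allow at all, but the bucket policy grants the read -> Allow.
    print(evaluate("s3:GetObject", bucket + "/report.csv", identity_policy=IDENTITY_EMPTY,
                   scps=[SCP_ALLOW_S3], resource_policy=BUCKET_POLICY_READ))
    # Identity policy allows everything, but the SCP ceiling only covers S3 -> implicit deny.
    print(evaluate("ec2:RunInstances", "*", identity_policy={"Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}, scps=[SCP_ALLOW_S3]))
```

The returned reason string tells you which stage stopped the request, which is the distinction the exam probes: an explicit Deny is reported as such, while a missing Allow in an SCP or permissions boundary is an implicit deny even when the identity policy is wide open.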

Written by Alvin Varughese, Founder, 15 professional certifications.