The concepts detailed in this note are essential to understanding how AWS IAM works and should not be studied outside of the parent context.
User
A user is an entity that uniquely represents a person or a service in AWS.
Newly created users don’t have permission to perform any actions by default. Permissions must be granted explicitly by attaching policies to the user or adding the user to a group to which suitable access policies are already attached.
Group
Access policies can be attached to groups to simplify permission management for individual users. You can attach multiple policies to a single group. A user can be added to multiple groups.
Groups can not be nested.
Groups cannot be used as ‘Principal’ in resource policies. It is a way to attach policies to multiple users at one time.
Role
Roles are defined to specify permissions for an entity that may or may not have a permanent identity in AWS, for example, federated users, applications, services, third parties and users who have identity defined outside of AWS.
Permissions that are granted by assuming roles are short-lived. This is ideal if you want to avoid sharing long-term security credentials or embedding API keys in applications or storing them in your EC2 instances.
When you create a role, you need to specify two policies: Trust Policy and Permission Policy. Trust policy specifies who (which principal) can assume the role. The access policy determines what resources the principal has access to and what actions the principal can perform on the resources.
Role assuming lets you delegate temporary permissions to users, groups, applications and AWS services to perform various tasks with AWS services on your behalf.