Certified Security - Specialty


Roles vs Groups

Can roles be assigned to ‘users’ (individuals) or is assigning user to groups and AWS resources to roles more appropriate?

1 Answer

Hello Manny,

That is a good question.

As you already pointed out, roles can be used by IAM users or by (customer) applications / (AWS) services [1][2].
However, I would like to point out that you actually do not "assign" a role to an identity.
Instead, you give the user or service/application the permission to -assume- a role.

That is a key difference, since it affects the following two characteristics.

1. Credential lifetime

Users "can switch roles easily using the IAM console to use permissions that you don’t ordinarily want them to have, and then exit the role to surrender those permissions. This can help prevent accidental access to or modification of sensitive resources." [1]

That is: If you grant a user permissions via a role, the user is forced to assume the role first. Assuming a role means requesting temporary credentials. As AWS states in the docs:

"Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session." [3]

2. Role Chaining / Delegation / Federation [3]

As long as you are referring to IAM users in the same account, you can use both to grant permissions to the user's identity: IAM policies attached to groups (of which the user is a member) and IAM policies attached to roles (+ the user's permission to assume the role).
However, if you want to grant access to an IAM user in another account, you must use a role. Adding a user from one account to a group in another account is not possible (as far as I know).


So, the answer to your question is: it depends.
If you want to do cross-account/federation stuff, you (often) must go for a role.

If you are assigning permissions to users in your account only, you have to decide whether the overhead created by using a role is worth it. Generally, it is considered best practice to narrow down the credential lifetime for processes which are critical. For simple/non-critical tasks it might be beneficial to reduce the number of times a user must switch roles, because it can be annoying. Every time the user assumes another role, he/she must drop all their current permissions, which might result in frequent switching back and forth between roles. That is also why AWS recommends using resource-based policies over roles when possible [4].

I hope what I wrote makes sense. If I understood something wrong, please correct me. That would help my understanding, because I am currently preparing for the exam, as many of you are as well, I guess. =)
If some differences between the approaches are missing, please feel free to add them in the comments.


[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_common-scenarios.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_compare-resource-policies.html
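The two-sided nature of "permission to assume a role" described in the answer, as an added illustration that is not part of the original post or of any AWS documentation: a role in account B carries a trust policy naming who may assume it, while the user or group in account A needs an identity policy allowing sts:AssumeRole on that role; a tiny evaluator shows that both halves must agree. Account IDs, the role name and the user names are placeholders, and the evaluator is a deliberate simplification (no Deny, conditions or wildcards).

```python
# Constructed example (placeholder account IDs and names), not from the post.
ACCOUNT_A = "111111111111"   # account where the IAM user/group lives
ACCOUNT_B = "222222222222"   # account that owns the role
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/ReadOnlyAuditor"

# Trust policy attached to the role in account B: who is allowed to assume it.
# Trusting the account root means account A still has to grant the permission
# to its own users via an identity policy (see GROUP_POLICY below).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Identity policy attached to a group in account A: members may assume the role.
GROUP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": ROLE_ARN,
    }],
}


def _allows(policy, action, statement_matches):
    """True if any Allow statement grants `action` and satisfies
    `statement_matches`. Simplified: no Deny, conditions or wildcards."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt["Effect"] == "Allow" and action in actions and statement_matches(stmt):
            return True
    return False


def can_assume(user_arn, identity_policy, trust_policy, role_arn):
    """Both halves are required: the caller's identity policy must allow
    sts:AssumeRole on the role, AND the role's trust policy must trust the
    caller's account. Nothing is ever 'assigned'; only the right to assume."""
    user_account = user_arn.split(":")[4]
    identity_ok = _allows(identity_policy, "sts:AssumeRole",
                          lambda s: s["Resource"] == role_arn)
    trust_ok = _allows(trust_policy, "sts:AssumeRole",
                       lambda s: s["Principal"]["AWS"].split(":")[4] == user_account)
    return identity_ok and trust_ok
```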

Manny Landron

Hi Martin. Thanks for the very insightful answer. I truly appreciate it. Regards.
