# AWS Accounts, Users, Groups, Roles, Policies

Below is a graphical representation of the key components of Identity and Access Management (IAM) in AWS:

![](/files/-MPe6oFA-3xnA55DNOdU)

* An Organization's root / management account can have multiple member accounts under it
* An account can have Users, Groups, Roles and Policies
* Users can be members of Groups and Groups can contain Users
* A Role is a secure way to grant temporary permissions to trusted entities:
  * Another AWS account (yours or 3rd party's)
  * AWS service
  * Web Identity
  * SAML Federation
  * All of the above mentioned trusted entities can assume a Role, provided they are permitted to call `sts:AssumeRole`
* Policies signify what can/can't be done with resources (e.g. EC2 `instance`, `image`, `network interface`, `security group`, etc.). Policies are defined as JSON documents
* The level of access that a User, Group or Role (identities) has on certain resources is defined by the Policies attached to those identities
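To make the last three points concrete, here is an added example (not from the original page) that evaluates a constructed identity policy the way IAM does in the simple case, with an explicit `Deny` overriding any `Allow` and everything else implicitly denied, and then checks both halves of a role assumption: the caller's own policy must allow `sts:AssumeRole` on the role ARN, and the role's trust policy must list the caller as a principal. The account ID, user, role and instance ID are made up, and `Condition`, `NotAction` and `NotResource` are not handled.

```python
import fnmatch
import json

# Constructed sample (not from the page): a user's identity policy in account
# 111111111111 and the trust policy of a role in that account that the user may assume.
IDENTITY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": "arn:aws:iam::111111111111:role/ReadOnlyAudit"},
    {"Effect": "Deny", "Action": "ec2:DescribeInstances",
     "Resource": "arn:aws:ec2:us-east-1:111111111111:instance/i-0deadbeef"}
  ]
}""")
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Principal": {"AWS": "arn:aws:iam::111111111111:user/auditor"}}]
}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource):
    """Decide one request: 'Allow', 'Deny' (explicit) or 'ImplicitDeny'. Simplified IAM logic
    (assumes no Condition/NotAction/NotResource): an explicit Deny anywhere wins."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        # Actions match case-insensitively, resources case-sensitively; * and ? are wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny short-circuits the whole evaluation
        decision = "Allow"
    return decision

def can_assume(identity_policy, trust_policy, caller_arn, role_arn):
    """Assuming a role needs both sides: the caller's policy must allow sts:AssumeRole on the
    role ARN, and the role's trust policy must name the caller as an AWS principal."""
    caller_ok = evaluate(identity_policy, "sts:AssumeRole", role_arn) == "Allow"
    trusted = any(stmt["Effect"] == "Allow"
                  and "sts:AssumeRole" in _as_list(stmt["Action"])
                  and caller_arn in _as_list(stmt.get("Principal", {}).get("AWS", []))
                  for stmt in trust_policy["Statement"])
    return caller_ok and trusted
```

When reviewing real policies, the same two-sided check is what to look for: a permissive trust policy on a role is only exploitable by principals that are also allowed to call `sts:AssumeRole` on it, and vice versa.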
