Difference between AWS IAM "Identity" and "Entity"

I am reading through the AWS documentation Understanding how IAM works and I'm confused about the definitions for identities and entities.

Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

Entities
The IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.

What's the difference between the two? They are both IAM resource objects. They both include users and roles (although only identities have groups). You can only attach a policy to an identity but not an entity, but you ultimately authenticate an entity but not an identity. Is the naming difference just a question of grammar, or is there something fundamentally different between the two?

Narin Luangrath asked Dec 30 '20 04:12



1 Answer

My understanding was helped by this diagram from the Wikipedia page on IAM.

Entities represent the actors on the system, and they may each have multiple identities.

Unfortunately this doesn't translate well to IAM resources, and the IAM User Guide itself is pretty loose when referring to entities, identities, and principals (it often seems to use them interchangeably). As you've already noticed, identities are special since they can have policies attached to them directly. While some entities can have policies attached to them (since they also happen to be identities), that's more of an implementation detail, rather than a feature.

rowanu answered Sep 17 '22 14:09
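One place the distinction becomes concrete is the principal ARN that STS (`aws sts get-caller-identity`) or a CloudTrail `userIdentity` record reports: that ARN names the authenticated entity, while the policies that granted the access are attached to an IAM identity. The Python below is an example added here, not code from the question, the answer or AWS; it parses such ARNs and maps each entity back to the identity that carries the attached policies, which is the lookup a reviewer does when tracing an API call back to the permissions that allowed it. All ARNs are constructed samples. The mapping from an assumed-role session to `role/<name>` assumes a role at the default path `/`, because the session ARN does not carry the role's path.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Principal:
    entity_kind: str             # what authenticated: user, assumed-role, federated-user, root
    entity_arn: str              # the ARN exactly as STS / CloudTrail reports it
    identity_arn: Optional[str]  # IAM identity whose attached policies apply (None if there is none)
    session_name: Optional[str] = None

# Shape of IAM and STS principal ARNs: arn:<partition>:<iam|sts>::<12-digit account>:<resource>
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$"
)

def classify_principal(arn: str) -> Principal:
    """Split an authenticated-entity ARN into the entity and the identity behind it."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM/STS principal ARN: {arn}")
    partition, service, account, resource = m.group("partition", "service", "account", "resource")
    iam_prefix = f"arn:{partition}:iam::{account}:"

    if service == "iam":
        if resource == "root":
            # The account root user authenticates but has no IAM policies attached to it.
            return Principal("root", arn, None)
        if resource.startswith("user/"):
            # An IAM user is both the entity that authenticated and the identity
            # holding the attached policies, so the two ARNs coincide.
            return Principal("user", arn, arn)
        if resource.startswith("role/"):
            # A bare role ARN is an identity only; what authenticates is the
            # assumed-role session reported under the sts service.
            raise ValueError(f"role ARN is an identity, not an authenticated entity: {arn}")

    if service == "sts":
        if resource.startswith("assumed-role/"):
            # arn:aws:sts::<acct>:assumed-role/<RoleName>/<SessionName>
            _, role_name, session_name = resource.split("/", 2)
            # Assumption: role lives at path "/" (the session ARN drops the path).
            return Principal("assumed-role", arn, iam_prefix + "role/" + role_name, session_name)
        if resource.startswith("federated-user/"):
            # GetFederationToken sessions are entities with no IAM identity of their own;
            # their permissions derive from the calling user's policies and the session policy.
            return Principal("federated-user", arn, None, resource.split("/", 1)[1])

    raise ValueError(f"unrecognised principal ARN: {arn}")

def identities_behind(entity_arns: Iterable[str]) -> List[str]:
    """Distinct IAM identities whose attached policies need review for a set of observed entities."""
    found = {p.identity_arn for p in map(classify_principal, entity_arns) if p.identity_arn}
    return sorted(found)

if __name__ == "__main__":
    # Constructed sample of userIdentity.arn values as they might appear in CloudTrail.
    sample = [
        "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run-42",
        "arn:aws:sts::123456789012:assumed-role/DeployRole/ci-run-43",
        "arn:aws:iam::123456789012:user/alice",
        "arn:aws:sts::123456789012:federated-user/bob",
        "arn:aws:iam::123456789012:root",
    ]
    for arn in sample:
        p = classify_principal(arn)
        print(f"{p.entity_kind:15} entity={p.entity_arn}\n{'':15} identity={p.identity_arn}")
    print("identities to review:", identities_behind(sample))
```

Two assumed-role sessions of `DeployRole` are two distinct entities but resolve to one identity, which is the case the answer describes as "entities may each have multiple identities" in reverse: in IAM the role identity is shared by every session that assumes it.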