Difference between AWS IAM "Identity" and "Entity"

Question

I am reading through the AWS documentation Understanding how IAM works and I'm confused about the definitions for identities and entities.

Identities
The IAM resource objects that are used to identify and group. You can attach a policy to an IAM identity. These include users, groups, and roles.

Entities
The IAM resource objects that AWS uses for authentication. These include IAM users, federated users, and assumed IAM roles.

What's the difference between the two? They are both IAM resource objects. They both include users and roles (although only identities have groups). You can only attach a policy to an identity but not an entity, but you ultimately authenticate an entity but not an identity. Is the naming difference just a question of grammar, or is there something fundamentally different between the two?

Answer 1

My understanding was helped by this diagram from the Wikipedia page on IAM.

Entities represent the actors on the system, and they may each have multiple identities.

Unfortunately this doesn't translate well to IAM resources, and the IAM User Guide itself is pretty loose when referring to entities, identities, and principals (it often seems to use them interchangeably). As you've already noticed, identities are special since they can have policies attached to them directly. While some entities can have policies attached to them (since they also happen to be identities), that's more of an implementation detail, rather than a feature.