Difference between AWS Authentication, Authorization, and Access control

Sai Manohar Boidapu
2 min readDec 30, 2020

Difference between Authentication, Authorization, and Access Control


Authentication is a two-part process involving identification and its verification

Authentication = Identification + Verification


Identification can happen by providing some unique identity to the user. This must be uniques in the system. e.g. user name, SSN id, credit card number, etc. In the case of AWS, identity is your username.


Verification of the identity can happen by providing some secret information. e.g. password, OTP, pin number, CVV, etc. In the case of AWS, the verification is your password


Authorization determines what an identity can access and to what level once it has authenticated itself with the system. In the case of AWS, IAM decides what the identity can have access to. e.g. User 1 can have full access to resources A, B, C but the User 2 can only read access to resource A

Access Control:

Access control is the mechanism of accessing a secured resource. It is very closely related to both authentication and authorization as both are used to gain access to a resource. e.g. User name/Password, Multi-Factor Authentication, etc.

In the case of AWS, the following are the access controls:

IAM Roles: Roles are used to granting permissions to specific functions on AWS resources

Federation: Federation grants access to users that do not have identities within AWS itself, and are supplied temporary credentials to gain access. For example, a user account within a corporate Active directory can be federated to access AWS resources.

Network Access Control Lists (NACLs): NACLs allow to restrict the access based on specific network parameters such as ip addresses/ranges, protocols and ports. This is stateless which means any change made to inbound does not affect the outbound. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.

Security groups: These are similar to NACL but they work at the instance level and are stateful which mean any change made to inbound does affect the outbound. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic.