Authorization is very different from authentication, and sometimes, people confuse the definitions of these two terms. Authorization dictates what actions the authenticated identity can perform. These actions are usually in the form of permissions sets, which either explicitly allow or explicitly deny access to resources. Within AWS, these permissions are largely defined within the IAM service, and I will get to how IAM manages the permissions for identities later in this chapter.

So, bear in mind that it's not possible to gain access to a resource without first passing an authentication barrier, which identifies and verifies who you are. Only when it has been authenticated can an identity be authorized to perform actions, using the list of permissions that have been assigned.