What Is IAM role in Networking?
On This Page
What do you want to do?
Quick Definition
An IAM role is like a special identity that you can give to a user, application, or service to allow it specific access to cloud resources. Instead of sharing long-term credentials like passwords or keys, the role is assumed when needed. The permissions are temporary and automatically expire, making it a secure way to grant access. It is a core concept in AWS, Azure, and Google Cloud security.
Common Commands & Configuration
aws iam create-role --role-name S3ReadOnlyRole --assume-role-policy-document file://trust-policy.jsonCreates an IAM role named S3ReadOnlyRole with a trust policy defined in a JSON file. The trust policy specifies which entities (e.g., an AWS service or another account) can assume this role. Use this when setting up a new role for cross-account access or service usage.
Exams test that the trust policy must include 'sts:AssumeRole' action and the correct principal, such as 'ec2.amazonaws.com' for EC2. Missing the correct principal causes role assumption failures.
aws iam attach-role-policy --role-name S3ReadOnlyRole --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccessAttaches the AWS managed policy AmazonS3ReadOnlyAccess to the role S3ReadOnlyRole, granting read-only access to S3. Use this to assign permissions to a role without writing a custom policy.
Exam questions often ask about attaching policies to roles versus users. Remember that roles use 'attach-role-policy' while users use 'attach-user-policy'. The policy ARN must be correct.
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CrossAccountRole --role-session-name TestSessionAssumes a role in another AWS account (123456789012) and returns temporary credentials. Use this to perform actions across accounts, such as accessing resources in a different AWS account.
This command tests understanding of cross-account access and session names. The 'role-session-name' is required for auditing in CloudTrail. Exams may ask about the maximum session duration (default 1 hour, up to 12 hours).
aws iam update-assume-role-policy --role-name MyRole --policy-document file://new-trust-policy.jsonUpdates the trust policy of an existing IAM role. Use this to modify which entities can assume the role, such as adding a new service principal or tightening conditions like MFA.
Exams test that updating the trust policy does not affect existing sessions; it only applies to new role assumption attempts. Also, the policy document must be valid JSON.
aws iam put-role-permissions-boundary --role-name MyRole --permissions-boundary arn:aws:iam::aws:policy/AWSLambdaExecuteSets a permission boundary on an existing IAM role, limiting the maximum permissions to those defined in the AWSLambdaExecute policy. Use this to enforce least privilege restrictions without modifying the role's own policies.
Permission boundaries are a common trick in exam questions. They operate as an intersection with the role's permissions policy, not a union. A role can have permissions granted by its policy but denied by the boundary.
aws iam create-service-linked-role --aws-service-name ecs.amazonaws.comCreates a service-linked role for Amazon ECS. AWS automatically creates these roles when you first enable a service, but you can manually create them if they were accidentally deleted. Use this to restore service functionality.
Service-linked roles are role-specific and can only be assumed by the designated service. Exams test that they cannot be deleted if the service is still in use, and that they are predefined by AWS.
aws iam list-roles --query "Roles[?RoleName.contains(@, 'Lambda')]" --output tableLists all IAM roles that contain 'Lambda' in their name. Use this to quickly find roles related to a specific service for auditing or troubleshooting.
The --query parameter uses JMESPath, a common exam topic. This command helps in identifying roles quickly without pagination issues.
IAM role appears directly in 645exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →
Must Know for Exams
IAM roles appear heavily in multiple certification exams because they are fundamental to cloud security. In AWS Cloud Practitioner, you need to understand that roles provide temporary credentials and are used for EC2 instances, Lambda functions, and cross-account access. Questions may ask which IAM entity should be used for an application running on EC2 to access an S3 bucket. The correct answer is an IAM role, not an IAM user or access keys.
For AWS Solutions Architect Associate and AWS Developer Associate, you must understand trust policies, permissions policies, and the AssumeRole API. Exam questions often present a scenario where a developer needs to grant a third-party access to their AWS account. You need to know how to use a role with an external ID to prevent the confused deputy problem. You also need to know the difference between role-based access and resource-based policies.
In the CompTIA Security+ and CySA+ exams, roles are part of identity and access management concepts. Questions may compare RBAC (role-based access control) with other access control models. You need to understand how cloud roles differ from on-premises roles. For the ISC2 CISSP, the concept of role-based access control is a major domain, and IAM roles are a practical implementation in cloud environments.
For Microsoft exams like AZ-104 and SC-900, Azure RBAC roles and managed identities are directly tested. You need to understand built-in roles like Contributor and Owner, and how custom roles are created. Questions may ask how to grant a virtual machine access to a storage account without using storage keys-the answer is a managed identity, which is essentially an Azure IAM role.
For Google Cloud exams like ACE, roles are tested in the context of IAM policies. You need to know primitive roles (Owner, Editor, Viewer) and predefined roles for specific services. Questions may ask about the difference between roles and service accounts. The Google Cloud Digital Leader exam covers roles at a conceptual level, focusing on how they support least privilege.
In all these exams, IAM roles are tested through scenario-based questions where you must choose the most secure and appropriate access method. The trap is often to select a user with long-term credentials when a temporary role is more secure. Always look for clues like temporary access, cross-account, or application running on a compute service.
Simple Meaning
Think of an IAM role as a temporary badge that grants someone special access for a specific task. In everyday life, a delivery driver might get a one-day building pass that lets them enter only the lobby and a specific elevator. They don’t get a permanent keycard that works everywhere. The pass expires at the end of the day. In cloud computing, an IAM role works the same way. It is a predefined set of permissions that an entity-like an application running on a server, a developer, or a monitoring service-can request and temporarily receive.
When an entity assumes a role, it receives temporary security credentials from the cloud provider. These credentials are valid for a limited time, usually between 15 minutes and 12 hours, depending on the configuration. The entity then uses those credentials to make API calls or access resources. Once the credentials expire, the entity can no longer perform those actions unless it assumes the role again.
This is different from using a user account or a service account with long-term access keys. Those static credentials can be stolen or misused over long periods. With a role, you minimize the risk because the credentials are short-lived and automatically rotated. You also do not need to manage or store sensitive keys in code or configuration files-the cloud provider handles the temporary credential generation.
IAM roles are used for many purposes. You might assign a role to an EC2 instance in AWS so that an application on that instance can read data from S3. Or you might create a role for a developer to access a specific database during an incident. In Microsoft Azure, a similar concept is called a managed identity or an Azure role assignment. In Google Cloud, roles are defined using IAM and can be assigned to service accounts.
The key idea is that roles separate the identity from the permissions. The same person or service can assume different roles in different contexts. This supports the principle of least privilege-giving only the minimum permissions needed for a task. It also makes audit logs clearer because each role assumption is recorded.
Full Technical Definition
An IAM role is an identity with a set of permissions that can be assumed by a trusted entity, such as a user, a service, or another AWS account. Unlike an IAM user, a role does not have long-term credentials like a password or access key. Instead, when a role is assumed, the AWS Security Token Service (STS) generates temporary security credentials consisting of an access key ID, a secret access key, and a session token. These credentials are valid for a configurable duration, typically between 15 minutes and 12 hours, after which they expire and cannot be reused.
The role itself is defined by two key documents: a trust policy and a permissions policy. The trust policy specifies which entities are allowed to assume the role. It can include AWS accounts, IAM users, services like EC2 or Lambda, or even federated identities from an external identity provider such as Active Directory or a SAML-based provider. The permissions policy (or policies) defines what actions the role is allowed to perform on which resources. These policies are written in JSON format using the AWS Identity and Access Management (IAM) policy language.
When an entity attempts to assume a role, it calls the STS AssumeRole API. The request must include the Amazon Resource Name (ARN) of the role and, depending on the trust policy, may also require a session name, duration, or external ID. STS validates the request against the trust policy. If the entity is authorized, STS returns temporary credentials. The entity then uses these credentials to make API calls to AWS services. The session token must be included in every request.
From a protocol perspective, temporary credentials are fully compatible with standard AWS API calls. All AWS SDKs and the AWS CLI support assuming roles by automatically refreshing the temporary credentials when they are about to expire. This is handled transparently in most modern applications. The AWS IAM service also enforces that temporary credentials are not stored or reused across sessions without proper assumption.
In a multi-account scenario, roles are essential for cross-account access. For example, a central security team in one AWS account can assume a role in a production account to review logs. The trust policy in the production account explicitly lists the security team’s account ID. For federated access, roles integrate with SAML 2.0 or OpenID Connect (OIDC) providers. Corporate users can authenticate via their existing identity provider and then assume a role to access AWS resources.
In Microsoft Azure, the equivalent is an Azure RBAC role or a managed identity. Azure managed identities automatically rotate credentials and integrate with Azure AD authentication. In Google Cloud, roles are assigned to service accounts or user accounts using IAM policies. The mechanics differ, but the core concept of a temporary, policy-bound identity is consistent across all major cloud providers. Understanding IAM roles is foundational for designing secure, scalable cloud architectures that adhere to the principle of least privilege.
Real-Life Example
Imagine a large office building with many departments. Each employee has a permanent ID badge that lets them enter the main entrance and their own floor. But sometimes, a maintenance worker from an outside company needs to enter the server room to fix the air conditioning. You do not want to give that worker a permanent badge that works everywhere in the building. Instead, the security desk issues a temporary visitor badge that only opens the server room door and the elevator to that floor. The badge expires at 5 PM that day.
In cloud terms, the maintenance worker is the application or service that needs temporary access. The server room is the sensitive resource, such as a database or storage bucket. The temporary visitor badge is the IAM role. The security desk is the AWS STS service that issues the credentials. The rule saying the badge only works until 5 PM is the session duration. The restriction that the badge only opens the server room door is the permissions policy attached to the role.
Now, suppose a different person-a fire inspector-needs to visit. The same system can issue a different badge that only unlocks the fire panel and the electrical room. Similarly, you can have multiple roles for different tasks. The worker does not need to carry multiple badges; they just get the appropriate badge when needed. In the cloud, a single EC2 instance can assume different roles for different operations, but only one role at a time.
The security desk also verifies the worker’s identity before issuing the badge. In the cloud, the trust policy checks the identity of the requester. For example, an EC2 instance must have an instance profile attached that grants it permission to assume the role. The worker cannot just walk in and ask for any badge-they must be pre-authorized. This prevents unauthorized entities from gaining access.
At the end of the day, the badge stops working. Even if someone finds a lost badge on the floor, it is useless after expiration. Similarly, temporary credentials that are exposed after the session ends cannot be used because STS has invalidated the session token. This makes IAM roles much more secure than static keys stored in a config file.
Why This Term Matters
IAM roles are a cornerstone of cloud security because they enable the principle of least privilege without the operational burden of managing long-term credentials. In traditional on-premises environments, applications often used hardcoded passwords or service accounts that never changed. If a password was leaked, an attacker could access systems indefinitely. With roles, credentials are temporary and automatically rotated by the cloud provider, drastically reducing the window of exposure.
From a practical IT perspective, using roles simplifies credential management. You no longer need to store, rotate, or distribute access keys for every application or service. The cloud provider handles the token issuance and expiration. This reduces the attack surface and eliminates the risk of keys being committed to code repositories or left in logs. In audit logs, each role assumption is recorded with a unique session ID, making it easier to trace who did what and when.
Roles also enable fine-grained access control. You can create a role that only allows reading a specific S3 bucket, and another that allows writing to a different bucket. An application can assume the reader role during normal operations and the writer role only during a batch update. This granularity helps meet compliance requirements such as SOC 2, PCI DSS, or HIPAA, which often require limiting access to sensitive data.
In modern DevOps workflows, roles are essential for CI/CD pipelines. Build servers, like Jenkins or GitHub Actions, can assume a role to deploy code to a staging environment without storing long-lived credentials. This makes deployments more secure and auditable. Similarly, roles are used for cross-account access, allowing a central security team to manage resources across multiple accounts without needing individual user accounts in each account.
How It Appears in Exam Questions
IAM role questions typically appear in three formats: scenario-based, configuration-based, and troubleshooting. In scenario-based questions, you are given a situation where an application or service needs access to a resource. For example: A web application running on EC2 instances needs to write logs to an S3 bucket. Which IAM entity should you use? The correct answer is an IAM role attached to the EC2 instance profile. Distractors may include an IAM user with access keys, a bucket policy, or a security group.
Configuration-based questions ask about the components of a role. You might see: Which of the following documents defines who can assume an IAM role? The answer is the trust policy. Or: What is the purpose of the external ID parameter when assuming a role? It is used to prevent the confused deputy problem. You may also be asked to identify the correct JSON syntax for a trust policy that allows an EC2 service to assume a role.
Troubleshooting questions present a scenario where access is denied. For example: A Lambda function is unable to write to a DynamoDB table even though the function has an IAM role with the necessary permissions. What could be wrong? Possible issues include: the role is not attached to the function, the trust policy does not allow Lambda to assume the role, or the permissions policy has a typo in the resource ARN. You need to check the trust policy first because Lambda must be allowed to assume the role before the permissions policy applies.
Another common pattern: An administrator configures a role for cross-account access, but users from the other account cannot access resources. The question might ask: What is the most likely cause? The answer is the trust policy does not include the external account ID, or the role’s permissions policy does not grant the necessary actions to the resources. You may also see questions about session duration: What is the maximum session duration for an IAM role? In AWS, it is 12 hours (configurable), but the default is 1 hour.
In Azure exams, you might see: A virtual machine needs to access an Azure Key Vault to retrieve secrets. What is the most secure method? The answer is a managed identity, which creates an Azure AD service principal and assigns a role. The question might then ask: Which built-in role provides read access to secrets? The answer is Key Vault Secrets User.
Practise IAM role Questions
Test your understanding with exam-style practice questions.
Example Scenario
A company called CloudBooks runs a web application on multiple EC2 instances behind an Application Load Balancer. The application needs to store customer-uploaded profile pictures in an S3 bucket named cloudbooks-profiles. The development team has been using an IAM user called s3-uploader with long-term access keys hardcoded in the application configuration. Recently, one of the keys was accidentally committed to a public GitHub repository. The security team immediately revoked the keys and mandated a more secure approach.
You are tasked with implementing a solution that eliminates the need for long-term access keys and follows the principle of least privilege. You decide to create an IAM role called EC2-S3-Profile-Writer. You attach a permissions policy that allows only the s3:PutObject action on the cloudbooks-profiles bucket. Then you create a trust policy that allows the EC2 service to assume the role. Finally, you launch new EC2 instances with an instance profile that includes this role.
Now, when the application runs on the EC2 instance, it can call the AWS STS AssumeRole API internally (via the SDK) and receive temporary credentials. These credentials last for one hour and are automatically refreshed by the SDK. If a developer accidentally exposes these credentials, they are only useful for a limited time. The role only allows uploading objects, not listing or deleting them. This reduces the blast radius if a compromise occurs.
The security team is satisfied because no long-term secrets are stored in code or configuration. The operations team is happy because they no longer need to rotate keys manually. The auditors appreciate that each PutObject call is associated with a unique session ARN, making it easy to trace actions back to a specific EC2 instance and time. This scenario is a classic example of how an IAM role improves security, manageability, and compliance.
Common Mistakes
Using an IAM user with access keys instead of a role for an EC2 instance application.
Access keys are long-term credentials that never expire. If they are compromised, an attacker can use them indefinitely. They also require manual rotation and secure storage, which adds operational overhead and risk.
Use an IAM role attached to the EC2 instance profile. The SDK will automatically retrieve temporary credentials from the instance metadata service.
Confusing the trust policy with the permissions policy.
The trust policy determines who can assume the role, while the permissions policy determines what actions the role can take. If the trust policy is wrong, the entity cannot assume the role at all, even if the permissions policy is correct.
Always write the trust policy first to allow the intended entity (e.g., EC2, Lambda, another account) to assume the role. Then attach the permissions policy for the desired actions.
Assuming that a role can be assigned to an IAM user like a password.
Roles are not assigned statically to users. Users must explicitly call AssumeRole to receive temporary credentials. A role is assumed, not attached. Some services like EC2 automate this via instance profiles, but it is still a temporary assumption.
Write a trust policy that includes the user or group, then the user calls sts:AssumeRole in the AWS CLI or SDK. The user can then use the temporary credentials.
Forgetting to include an external ID when allowing a third party to assume a role.
Without an external ID, the role can be used by any entity that is allowed by the trust policy. This creates a confused deputy problem where a third party could trick the role into accessing resources they should not have.
Add an external ID condition in the trust policy. The external ID is a unique value that only the trusted third party knows. It acts as an additional authentication factor.
Setting the session duration longer than the maximum allowed.
The maximum session duration for an IAM role is 12 hours. If you set it higher, the API call will fail. Also, long sessions increase the risk window if temporary credentials are leaked.
Set the duration to the minimum necessary for the task. For most use cases, 1 hour is sufficient. Use role chaining for long-running processes.
Thinking that a role can be used by multiple entities simultaneously with the same permissions.
Each entity that assumes a role gets its own unique set of temporary credentials. Multiple entities can assume the same role at the same time, but each session is independent and isolated.
It is actually okay for multiple entities to assume the same role simultaneously. The role is shared, but sessions are separate. Just be aware that audit logs will show each session distinctly.
Using a role without a proper trust policy for an AWS service that does not support it.
Not all AWS services can assume roles. For example, an RDS instance does not have an instance profile. You must check the service documentation to see if it supports assuming roles.
If a service does not support roles, consider using a different service architecture, such as a Lambda function as a proxy, or use a VPC endpoint with a resource-based policy.
Exam Trap — Don't Get Fooled
{"trap":"The exam question asks: You need to grant an EC2 instance running a web application access to an S3 bucket. The most secure approach is: A) Create an IAM user with access keys and store them in a config file on the instance. B) Create an IAM role and attach it to the EC2 instance profile.
C) Use a bucket policy that allows access from the EC2 instance's public IP. D) Create an IAM group and assign the instance to the group.","why_learners_choose_it":"Learners often choose option A because they are familiar with access keys.
They may not realize that access keys are static and insecure. They might also overlook that the instance profile provides automatic credential management. Option C seems clever but bucket policies cannot filter by EC2 instance IP alone; they can filter by VPC or source IP, but the instance’s public IP is ephemeral.
Option D is invalid because instances cannot be members of IAM groups.","how_to_avoid_it":"Always think: Does this method use static credentials? If yes, it is less secure. Roles with instance profiles are the gold standard for granting EC2 instances access to other AWS services.
Remember that bucket policies can work in some cases, but they require the instance to be in a VPC with a specific endpoint. The role method is simpler and more secure for most scenarios. For the exam, memorize that the most secure way to grant EC2 access to S3 is an IAM role with an instance profile."
Commonly Confused With
An IAM user is a permanent identity with long-term credentials (password or access keys). A role is a temporary identity that is assumed. Users typically represent individual people, while roles represent permissions that can be taken on by services, applications, or federated identities. Roles do not have login credentials and cannot be used for interactive login unless they are used with AWS IAM Identity Center.
You create a user named 'john' for a developer to log in to the AWS console. You create a role named 'S3ReadOnly' that a Lambda function assumes to read from an S3 bucket.
An IAM group is a collection of IAM users. You attach policies to a group, and all users in the group inherit those policies. A role is not a group; it is a standalone identity that is assumed. Groups are only for organizing users, while roles are for granting temporary access to any trusted entity.
You put all developers in a group called 'Developers' with a policy that allows reading from a code repository. You create a role called 'DeployRole' that a CI/CD pipeline assumes to deploy code to production.
A service-linked role is a special type of IAM role that is pre-defined by an AWS service. It includes all the permissions that the service needs to call other AWS services on your behalf. Unlike a regular role, a service-linked role cannot be edited or deleted independently; you must first delete the service that created it. Regular roles are manually created and fully customizable.
When you enable Amazon GuardDuty, it creates a service-linked role named AWSServiceRoleForAmazonGuardDuty that allows it to access your CloudTrail and VPC Flow Logs. You cannot modify this role.
An SCP is a policy that specifies the maximum permissions for all accounts in an AWS Organization. It does not grant permissions; it acts as a permission guardrail. An IAM role grants specific permissions to entities that assume it. SCPs can restrict what any role (including a role in a child account) can do, but roles still need a permissions policy to actually allow actions.
You create an SCP that denies deleting S3 buckets in all accounts under an Organization. Even if a role has an 's3:DeleteBucket' permission, the SCP will block the action. The role must still be assumed, and its permissions are constrained by the SCP.
A resource-based policy is attached directly to a resource, such as an S3 bucket policy or a Lambda function policy. It grants access to a principal (user, role, account) by specifying the principal in the policy. A role is an identity that can be assumed, and it has a trust policy that defines who can assume it. Resource-based policies can grant access to a role in another account without needing a role exchange.
You write an S3 bucket policy that allows the role 'arn:aws:iam::123456789012:role/CrossAccountRole' to read objects. The role does not need a trust policy for the bucket; the bucket policy grants access directly to the role.
PassRole is a separate IAM permission that controls which entities can pass a role to an AWS service when creating a resource. For example, when you launch an EC2 instance, you must have the iam:PassRole permission for the role you want to attach. It is not the role itself, but a permission that governs role delegation.
A user needs the iam:PassRole permission for 'EC2-S3-Role' to launch an EC2 instance with that role attached. Without this permission, the launch will fail even if the user has other permissions.
Step-by-Step Breakdown
Define the use case
Identify the entity that needs access and the resource it needs. For example, an EC2 instance needs to write logs to an S3 bucket. This determines the trust policy (who can assume) and the permissions policy (what actions are allowed).
Create the IAM role
In the AWS Management Console, navigate to IAM, then Roles, and click Create role. Select the trusted entity type. For an AWS service, choose ‘AWS service’ and select the service (e.g., EC2). This generates a basic trust policy automatically.
Attach permissions policies
Select the policies that define what the role can do. You can use AWS managed policies (e.g., AmazonS3FullAccess) or create a custom policy with specific actions and resources. For least privilege, always use a custom policy that only allows the necessary actions.
Review and name the role
Give the role a descriptive name, such as EC2-S3-LogWriter. Optionally add tags. Review the trust policy and permissions policy. The trust policy should list the service principal (e.g., ec2.amazonaws.com) for AWS services.
Attach the role to the resource
For EC2, you attach the role to an instance profile. When launching an instance, you specify the IAM role under the ‘Advanced details’ section. For existing instances, you can attach the role by selecting the instance, choosing Actions > Security > Modify IAM role.
Configure the application to use the role
Applications using the AWS SDK automatically retrieve temporary credentials from the instance metadata service (IMDS). No code changes are needed; the SDK handles the AssumeRole call internally. For other services like Lambda, the role is attached via the function configuration.
Test the access
After attaching the role, test by running commands on the instance, such as aws s3 cp test.txt s3://my-bucket/. If it fails, check the trust policy (does ec2.amazonaws.com appear?), the permissions policy (does it allow s3:PutObject?), and the instance’s network connectivity.
Monitor and audit
Use AWS CloudTrail to record all AssumeRole calls and any actions taken with the temporary credentials. Audit logs show the session ARN, role ARN, and the IP address. This helps in troubleshooting and compliance reporting.
Rotate or update policies as needed
The role’s permissions policies can be updated at any time without interrupting existing sessions. New sessions will use the updated policy. To revoke access immediately, you can delete the role or update the trust policy to deny future assumptions.
Practical Mini-Lesson
To use IAM roles effectively in practice, you need to understand how they integrate with AWS services and how to avoid common pitfalls. A professional cloud architect must design roles with the principle of least privilege, using custom policies that specify exact actions and resource ARNs. Managed policies like AdministratorAccess are convenient for testing but should never be used in production.
When creating a role for an AWS service, the trust policy is usually generated automatically. However, for cross-account access or federated users, you must write the trust policy manually. The trust policy uses the Condition element to add constraints. Common conditions include requiring a specific external ID, limiting by source IP, or requiring MFA. Always use conditions to harden the trust policy.
A common scenario is granting an EC2 instance access to a DynamoDB table. You would create a role with a custom policy that allows only Query and PutItem on the specific table ARN. The trust policy allows ec2.amazonaws.com. Then you attach the role to the instance via an instance profile. The application code simply uses the default credential provider chain, which picks up the temporary credentials from the instance metadata service. No access keys are ever stored on the instance.
What can go wrong? The most common issue is that the trust policy is missing or incorrect. For example, if you use an Amazon Resource Name (ARN) for a different region or account, the service will not assume the role. Another issue is that the permissions policy might be too broad, allowing actions that were not intended. This can lead to security breaches. Always test the role by assuming it from the intended entity and performing the allowed actions.
For multi-account setups, roles are essential. You define a role in the target account with a trust policy that includes the source account’s ID. Then, users or services in the source account can assume that role. This avoids creating IAM users in every account. However, you must manage the trust policies carefully to ensure only authorized entities can assume the role.
Professionals also need to understand the difference between role-based access and resource-based policies. For example, an S3 bucket policy can grant access to a role in another account without the role needing a trust policy. This is useful when you want to allow a specific user from another account to access a bucket without creating a role exchange. The bucket policy specifies the principal as the role’s ARN.
Finally, always consider session duration. If an application needs to make long-running API calls, set the duration to an appropriate length. But be aware that credentials cannot be revoked once issued; they will remain valid until expiration. If you need to revoke access immediately, you can change the trust policy to deny future assumptions, or delete the role. Existing sessions will continue until they expire, so plan accordingly.
How IAM Role Trust Policies Define Permission Boundaries
An IAM role is fundamentally different from an IAM user because it does not have permanent credentials. Instead, it relies on a trust policy to define which entities are allowed to assume the role. The trust policy is a JSON document attached to the role that specifies the principal (such as an AWS service, another AWS account, or an IAM user) that can assume the role, along with optional conditions like MFA or source IP restrictions.
This is the core mechanism that enables cross-account access, service-to-service communication, and federated identity usage. For example, an EC2 instance can assume a role by having the trust policy grant the ec2.amazonaws.
com service principal permission to assume the role. The trust policy is evaluated at the time of the AssumeRole API call, and if the principal matches and conditions are satisfied, temporary security credentials are generated via AWS Security Token Service (STS). These credentials have a limited lifetime, typically between 15 minutes and 12 hours.
The trust policy is separate from the permissions policy, which defines what actions the role can perform once assumed. This separation is critical for security because it allows administrators to control both who can use the role and what resources they can access. In AWS certification exams, you will often see questions where a role is assumed by a Lambda function or an EC2 instance, and the trust policy must correctly specify the service principal.
Common mistakes include forgetting to include sts:AssumeRole in the trust policy or incorrectly specifying the principal. Understanding the trust policy is also essential for cross-account access scenarios, where you must specify the AWS account ID of the trusting account. For instance, if Account A wants to allow users from Account B to assume a role, the trust policy in Account A must list Account B's root user or an IAM entity as the principal.
This is a frequent topic in AWS Certified SysOps Administrator and AWS Solutions Architect exams. Trust policies can include conditions like aws:SourceArn to prevent the confused deputy problem, where a service in one account assumes a role intended for another. The trust policy is the first line of defense, and any misconfiguration can lead to security vulnerabilities or failed access.
Therefore, when troubleshooting IAM role issues, always start by examining the trust policy to ensure the correct principal and conditions are present. The trust policy is what makes IAM roles dynamic and secure, enabling temporary access without the need for long-term credentials.
How IAM Role Permission Boundaries Limit Effective Permissions
Permission boundaries are an advanced IAM feature that allow you to restrict the maximum permissions that an IAM role can have. They are implemented as a managed policy that defines the upper boundary of what the role can do, regardless of the permissions policies attached to the role. This is particularly useful in environments where you delegate role creation to developers or teams but want to ensure they cannot escalate privileges beyond a certain scope.
For example, an administrator can create a permission boundary that allows only EC2 and S3 actions, and then attach that boundary to a role. Even if the role has a permissions policy that allows IAM:* actions, the effective permissions are limited to the intersection of the permissions policy and the permission boundary. In mathematical terms, effective permissions = (permissions policy) ∩ (permission boundary).
This concept is crucial for security best practices and appears in AWS Certified Security Specialty and AWS Solutions Architect exams. When a role is used, AWS evaluates both the permission boundary and the permissions policy, and only actions allowed by both are granted. Permission boundaries do not grant permissions by themselves; they only restrict.
They can be attached to IAM roles (but not to IAM users directly, though they can be attached to user roles). A common exam scenario involves a security administrator setting up a permission boundary that restricts roles to only read-only actions in Amazon S3, and then a developer creates a role with full S3 access. The effective permission is read-only, preventing accidental data deletion.
Another important nuance is that permission boundaries can be used to prevent privilege escalation. For instance, if a role has a policy that allows iam:CreateRole, but the permission boundary does not allow iam:CreateRole, the role cannot create new roles. This is a key concept in the principle of least privilege.
In troubleshooting, if a role is unable to perform an action even though its permissions policy seems to allow it, check if a permission boundary is attached. The AWS Management Console and CLI will show the effective permissions, but it's easy to overlook the boundary. For exam questions, look for scenarios where a role has a policy that allows an action but the boundary denies it, or where the boundary is more restrictive than anticipated.
Permission boundaries are often used in conjunction with service control policies (SCPs) in AWS Organizations to provide defense in depth. SCPs operate at the account level, while permission boundaries operate at the role level. Understanding this layered security is vital for AWS certification exams.
Permission boundaries are a powerful tool for limiting IAM role permissions without changing the underlying policies, providing an additional security layer that is frequently tested in advanced AWS certifications.
How STS Temporary Credentials Are Generated and Used for IAM Roles
AWS Security Token Service (STS) is the service that issues temporary security credentials for IAM roles. When a principal (such as an AWS service, a user from another account, or a federated identity) calls the AssumeRole API action, STS validates the trust policy of the role, generates a temporary set of credentials, and returns an access key ID, a secret access key, and a session token. These credentials are valid for a duration specified in the role's settings or the API call, ranging from 15 minutes up to 12 hours.
The session token must be included in every request made with these credentials. This process is automatic for AWS services like EC2, Lambda, or ECS when you attach an IAM role to them. For example, when you launch an EC2 instance with an instance profile associated with an IAM role, the instance retrieves temporary credentials from the instance metadata service (IMDS), which internally uses STS to assume the role.
The credentials are rotated automatically before they expire, which eliminates the need to manage long-term keys. This is a fundamental security advantage of roles over users. In AWS certification exams, you will encounter questions about the maximum session duration, which is 12 hours for roles assumed by AWS services, and 1 hour for roles assumed via the AWS Management Console.
Another common topic is the use of role chaining, where one role assumes another role, which can lead to complex scenarios with limited session durations. For instance, if a user assumes Role A, and Role A then assumes Role B, the session duration is limited by the more restrictive of the two roles. Understanding the token expiration and renewal mechanism is critical for application design, especially for long-running processes.
If a Lambda function runs for more than the credential duration (which is typically 6 hours for Lambda execution roles), the function must refresh credentials or use the AWS SDK's automatic credential refresh. In troubleshooting, if you get 'Access Denied' errors from an EC2 instance, check if the instance metadata service is running and the credentials are not expired. You can manually retrieve credentials by querying http://169.
254.169.254/latest/meta-data/iam/security-credentials/role-name. Also, be aware of the difference between IMDSv1 and IMDSv2; IMDSv2 requires a session token for added security. STS also supports AssumeRoleWithWebIdentity for identity federation with providers like Google or Facebook, and AssumeRoleWithSAML for enterprise federation.
These endpoints are tested in security-focused exams. STS is the engine behind IAM roles, enabling secure, temporary, and automatically rotating credentials that reduce the risk of credential leakage, and understanding its mechanics is essential for both development and operations roles.
How Service-Linked Roles Simplify AWS Service Integration
Service-linked roles are a special type of IAM role that are predefined by AWS services to perform actions on your behalf. These roles come with a trust policy that allows only the specific service to assume the role, and the permissions policy is created and managed by AWS to include all the necessary permissions for that service to function optimally. For example, Amazon RDS uses a service-linked role named AWSServiceRoleForRDS to access EC2, SNS, and CloudWatch on your behalf.
Similarly, AWS Lambda uses AWSServiceRoleForLambda to manage ENIs and CloudWatch Logs. The key advantage is that you do not need to manually define the permissions-AWS updates them as the service evolves. However, you must have the iam:CreateServiceLinkedRole permission to create these roles, which is often automatically done when you enable the service in the AWS Management Console.
Service-linked roles cannot be deleted if the service is still in use; you must first delete the resources that depend on the role. This is a common exam topic in AWS Certified Developer and SysOps exams. For instance, if you try to delete a service-linked role for Amazon RDS while there are active DB instances, the deletion will fail.
Another important aspect is that you can view the permissions of a service-linked role via the IAM console, but you cannot modify them directly-you must use AWS service-specific APIs. This ensures that the service has the minimum necessary permissions without giving users the ability to inadvertently lock out the service. In troubleshooting, if an AWS service that requires a service-linked role fails to launch, check if the role exists and if the trust policy is correct.
For example, if Amazon Redshift cannot create a cluster, it may be because the AWSServiceRoleForRedshift role is missing or has been deleted. You can create a new service-linked role using the AWS CLI command 'aws iam create-service-linked-role --aws-service-name redshift.amazonaws.
com'. This is a straightforward fix that is tested in the AWS Certified SysOps Administrator exam. Service-linked roles support service-specific actions that are defined in the service's documentation.
For example, the Amazon ECS service-linked role allows ecs:CreateCluster and ecs:RegisterTaskDefinition. Understanding these roles helps in designing secure architectures because they follow the principle of least privilege by default. Service-linked roles automate permission management for AWS services, reduce administrative overhead, and are a key concept for operational efficiency and security in AWS environments.
Troubleshooting Clues
Role assumption fails with 'AccessDenied' error
Symptom: When calling sts:AssumeRole, the user gets an 'AccessDenied' error even though they believe they have permissions.
The trust policy must explicitly allow the requesting principal to assume the role. Either the principal is not included in the trust policy, or there is a condition (e.g., MFA not enabled) that blocks the request. Also, the user's own IAM policy must allow 'sts:AssumeRole' on the role ARN.
Exam clue: Exams often present a scenario where a user can assume a role but receives access denied, testing whether the candidate checks both the trust policy and the user's permissions policy.
IAM role attached to EC2 instance not working
Symptom: Applications on the EC2 instance get 'Access Denied' errors when trying to access S3 or other services, even though a role is attached.
Common causes: the instance profile is not correctly associated, the instance metadata service is disabled, or the role's permissions policy does not include the required actions. Also, the trust policy may not include 'ec2.amazonaws.com' as a service principal.
Exam clue: Exam questions often test the correct trust policy for EC2: it must include 'Service: ec2.amazonaws.com' and 'sts:AssumeRole'. Also, verify the instance profile creation order.
Cross-account role assumption fails with 'MalformedPolicyDocument'
Symptom: When creating a trust policy for cross-account access, the API returns a 'MalformedPolicyDocument' error.
The trust policy JSON must be valid and follow the correct schema. Common mistakes include using commas incorrectly, missing quotes, or using an incorrect principal format (e.g., using 'AWS' instead of 'AWS' with a colon).
Exam clue: Exams test the exact JSON syntax for trust policies. For cross-account, the principal must be 'AWS': 'arn:aws:iam::ACCOUNT-ID:root'.
Role permissions boundary prevents actions even though policy allows
Symptom: An IAM role can see a policy that allows s3:PutObject, but the action fails with 'AccessDenied'.
A permission boundary is attached to the role that does not include s3:PutObject. Permissions are the intersection of the role's permissions policy and the boundary. If the boundary denies or omits the action, the action fails.
Exam clue: This is a classic exam trick: the role's policy allows the action, but the boundary is more restrictive. Always check the boundary in exam answer choices.
Service-linked role deletion fails
Symptom: When trying to delete a service-linked role (e.g., AWSServiceRoleForRDS), the console or CLI returns an error indicating the role is in use.
Service-linked roles cannot be deleted while there are active resources that depend on them. For example, you must delete all RDS instances before deleting the RDS service-linked role.
Exam clue: Exams test that you must first delete the associated service resources. This is a common scenario in SysOps and Developer exams.
Temporary credentials expire during long-running tasks
Symptom: A Lambda function that runs for more than 6 hours suddenly starts failing with 'ExpiredToken' errors.
IAM role temporary credentials have a maximum session duration (e.g., 6 hours for Lambda execution roles). The application must refresh credentials before expiration or use the AWS SDK's automatic refresh mechanism.
Exam clue: Exams test the maximum session duration for roles: default 1 hour for console, up to 12 hours for API, and 6 hours for Lambda. Understanding this helps in designing resilient architectures.
Role assumption from another account works in one account but not vice versa
Symptom: User in Account A can assume Role in Account B, but not the other way around.
Cross-account trust policies are not reciprocal. Each role's trust policy must explicitly list the other account's principal. The user in Account B must have permission to assume the role in Account A.
Exam clue: Exams frequently test the non-reciprocal nature of IAM roles. Roles do not automatically grant mutual access; each direction requires separate policies.
Memory Tip
Roles are like temporary badges: you assume them, not own them. Trust policy is the guard who checks your ID; permissions policy is the list of doors you can open.
Learn This Topic Fully
This glossary page explains what IAM role means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CISSPCISSP →CS0-003CompTIA CySA+ →SY0-701CompTIA Security+ →MD-102MD-102 →MS-102MS-102 →SC-900SC-900 →CLF-C02CLF-C02 →200-301Cisco CCNA →AZ-104AZ-104 →ACEGoogle ACE →CDLGoogle CDL →AZ-900AZ-900 →SAA-C03SAA-C03 →DVA-C02DVA-C02 →SOA-C02SOA-C02 →N10-009CompTIA Network+ →220-1101CompTIA A+ Core 1 →220-1102CompTIA A+ Core 2 →AZ-400AZ-400 →PCAGoogle PCA →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Quick Knowledge Check
1.Which of the following is required in an IAM role's trust policy for an EC2 instance to assume the role?
2.An IAM role has a permission boundary that allows only s3:GetObject and a permissions policy that allows s3:GetObject and s3:PutObject. What actions can the role perform?
3.What is the maximum session duration for temporary credentials obtained by assuming an IAM role via the AWS Management Console?
4.Why would deleting a service-linked role for Amazon RDS fail?
5.A developer receives an AccessDenied error when trying to assume an IAM role, even though the trust policy includes the developer's AWS account. What else must be true for the operation to succeed?
Frequently Asked Questions
Can an IAM role be used by multiple EC2 instances at the same time?
Yes, multiple EC2 instances can assume the same IAM role simultaneously. Each instance gets its own unique temporary credentials session, and they do not interfere with each other.
What is the difference between an IAM role and an IAM user?
An IAM user is a permanent identity with long-term credentials like a password or access keys. An IAM role is a temporary identity that does not have static credentials. Users are typically for people, roles are for services, applications, or federated access.
How do I grant a user in one AWS account access to a resource in another account?
Create an IAM role in the target account with a trust policy that includes the source account's ID. Then grant the user in the source account permission to call sts:AssumeRole for that role. The user can then assume the role and access the resource.
What is the maximum session duration for an IAM role?
The maximum is 12 hours, but the default is 1 hour. You can configure it when defining the role. For roles assumed by AWS services, the duration is typically set by the service.
Can I use an IAM role for an on-premises server?
Yes, you can use an IAM role for an on-premises server by configuring the server to call the STS AssumeRole API. However, you must securely store AWS credentials (like a user’s access keys) on the server to make the initial call. Alternatively, you can use AWS Identity Center or a federated identity provider.
What does the 'Trust Policy' do in an IAM role?
The trust policy defines which entities (services, accounts, users) are allowed to assume the role. It is like a security guard that checks the identity of the requester before granting access to the temporary credentials.
How do I revoke access granted through an IAM role immediately?
To revoke future access, you can update the trust policy to deny the entity or delete the role. However, existing sessions with active temporary credentials will remain valid until their expiration. For immediate revocation, you can also use the AWS IAM service to invalidate the credentials by attaching a policy that denies all actions for the role.
Is an IAM role the same as an Azure managed identity?
They are similar in concept. Both provide temporary credentials to an Azure resource (like a VM) so it can access other Azure services without storing keys. Azure managed identity is the equivalent of an IAM role in AWS. The implementation details differ, but the principle is the same.
Summary
An IAM role is a fundamental cloud security concept that allows entities to temporarily assume a set of permissions without using long-term credentials. This reduces the risk of credential theft and simplifies management. Roles are used in all major cloud platforms-AWS, Azure, and Google Cloud-and are tested in numerous certification exams.
Understanding the difference between trust policies and permissions policies, how roles integrate with services like EC2 and Lambda, and how they support cross-account access is essential for any IT professional. The principle of least privilege should guide role design: grant only the minimum permissions necessary.
For exams, remember that IAM roles are the preferred method for granting access to AWS compute services. Avoid using access keys for applications running on EC2. Look for trust policies, external IDs, and session duration in scenario questions. The most common mistake is confusing a role with a user or group. A role is assumed, not assigned. Master this concept, and you will be well-prepared for security-related questions across cloud and security certifications.