Mastering AWS IAM Roles: A Practical Guide

Published August 30, 2024 · by Eric Wilson · in aws

Understand the power of IAM Roles in AWS by exploring the most common use cases, from granting EC2 instances access to S3 to enabling cross-account access.

In AWS, managing permissions is a critical part of security. While IAM users represent a person or application, an IAM Role is an identity with permissions that can be assumed by a trusted entity. Unlike a user, a role does not have its own long-term credentials (like a password or access keys). Instead, when an entity assumes a role, it gets temporary security credentials.

This is the most secure and flexible way to delegate permissions in AWS. Let's explore the most common use cases.

Use Case 1: Granting AWS Service Access to EC2 Instances

This is the canonical example. You have an EC2 instance that needs to read objects from an S3 bucket. The insecure way would be to hardcode an IAM user's access keys on the instance. The secure, correct way is to use an IAM Role.

How it Works:

  1. Create an IAM Policy: Define a policy that grants the required permissions (e.g., s3:GetObject on a specific bucket).
    {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-app-bucket/*"
        }
    ]
}
  2. Create an IAM Role: Create a role and specify its trust policy. The trust policy defines who can assume the role. In this case, the trusted entity is the EC2 service (ec2.amazonaws.com).
  3. Attach the Policy: Attach the permissions policy you created in step 1 to the role.
  4. Launch EC2 with the Role: When you launch your EC2 instance, you associate it with the role you created. The EC2 metadata service then makes temporary credentials available to any application running on the instance. AWS SDKs (like Boto3) automatically know how to find and use these credentials.

Now, your application code on the EC2 instance can access S3 without any hardcoded keys.

Use Case 2: Enabling Cross-Account Access

Imagine you have two AWS accounts: a Development account and a Production account. You want to allow a user or service in the Development account to access resources (like an S3 bucket) in the Production account.

How it Works:

  1. In the Production Account (the trusting account):

    • Create an IAM Role.
    • In the trust policy, specify the AWS account number of the Development account as the trusted principal. You can even specify a particular user or role within that account.
    {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, // 1111... is the Dev account ID
        "Action": "sts:AssumeRole"
    }
}
    • Attach a permissions policy to this role that grants access to the desired resources in the Production account (e.g., s3:GetObject).

  2. In the Development Account (the trusted account):

    • Create a policy that allows a user or role to call sts:AssumeRole on the ARN of the role you just created in the Production account.
    • Attach this policy to the user or role that needs access.

Now, the user in the Development account can programmatically assume the role in the Production account to get temporary credentials that are valid for accessing the production resources.

Use Case 3: Lambda Execution Role

Every AWS Lambda function has an execution role. This is an IAM role that the function assumes when it runs. The permissions attached to this role determine what other AWS services the function can interact with.

How it Works:

  1. Create an IAM Role: The trusted entity is the Lambda service (lambda.amazonaws.com).
  2. Attach Policies:
    • Basic Execution Policy: At a minimum, the role needs permissions to write logs to CloudWatch (AWSLambdaBasicExecutionRole managed policy).
    • Service-Specific Policies: If your function needs to read from DynamoDB, you must attach a policy that grants dynamodb:GetItem permissions. If it needs to write to an SQS queue, it needs sqs:SendMessage permissions.

By following the principle of least privilege, you should always scope the execution role's permissions to only what the function absolutely needs to do its job.

Why Roles are Better Than IAM Users

  • No Long-Lived Credentials: Roles use temporary credentials that are automatically rotated, which is a huge security win. You never have to worry about leaked access keys.
  • Centralized Auditing: All actions performed by assuming a role are logged in CloudTrail under that role's context, making it easier to audit who did what.
  • Flexibility: They provide a clean mechanism for delegation that is fundamental to building secure and scalable applications on AWS.

Conclusion

IAM Roles are a fundamental building block of AWS security. While IAM users are for establishing identity, IAM Roles are for delegating permissions. Mastering their use—for service access, cross-account delegation, and Lambda execution—is a critical step in becoming a proficient AWS practitioner.

Back to All Blogs