Ntseze-Nelvis

PART 3: IAM ROLES

AWS IAM Roles Complete Guide

1. What is an IAM Role?

An IAM Role is an AWS identity with specific permissions, but unlike IAM Users, it does not have long-term credentials. Instead, it issues temporary security credentials that trusted entities (users, services, or applications) can assume.

Roles are crucial for granting cross-account access, enabling AWS services to interact securely, and reducing the need for static access keys.

2. Core Characteristics of IAM Roles

  • Temporary credentials: Short-lived session tokens via STS
  • Trust relationships: Defined in the trust policy (who/what can assume the role)
  • Permissions: Attached through IAM policies
  • Cross-account support: Share access between AWS accounts
  • Service roles: Allow AWS services (e.g., EC2, Lambda) to access resources
  • Federation: Integrates with external identity providers (AD, SAML, OIDC)
  • No permanent password or access key

3. Common Problems With IAM Roles

  • 🔴 Overly broad trust policies: Allowing * in trusted entities
  • 🔴 Excessive privileges: Granting AdministratorAccess instead of least privilege
  • 🔴 Credential sprawl workaround: Developers still using IAM User keys instead of roles
  • 🔴 Misconfigured service roles: EC2/Lambda roles missing permissions, which causes workloads to fail
  • 🔴 Session mismanagement: Session duration too short/too long

4. Solutions and Best Practices

Policy Management

  • Define least privilege policies
  • Use IAM Access Analyzer to detect overly permissive roles
  • Scope trust policies to specific principals (accounts, services, ARNs)

Security Hardening

  • Enforce role assumption via MFA where applicable
  • Monitor sts:AssumeRole activity with CloudTrail
  • Rotate role sessions frequently
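The "monitor sts:AssumeRole activity with CloudTrail" item above is where most of the problems in section 3 become visible. The following script is an added example for this post, not AWS tooling: it runs three detection rules over constructed CloudTrail-shaped AssumeRole records (a privileged role assumed by an IAM user without MFA, an assumption from an account outside a trusted set, and repeated AccessDenied failures by one caller). The account ids, role names and the trusted-account list are placeholders; the `mfaAuthenticated` attribute under `userIdentity.sessionContext.attributes` is the field CloudTrail itself uses.

```python
"""Flag risky sts:AssumeRole activity in CloudTrail records.

Added example for this post, not AWS tooling. The events below are constructed
samples shaped like CloudTrail records (only the fields the rules read); the
account ids, role names and the trusted-account list are placeholders.
"""
from collections import Counter

HOME_ACCOUNT = "111111111111"                          # placeholder: account owning the roles
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}    # placeholder: accounts allowed to assume them
PRIVILEGED_ROLES = {"AdminBreakGlass"}                 # placeholder: roles that require MFA
FAILURE_THRESHOLD = 3                                  # AccessDenied count that triggers a finding


def _event(account, caller_type, role_name, mfa=None, error=None, ip="203.0.113.10"):
    """Constructed CloudTrail-shaped AssumeRole record."""
    identity = {"type": caller_type, "accountId": account}
    if caller_type == "IAMUser":
        identity["arn"] = f"arn:aws:iam::{account}:user/dev"       # placeholder user
    if mfa is not None:
        identity["sessionContext"] = {"attributes": {"mfaAuthenticated": "true" if mfa else "false"}}
    record = {
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": identity,
        "requestParameters": {"roleArn": f"arn:aws:iam::{HOME_ACCOUNT}:role/{role_name}"},
        "sourceIPAddress": ip,
    }
    if error:
        record["errorCode"] = error
    return record


SAMPLE_EVENTS = [
    _event(HOME_ACCOUNT, "AWSService", "EC2S3AccessRole", ip="ec2.amazonaws.com"),  # expected service use
    _event(HOME_ACCOUNT, "IAMUser", "AdminBreakGlass", mfa=True),    # privileged role, MFA present
    _event(HOME_ACCOUNT, "IAMUser", "AdminBreakGlass", mfa=False),   # privileged role, no MFA
    _event("333333333333", "IAMUser", "EC2S3AccessRole"),            # account outside the trusted set
    *[_event(HOME_ACCOUNT, "IAMUser", "AdminBreakGlass", mfa=False, error="AccessDenied")
      for _ in range(3)],                                            # three failed attempts by one caller
]


def mfa_used(identity):
    """CloudTrail records MFA state under sessionContext.attributes.mfaAuthenticated."""
    return identity.get("sessionContext", {}).get("attributes", {}).get("mfaAuthenticated") == "true"


def assess_assume_role(events):
    """Return a list of findings; each finding names the rule, the caller and the role."""
    findings = []
    failures = Counter()
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        identity = ev["userIdentity"]
        caller = identity.get("arn") or identity.get("accountId")
        role_name = ev["requestParameters"]["roleArn"].rsplit("/", 1)[-1]
        if ev.get("errorCode"):
            # Failed assumptions are counted per caller, not judged by the other rules.
            failures[caller] += 1
            continue
        if identity.get("accountId") not in TRUSTED_ACCOUNTS:
            findings.append({"rule": "untrusted-account", "role": role_name, "caller": caller})
        if role_name in PRIVILEGED_ROLES and identity.get("type") == "IAMUser" and not mfa_used(identity):
            findings.append({"rule": "privileged-without-mfa", "role": role_name, "caller": caller})
    for caller, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            findings.append({"rule": "repeated-assume-failures", "caller": caller, "count": count})
    return findings


if __name__ == "__main__":
    for finding in assess_assume_role(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample the script reports exactly three findings: the MFA-less assumption of the privileged role, the assumption from the untrusted account, and the caller with three AccessDenied results. Feed it the `Records` array of real CloudTrail log files and tune the trusted-account set and the privileged-role list to the environment.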

Lifecycle Management

  • Audit unused roles
  • Tag roles for accountability (Team=Security)
  • Use AWS Organizations SCPs for guardrails

5. Industry Examples

  • Startup: EC2 assumes roles for S3/CloudWatch (no hard-coded keys)
  • Enterprise: SAML/AD federation; employees assume roles (no IAM Users)
  • Finance: MFA-protected roles for privileged access; quarterly audits
  • DevOps: CodePipeline assumes roles into target accounts for deployments

6. Interview Questions on IAM Roles

Basic Level

  • What is an IAM Role?
  • How does it differ from an IAM User?
  • What service generates temporary credentials for IAM Roles?

Intermediate Level

  • How do you configure cross-account access using IAM Roles?
  • What’s the difference between a service role and a service-linked role?
  • How do you enforce least privilege with roles?

Advanced Level

  • What are the security risks of an overly broad trust policy?
  • How do IAM Roles integrate with AWS Organizations?
  • How do you secure workloads using IAM Roles + external identity providers?

7. Hands-On Guide

Pre-checks

  • You must have iam:CreateRole permission
  • Decide: which service/user/account will assume the role?
  • Define trust policy + permission policy

Console Steps

  1. IAM Console → Roles → Create Role
  2. Select trusted entity (AWS service, another account, or IdP)
  3. Attach permission policies (e.g., AmazonS3FullAccess)
  4. Add tags for management
  5. Review & create → Assign to EC2 or service

CLI Examples

Create a role with trust policy

aws iam create-role \
  --role-name EC2S3AccessRole \
  --assume-role-policy-document file://trust-policy.json
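The create-role command above reads a trust-policy.json that the post does not show. The script below is an added example for this post, not AWS code: it builds the EC2 trust policy that command expects, a cross-account variant that requires an sts:ExternalId, and a least-privilege permission policy for one bucket as the alternative to AmazonS3FullAccess, and it lints documents for the "overly broad trust policy" and "excessive privileges" problems from section 3 before anything is sent to IAM. The role name is the one from the CLI step; the bucket name, partner account id and external id are placeholders.

```python
"""Build and lint IAM role policy documents.

Added example for this post, not AWS code or tooling. The role name comes from
the CLI step; the bucket name, account ids and external id are placeholders.
"""
import json
import sys

ROLE_NAME = "EC2S3AccessRole"
BUCKET = "example-app-data"            # placeholder bucket name
PARTNER_ACCOUNT = "222222222222"       # placeholder account allowed to assume the role
EXTERNAL_ID = "replace-with-a-random-secret"


def ec2_trust_policy():
    """Trust policy letting only the EC2 service assume the role (trust-policy.json)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def cross_account_trust_policy(account, external_id):
    """Trust a single foreign account and require an ExternalId (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def s3_read_policy(bucket):
    """Least-privilege permission policy: list and read one bucket instead of AmazonS3FullAccess."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{bucket}/*"}]}


def _as_list(value):
    """IAM allows a string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc):
    """Issues matching the 'overly broad trust policy' problem: wildcard or unconditioned principals."""
    issues = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            issues.append("wildcard principal: any AWS principal may attempt to assume the role")
        if any(p.endswith(":root") for p in aws_principals) and "Condition" not in st:
            issues.append("account-wide principal without a Condition (e.g. sts:ExternalId)")
    return issues


def lint_permission_policy(doc):
    """Issues matching the 'excessive privileges' problem: wildcard actions on every resource."""
    issues = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions and "*" in resources:
            issues.append("statement grants every action on every resource")
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            issues.append("statement grants a whole service on every resource")
    return issues


def lint_managed_policies(names):
    """Managed policies that usually exceed what a workload needs."""
    issues = []
    for name in names:
        if name == "AdministratorAccess":
            issues.append("AdministratorAccess attached: replace with a scoped policy")
        elif name.endswith("FullAccess"):
            issues.append(f"{name} attached: consider scoping to specific resources")
    return issues


def write_policy_files(directory="."):
    """Write trust-policy.json and permission-policy.json for the aws CLI commands."""
    paths = {}
    for name, doc in (("trust-policy.json", ec2_trust_policy()),
                      ("permission-policy.json", s3_read_policy(BUCKET))):
        path = f"{directory}/{name}"
        with open(path, "w") as fh:
            json.dump(doc, fh, indent=2)
        paths[name] = path
    return paths


if __name__ == "__main__":
    # Lint before writing, so a bad document never reaches create-role.
    problems = lint_trust_policy(ec2_trust_policy()) + lint_permission_policy(s3_read_policy(BUCKET))
    if problems:
        sys.exit("\n".join(problems))
    print(write_policy_files())
```

Run it in the directory where you issue the CLI commands; it writes trust-policy.json for the create-role call above, and permission-policy.json can then be attached inline with aws iam put-role-policy --role-name EC2S3AccessRole --policy-name S3Read --policy-document file://permission-policy.json. The linter is deliberately narrow (it covers only the two problem classes the post names); IAM Access Analyzer remains the authoritative check for reachability from outside the account.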

Difference between IAM Users and IAM Roles

🙏 Thanks for reading! If this guide helped you:

React & follow for more AWS/DevOps deep dives

Share your experiences or questions in the comments

Spread this with your team/community

Stay tuned for the next post in the AWS IAM Deep Dive series!
