Amazon Web Services relies on the AWS IAM service to manage who is authenticated and authorized to use AWS resources. It plays a central role in AWS security, as do the identities it manages. Let's take a closer look at IAM roles and how they work.
What is the purpose of IAM?
When you create an AWS account, it has a single sign-in identity called the AWS account root user, which has full access to every AWS service and resource in the account. To avoid the potentially catastrophic consequences of that unrestricted access, IAM lets you grant access to the account through additional identities instead of sharing the root user.
AWS follows a security-first model: by default, all operations are denied for every identity except the root user. This default lets you grant granular access to identities following the principle of least privilege, so permissions are only granted when required for day-to-day tasks.
What are IAM roles?
IAM users, federated identities, and IAM roles are three categories of AWS identities. An IAM role is conceptually similar to an IAM user, but a user is uniquely associated with one principal (a person, an application, etc.), whereas a role can be assumed by anyone who needs it.
Whoever assumes the role receives temporary security credentials rather than a password or long-term access keys. This removes the overhead of managing users and their long-term credentials.
Any of the following entities can assume a role to use its permissions:
● IAM users from the same account
● IAM users from a different account
● AWS services
● Federated identities
Structure of IAM roles
The two fundamental parts of an IAM role are its trust policy (who can assume the role) and its permissions policy (what the role allows whoever assumes it to do).
A trust policy defines which principals can assume the role and can use conditions to restrict them further. It prevents the role from being assumed by unauthorized or unintended entities.
A permissions policy defines what a principal that has assumed the role can do.
Types of IAM roles
An AWS IAM role falls into one of the following main categories based on its trust policy:
● Service roles
● Service-linked roles
● Web identity roles
● SAML 2.0 federated roles
● Custom IAM roles
Service roles
For these roles, the trusted entity is an AWS service. They are created so that a service can perform actions on the user's behalf, which it does by inheriting the permissions assigned to the service role.
You might wonder why AWS services need permissions to access each other. By default, even AWS services cannot access the resources in an AWS account; service roles grant them exactly the access their work requires.
Most AWS services rely on service roles to function. For example, a service role lets CloudFormation create and delete resources on a user's behalf based on a YAML or JSON template. An Amazon EC2 IAM role is a special type of service role: EC2 uses an instance profile as a container for the IAM role, and applications running on the instance assume that role to perform the actions it allows.
Service-linked roles
A service-linked role is a unique IAM role linked directly to one AWS service. It is predefined by that service and simplifies setup by automatically including all the permissions the service needs to act on the user's behalf. Most service-linked roles do not allow their trust or permissions policies to be modified.
Web identity roles
When users sign in to AWS through a web identity provider (IdP) such as Amazon or Facebook, they assume a web identity role. Such users have no identity within AWS; in exchange for the IdP's authentication token, they receive temporary AWS security credentials mapped to an IAM role that is authorized to use resources in the account.
SAML 2.0 federated roles
These roles are assumed by users held in an external user directory, usually the organization's own. This enables federated single sign-on (SSO), so an organization can give users access to the AWS console and CLI without creating a separate IAM user for each of them. An organization that manages its employees in Microsoft Azure Active Directory, for example, can connect it directly to AWS and grant those users console and CLI access based on the permissions attached to its SAML 2.0 federated roles.
Custom IAM roles
Custom IAM roles cover any scenario that does not fit one of the categories listed above.
How long can a role be assumed?
An entity can assume a role for as long as the role's session duration attribute dictates. For example, if a role's maximum session duration is set to 12 hours, the temporary credentials expire 12 hours after they are issued.
When you assume a role with one of the assume-role* commands, you can use the duration-seconds flag to request a session duration anywhere from 15 minutes up to the maximum session duration configured for that role. The default is one hour, but the role's maximum can be raised to as much as 12 hours by editing the role.
What about role chaining?
A role can assume another role in a process called role chaining. A role-chaining session cannot exceed one hour, regardless of the role's maximum session duration setting.
What about cross-account access?
IAM roles are often used to enable cross-account access, that is, using a principal in one account to access resources in a different account. Organizations typically maintain multiple AWS accounts to segregate environments such as development, staging, test, UAT and production, and they grant identities in one account access to resources in another.
One example is taking data from the production account, anonymizing it and copying it into the UAT account so that the frequency and attributes of the data are the same. This keeps the UAT environment as close to production as possible.
How are IAM roles different from resource-based policies?
Both identity-based policies and resource-based policies are permissions policies. Identity-based policies are attached to identities such as users, groups or roles, while resource-based policies are attached to resources such as S3 buckets, Amazon SQS queues or VPC endpoints.
Identity-based policies specify which actions an identity can take and on which resources, while resource-based policies specify which principals may access the resource they are attached to and which actions they can perform. Resource-based policies must be inline rather than managed. AWS maintains a list of which services' resources support resource-based policies.
Where both an identity-based and a resource-based policy apply, AWS evaluates them together: the action is allowed if either policy (or both) allows it, but an explicit Deny in either policy overrides any Allow.
Instead of using a role as a proxy, you can grant cross-account access using resource-based policies alone, by attaching a resource-based policy to each resource you want to share. The resource policy lists every principal allowed to access that resource, in contrast to an identity-based policy, which lists the resources a principal may access.
Using resource-based policies for cross-account access rather than roles has an advantage.
When a user assumes a role, they give up the permissions they hold in their own (trusted) account for the duration of the session, so that the permissions in the trusting account (the one holding the shared resource) stay protected. With a resource-based policy, the user keeps their permissions in the trusted account and can still securely access the shared resource in the trusting account: the principal has access in both accounts at once.
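The policy structure described under "Structure of IAM roles" and the evaluation rules above, as an added, runnable example (not code from the article): a small evaluator over IAM-style policy documents that checks a trust policy for sts:AssumeRole, applies the same-account rule (either policy may allow, an explicit Deny always wins), and also covers the cross-account rule AWS applies when a resource policy is used instead of a role (both the caller's identity policy and the resource policy must allow), which goes beyond the article's text. The account IDs, user ARNs and bucket name are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed identifiers for this example (not from the article).
DEV_USER = "arn:aws:iam::222222222222:user/dev"       # principal in the trusted account
OTHER_USER = "arn:aws:iam::222222222222:user/intern"
BUCKET = "arn:aws:s3:::example-shared-bucket"         # resource in the trusting account

# Trust policy of a role in the trusting account: only the dev user may assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_USER}, "Action": "sts:AssumeRole"}]}

# Permissions policy of that role: read the shared bucket, never delete from it.
ROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": [BUCKET, BUCKET + "/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": BUCKET + "/*"}]}

# Resource-based (bucket) policy for the role-less, direct cross-account path.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": DEV_USER}, "Action": "s3:GetObject",
     "Resource": BUCKET + "/*"}]}

# Identity-based policy attached to the dev user in its own (trusted) account.
DEV_USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_matches(stmt, principal_arn):
    spec = stmt.get("Principal", "*")
    ids = ["*"] if spec == "*" else _as_list(spec.get("AWS", []))
    return any(p in ("*", principal_arn) for p in ids)

def effect_of(policy, action, resource, principal_arn=None):
    """Effect of one policy on a request: 'Deny' (explicit deny), 'Allow' or None."""
    result = None
    for stmt in _as_list(policy["Statement"]):
        if not any(fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if "Resource" in stmt and not any(
                fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if principal_arn and not _principal_matches(stmt, principal_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        result = "Allow"
    return result

def can_assume(trust_policy, principal_arn):
    """Trust-policy check: may this principal call sts:AssumeRole on the role?"""
    return effect_of(trust_policy, "sts:AssumeRole", "*", principal_arn) == "Allow"

def is_allowed(action, resource, principal_arn, identity_policies,
               resource_policy=None, same_account=True):
    """Evaluate identity-based and resource-based policies together.
    Same account: any explicit Deny wins; otherwise an Allow in either kind suffices.
    Cross account (AWS's rule, beyond the article): both sides must Allow."""
    effects = {effect_of(p, action, resource) for p in identity_policies}
    res = effect_of(resource_policy, action, resource, principal_arn) if resource_policy else None
    if "Deny" in effects or res == "Deny":
        return False
    if same_account:
        return "Allow" in effects or res == "Allow"
    return "Allow" in effects and res == "Allow"
```

Real IAM evaluation also handles Condition blocks, NotAction/NotResource, permissions boundaries and SCPs, none of which this evaluator models.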
AWS IAM Roles Anywhere
AWS IAM Roles Anywhere is a type of service role that allows machines and workloads outside AWS (such as on-premises servers, containers and applications) to access AWS resources by obtaining temporary security credentials. This removes the hassle of managing long-term credentials for those workloads entirely.
The workload needs an X.509 certificate issued by a certificate authority that has been registered as a trust anchor in IAM Roles Anywhere. Although this is a relatively new use case, it marks a further step toward minimizing the use of long-lived credentials.
Benefits of using IAM roles
● No long-term security credentials to manage
● Supports single sign-on (SSO) using SAML 2.0
● Supports web identity federation, so users can sign in through popular external identity providers (IdPs) such as Amazon, Facebook and Google
● Improves security posture because short-lived credentials do not need to be rotated or replaced; their expiration is built in
● Supports use cases such as cross-account access, identity federation and AWS IAM Roles Anywhere
Key points
IAM roles are a key pillar, not only of the IAM service but of the entire authentication and authorization process. Beyond use cases such as cross-account access, AWS IAM Roles Anywhere and identity federation, they can significantly improve any organization's security posture when used to their full potential.
Recent articles by Mariusz Michalowski
- How DevOps Can Help Secure Deployments
- How IaC Helps Ease Development Pain Points