IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.
- Introducing an Easier Way to Delegate Permissions to AWS Services: Service-Linked Roles
- Adhere to IAM Best Practices in 2016
- How to Use a Single IAM User to Easily Access All Your Accounts by Using the AWS CLI
- Test Your Roles' Access Policies Using the AWS Identity and Access Management Policy Simulator
- Make a New Year’s Resolution: Adhere to IAM Best Practices
- Enable a New Feature in the AWS Management Console: Cross-Account Access
- Sharing AWS CloudTrail Log Files Between Accounts
The following scenarios highlight some of the challenges that you can address by delegating access:
- Granting applications that run on Amazon EC2 instances access to AWS resources
To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is challenging to manage and a potential security risk. The video above describes how to use roles to address this security concern in more detail.
- Cross-account access
To control or manage access to resources, such as isolating a development environment from a production environment, you might have multiple AWS accounts. However, in some cases, users from one account might need to access resources in the other account. For example, a user from the development environment might require access to the production environment to promote an update. Therefore, users must have credentials for each account, but managing multiple credentials for multiple accounts makes identity management difficult. Using an IAM role can simplify this. See the Trend Micro case study to see cross-account access in action.
- Granting permissions to AWS services
Before AWS services can perform actions for you, you must grant them permissions to do so. You can use AWS IAM roles to grant permissions for AWS services to call other AWS services on your behalf, or create and manage AWS resources for you in your account. AWS services such as Amazon Lex also offer service-linked roles that are predefined and can be assumed only by that specific service.
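As an added illustration of the cross-account scenario above (example code written for this page, not AWS's own), the following Python builds the trust policy that the production account attaches to a role the development account may assume, and then reviews a trust policy for a wildcard principal or a missing condition. The account IDs and external ID are constructed placeholders.

```python
"""Build and review a cross-account IAM role trust policy (constructed example)."""
from typing import Dict, List, Optional

# Constructed placeholder values; replace with real account IDs and a secret external ID.
DEV_ACCOUNT_ID = "111111111111"
PROD_ACCOUNT_ID = "222222222222"
EXTERNAL_ID = "example-external-id"


def build_trust_policy(trusted_account_id: str, external_id: Optional[str] = None) -> Dict:
    """Trust policy for a role in the production account that principals in the
    trusted (development) account may assume via sts:AssumeRole. When an
    external ID is given, the caller must present it, which prevents a third
    party from being tricked into assuming the role on someone else's behalf."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def trust_policy_findings(policy: Dict) -> List[str]:
    """Return the problems a reviewer would flag in an AssumeRole trust policy."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a.lower().startswith("sts:assumerole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            aws_principals = ["*"]
        else:
            aws_principals = principal.get("AWS", [])
            if isinstance(aws_principals, str):
                aws_principals = [aws_principals]
        if "*" in aws_principals:
            findings.append("wildcard principal: any AWS account could assume this role")
        if "Condition" not in stmt:
            findings.append("no Condition: nothing restricts which callers in the trusted account may assume the role")
    return findings


if __name__ == "__main__":
    import json
    print(json.dumps(build_trust_policy(DEV_ACCOUNT_ID, EXTERNAL_ID), indent=2))
```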