IAM roles allow you to delegate access to users or services that normally don't have access to your organization's AWS resources. IAM users or AWS services can assume a role to obtain temporary security credentials that can be used to make AWS API calls. Consequently, you don't have to share long-term credentials or define permissions for each entity that requires access to a resource.

Video: Secure access to AWS services by using IAM roles (6:04)

The following scenarios highlight some of the challenges that you can address by delegating access:

  • Granting applications that run on Amazon EC2 instances access to AWS resources

To grant applications on an Amazon EC2 instance access to AWS resources, developers might distribute their credentials to each instance. Applications can then use those credentials to access resources such as Amazon S3 buckets or Amazon DynamoDB data. However, distributing long-term credentials to each instance is challenging to manage and a potential security risk. The video above describes how to use roles to address this security concern in more detail.

  • Cross-account access

To control or manage access to resources, such as isolating a development environment from a production environment, you might have multiple AWS accounts. However, in some cases, users from one account might need to access resources in the other account. For example, a user from the development environment might require access to the production environment to promote an update. Therefore, users must have credentials for each account, but managing multiple credentials for multiple accounts makes identity management difficult. Using an IAM role can simplify this. See the Trend Micro case study to see cross-account access in action.

  • Granting permissions to AWS services

Before AWS services can perform actions for you, you must grant them permissions to do so. You can use IAM roles to grant permissions for AWS services to call other AWS services on your behalf, or create and manage AWS resources for you in your account. AWS services such as Amazon Lex also offer service-linked roles that are predefined and can be assumed only by that specific service.
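Each scenario above comes down to who is named as the principal in a role's trust policy, the document that states who may assume the role. The following added example (not AWS code) classifies trust policies into those three scenarios and flags a wildcard principal; the account IDs, role names and helper names are constructed for illustration.

```python
OWN_ACCOUNT = "111111111111"  # placeholder: the account that owns the roles


def trust_policy(principal, effect="Allow"):
    """Build a constructed single-statement role trust policy."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": effect, "Action": "sts:AssumeRole",
                           "Principal": principal}]}


# Constructed samples: one per scenario above, plus an over-broad policy.
SAMPLES = {
    "app-on-ec2": trust_policy({"Service": "ec2.amazonaws.com"}),
    "dev-to-prod": trust_policy({"AWS": "arn:aws:iam::222222222222:root"}),
    "lex-bot": trust_policy({"Service": "lex.amazonaws.com"}),
    "too-open": trust_policy({"AWS": "*"}),
}


def as_list(value):
    """IAM allows a single value or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def account_of(principal):
    """Account ID from an IAM ARN, or the bare 12-digit account ID itself."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else principal


def classify_trust(policy, own_account=OWN_ACCOUNT):
    """Return the kinds of principal allowed to assume the role."""
    kinds = set()
    for stmt in as_list(policy["Statement"]):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        allows = any(a in ("sts:assumerole", "sts:*", "*") for a in actions)
        if stmt.get("Effect") != "Allow" or not allows:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # a wildcard is flagged even if a Condition narrows it
            kinds.add("anyone")
            continue
        for svc in as_list(principal.get("Service", [])):
            kinds.add("ec2-instance" if svc == "ec2.amazonaws.com" else "aws-service")
        for who in as_list(principal.get("AWS", [])):
            same = account_of(who) == own_account
            kinds.add("anyone" if who == "*" else "same-account" if same else "cross-account")
    return kinds


def audit(samples=SAMPLES):
    """Map each role name to its sorted list of allowed principal kinds."""
    return {name: sorted(classify_trust(doc)) for name, doc in samples.items()}
```

A role whose result includes `anyone` is worth reviewing first; a `cross-account` result should match an account you expect to delegate to.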

For more about how to manage roles in IAM, see the Roles section of the Using IAM guide.
