Introduction to IAM Roles in AWS
This lesson provides an overview of IAM Roles, the final major component of AWS Identity and Access Management (IAM). Below, we’ll summarize the concept of IAM Roles, their purpose, and examples of how they are used.
What Are IAM Roles?
- An IAM Role is a method to grant permissions to AWS services or applications to perform actions on your behalf.
- Similar to users, IAM Roles have permissions attached to them. However, roles are not intended for human users; they are meant for AWS services like EC2, Lambda, or CloudFormation.
Why Use IAM Roles?
- Certain AWS services need permissions to perform tasks.
- For example, an EC2 instance might need to retrieve data from S3 or perform operations in your AWS account.
- IAM Roles allow AWS services to act as entities with permissions to perform actions without needing credentials like usernames or passwords.
How IAM Roles Work
- Role Assignment: The IAM Role is created with specific permissions (via policies).
- Service Assumption: An AWS service (e.g., EC2) is assigned the role.
  - Together, the service and the role form a single entity.
- Permission Checks: When the service performs an action, AWS checks the role’s attached permissions.
  - If the permissions allow the action, it succeeds; otherwise, it is denied.
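As an added example (not part of the lesson), here are the two policy documents that make up a role for the EC2-reads-S3 case above, together with a small evaluator that mirrors the permission check: an explicit Deny wins, then any matching Allow permits, otherwise the action is implicitly denied. The bucket name app-data-example is a constructed placeholder, and the evaluator ignores IAM conditions and other policy types.

```python
import fnmatch

# Constructed example: an IAM role that lets an EC2 instance read one S3 bucket (placeholder name).
BUCKET_ARN = "arn:aws:s3:::app-data-example"

# Trust policy: who may assume the role. Only the EC2 service principal here.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy: what the role may do. Read-only access, plus an explicit
# Deny on deletes that wins even if a broader Allow is added later.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"]},
        {"Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": BUCKET_ARN + "/*"},
    ],
}

def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Principal."""
    return [value] if isinstance(value, str) else list(value)

def can_assume(trust_policy, service):
    """True if the given service principal may call sts:AssumeRole on the role."""
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if (stmt["Effect"] == "Allow" and service in services
                and "sts:AssumeRole" in _as_list(stmt["Action"])):
            return True
    return False

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation (one policy, no conditions): a matching explicit Deny
    wins; otherwise any matching Allow permits; otherwise implicit deny. * and ? use fnmatch."""
    allowed = False
    for stmt in policy["Statement"]:
        hit_action = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        hit_resource = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if hit_action and hit_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```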
Common Use Cases for IAM Roles
- EC2 Instance Roles:
  - Used when an EC2 instance needs to access other AWS resources (e.g., reading an S3 bucket or interacting with DynamoDB).
- Lambda Function Roles:
  - Lambda functions often need permissions to interact with other AWS services like S3, SNS, or DynamoDB.
- CloudFormation Roles:
  - Used to grant permissions for CloudFormation stacks to create, modify, or delete resources on your behalf.