Overview

• The access control / permission management service for all AWS services

Concepts

• Root user
  • The account owner, a user with god-like (unlimited) access to all resources in this account
• IAM user
  • A user created by root user or other users with permissions, whose access can be limited
• Role
  • An IAM user without permanent credentials
  • To act as this user one must acquire a temporary token from IAM service, a process called “assuming a role”
  • Used mostly to grant permissions to AWS services so they can talk to each other
  • Can also be used to grant temporary access to third party entities (non-AWS users)
• Policy
  • A set of rules that allows / denies access to certain AWS services
  • Can be attached to multiple users / roles

Assuming a Role

• User creates a role (RoleA), select a service that can assume this role
• User creates a resource in the service, e.g. launching an EC2 instance, a RDS cluster, etc. with RoleA as the linked role
  • The service implicitly checks whether the user has correct iam::PassRole permission
  • If the user has access, then the resource is launched with RoleA information embedded
• When the service needs the accesses provided by RoleA, it calls sts::AssumeRole to get a temporary token and use that token to act on behalf of RoleA, thus get all accesses of RoleA

Important takeaways:

• There is no iam::PassRole API, it is a permission / contract that all AWS services will obey
• Any AWS resource requires a role to be attached during creation will check iam::PassRole permission of the user to see whether this user has the permission to attach a given role
• This prevents a user to attach a role with unlimited access thus bypass its own access limitations
• sts::AssumeRole permission is usually open so the service can assume any role it is attached