IAM Roles for Services

Jay Tillu

🔐 What is IAM?

IAM (Identity and Access Management) is AWS’s way of controlling who can do what in your AWS environment. IAM helps you manage access to AWS services and resources securely.

🤖 What is an IAM Role?

An IAM Role is an AWS identity with a set of permissions (a permissions policy) but no long-term credentials: no password and no access keys. It defines which actions are allowed or denied on which resources.

Unlike an IAM user, a role is not tied to one person. It is assumed temporarily by a trusted principal, which receives short-lived credentials from AWS STS for as long as it holds the role. Trusted principals can be:

  • AWS services (e.g., EC2, Lambda, ECS)

  • Other AWS accounts

  • Users/federated identities (SSO, Active Directory, etc.)

Two policy types

  • Trust Policy (“Who can wear the badge?”) - This is the list of approved wearers. It says exactly which AWS service, user, or account is allowed to pick up and use the badge. For example: “Only the EC2 service (ec2.amazonaws.com) can assume this role.”

  • Permissions Policy (“What can they do with it?”) - This is the set of rules printed on the badge itself. It spells out what actions the badge-holder is allowed to perform, like “read objects from bucket X” or “write logs to CloudWatch.”

So:

  1. Trust policy = who’s allowed to grab the role.

  2. Permissions policy = what they’re allowed to do once they have it.


🛠️ Example: EC2 Instance Accessing S3

Problem:

You want an EC2 instance to read files from an S3 bucket, but you don't want to store or hardcode AWS access keys on the instance. Because:

  • Hardcoding AWS credentials is insecure: they end up in AMIs, user data, config files and backups.

  • If your EC2 instance gets compromised, your AWS Access Key and Secret Key can be stolen, and they keep working until someone notices and rotates them.

  • Hardcoded credentials are hard to rotate or expire.

Solution

  1. Create an IAM Role whose trust policy allows ec2.amazonaws.com to assume it and whose permissions policy grants only what is needed (e.g., s3:GetObject on the one bucket).

  2. Put the role in an instance profile and attach it to your EC2 instance at launch (or later).

  3. EC2 assumes the role on the instance's behalf and exposes the resulting temporary credentials to the instance through the instance metadata service (IMDS).

  4. The AWS SDK or CLI on the instance picks those credentials up automatically and can now call S3 with them.

✅ No need to store long-term credentials. AWS issues and rotates the temporary ones behind the scenes. Caveat: those temporary credentials are readable by any process on the instance that can reach IMDS, so require IMDSv2 (token-based access) on the instance and keep the role's permissions to the minimum the workload needs.
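The two policy documents from the “Two policy types” section, written out for the EC2-to-S3 case above, together with a small check a reviewer would run over them before attaching the role. This is an added example, not code from the original article or from AWS; the role name, the bucket name example-app-config, the config/ prefix and the lint_role function are assumptions for illustration.

```python
import json
from typing import Any, Dict, List

# Assumed names for this example (not from the original article).
ROLE_NAME = "ec2-read-config-role"
BUCKET = "example-app-config"
PREFIX = "config/"


def trust_policy(service_principal: str) -> Dict[str, Any]:
    """Trust policy: WHO may assume the role. Here only the EC2 service
    principal, so no user or other account can pick up this badge."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": service_principal},
            "Action": "sts:AssumeRole",
        }],
    }


def permissions_policy(bucket: str, prefix: str) -> Dict[str, Any]:
    """Permissions policy: WHAT the role holder may do. Read objects under
    one prefix, and list only that prefix rather than the whole bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadConfigObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": [f"arn:aws:s3:::{bucket}/{prefix}*"],
            },
            {
                "Sid": "ListConfigPrefixOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": [f"arn:aws:s3:::{bucket}"],
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in Action/Resource/Service; normalise."""
    return value if isinstance(value, list) else [value]


def lint_role(trust: Dict[str, Any], perms: Dict[str, Any],
              expected_service: str) -> List[str]:
    """Pre-attach checks (assumed helper, not an AWS tool): the trust policy must
    name only the expected service principal, and no Allow statement may grant
    a wildcard action or apply to every resource."""
    findings: List[str] = []
    for stmt in trust["Statement"]:
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append("trust policy lets any AWS principal assume the role")
            continue
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        findings += [f"trust policy allows unexpected service {svc}"
                     for svc in services if svc != expected_service]
    for stmt in perms["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt["Action"]):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in _as_list(stmt["Resource"]):
            findings.append(f"{sid}: applies to all resources")
    return findings


if __name__ == "__main__":
    trust = trust_policy("ec2.amazonaws.com")
    perms = permissions_policy(BUCKET, PREFIX)
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    print("findings:", lint_role(trust, perms, "ec2.amazonaws.com"))
```

To deploy the pair, pass json.dumps(trust_policy("ec2.amazonaws.com")) as the AssumeRolePolicyDocument of `aws iam create-role`, json.dumps(permissions_policy(...)) to `aws iam put-role-policy`, then wrap the role with `aws iam create-instance-profile` and `aws iam add-role-to-instance-profile` before attaching the profile to the instance. Note that the trust policy alone never grants S3 access and the permissions policy alone never lets anyone assume the role; both must be right.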


🔁 How IAM Roles for Services Work

  1. You define a trust policy — who can assume the role (e.g., ec2.amazonaws.com, lambda.amazonaws.com, ecs-tasks.amazonaws.com).

  2. You define a permissions policy — what actions are allowed (e.g., access to S3, DynamoDB, etc.).

  3. AWS issues short-lived credentials to the service on your behalf and replaces them before they expire; the SDKs and CLI pick the fresh credentials up automatically, so no long-term key is ever stored.
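What step 3 looks like from inside an EC2 instance: the SDK fetches the role's temporary credentials from the instance metadata service (IMDS) and refreshes them shortly before the Expiration it was given. This is an added example, not code from the original article or from the AWS SDKs; it reproduces the IMDSv2 request sequence with an injectable transport so it runs off-instance. The role name, fake_imds and the credential values in SAMPLE_CREDS are constructed for illustration, not real credentials.

```python
import json
from datetime import datetime, timezone
from typing import Callable, Dict

# Link-local Instance Metadata Service; only reachable from inside the instance.
IMDS = "http://169.254.169.254"
ROLE_NAME = "ec2-read-config-role"  # assumed name of the role in the instance profile

# Constructed sample of an IMDS credential document. The values are made up;
# real ones are issued by STS for a few hours and replaced before they expire.
SAMPLE_CREDS = json.dumps({
    "Code": "Success",
    "LastUpdated": "2024-05-01T10:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "example-secret-not-a-real-key",
    "Token": "example-session-token",
    "Expiration": "2024-05-01T16:00:00Z",
})

# (method, url, headers) -> response body. Injected so the flow runs off-instance.
Transport = Callable[[str, str, Dict[str, str]], str]


def fetch_role_credentials(role_name: str, transport: Transport,
                           token_ttl: int = 21600) -> Dict[str, str]:
    """IMDSv2 flow: PUT for a short-lived session token, then GET the role's
    credentials while presenting that token. A plain GET with no token (the
    shape an SSRF or a leaky proxy can usually produce) is rejected by IMDSv2."""
    token = transport("PUT", f"{IMDS}/latest/api/token",
                      {"X-aws-ec2-metadata-token-ttl-seconds": str(token_ttl)})
    body = transport("GET", f"{IMDS}/latest/meta-data/iam/security-credentials/{role_name}",
                     {"X-aws-ec2-metadata-token": token})
    creds = json.loads(body)
    if creds.get("Code") != "Success":
        raise RuntimeError(f"IMDS returned {creds.get('Code')!r} for role {role_name}")
    return creds


def parse_utc(stamp: str) -> datetime:
    """IMDS timestamps look like 2024-05-01T16:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def needs_refresh(creds: Dict[str, str], now: datetime, margin_seconds: int = 300) -> bool:
    """Mirror what the SDKs do: refresh shortly before Expiration, never after."""
    return (parse_utc(creds["Expiration"]) - now).total_seconds() <= margin_seconds


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport for use on an instance. Short timeout: IMDS is link-local,
    so a slow answer means you are not on EC2 (or the hop limit blocked you)."""
    import urllib.request
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def fake_imds(method: str, url: str, headers: Dict[str, str]) -> str:
    """Constructed stand-in for an IMDSv2-only instance, used so the example
    runs anywhere. It enforces the token the way the real service does."""
    if method == "PUT" and url == f"{IMDS}/latest/api/token":
        if "X-aws-ec2-metadata-token-ttl-seconds" not in headers:
            raise PermissionError("400: token TTL header required")
        return "fake-imds-token"
    if headers.get("X-aws-ec2-metadata-token") != "fake-imds-token":
        raise PermissionError("401 Unauthorized: IMDSv2 token required")
    if url == f"{IMDS}/latest/meta-data/iam/security-credentials/{ROLE_NAME}":
        return SAMPLE_CREDS
    raise FileNotFoundError(f"404 {url}")


if __name__ == "__main__":
    creds = fetch_role_credentials(ROLE_NAME, fake_imds)
    print("key id:", creds["AccessKeyId"], "expires:", creds["Expiration"])
    print("refresh now?", needs_refresh(creds, parse_utc("2024-05-01T15:00:00Z")))
```

On a real instance, swap fake_imds for urllib_transport. The security point is the token step: with IMDSv1 the same GET succeeds with no headers at all, which is why an SSRF in an application on the instance has historically been enough to steal the role's credentials. Enforcing IMDSv2 (HttpTokens=required on the instance) and keeping the role's permissions small limits what a thief can do with what they get.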


Common Service-Role Types

  • Instance Profile - Attached to: EC2 instance. The profile is the container that carries an EC2 service role to the instance. Typical use-case: grant EC2 access to S3, SSM, CloudWatch, etc.

  • Lambda Execution Role - Attached to: Lambda function. Typical use-case: allow Lambda to call other AWS services (DynamoDB, SQS, …).

  • Task Role - Attached to: ECS task. Typical use-case: ECS containers call AWS APIs without baking keys into the image.

  • Service-Linked Role - Managed by an AWS service. An AWS-created role with a predefined trust policy and permissions (e.g., AWS Auto Scaling). It can only be deleted after the resources that depend on it have been cleaned up.
