Understanding IAM Roles: The Dual Nature of AWS Identity and Access Management

Farooq ButtFarooq Butt
4 min read

When studying AWS Identity and Access Management (IAM), one concept that often trips up both beginners and experienced practitioners is the dual nature of IAM roles. A recent discussion I had with my mentor highlighted a common point of confusion: Are IAM roles really AWS resources, and can they have resource-based policies?

The answer might surprise you, so let's dive deep into this fascinating aspect of AWS security architecture.

The Question That Started It All

While reviewing AWS documentation, i came across this statement:

"Resource-based policies are permissions policies that are attached directly to an AWS resource, such as an S3 bucket or an IAM role."

This raised an important question: Is an IAM role actually an AWS resource? And if so, do resource-based policies really attach to IAM roles?

The Surprising Answer: Yes, But With a Twist

According to AWS documentation, IAM roles are indeed AWS resources – but they're special because they serve a dual purpose:

  1. As an Identity: IAM roles can be assumed by principals (users, services, applications)

  2. As a Resource: IAM roles can have policies attached to them

This makes IAM roles unique in the AWS ecosystem. They're the only IAM identity that also functions as a resource with its own resource-based policy.

Understanding Trust Policies: The Resource-Based Policy for IAM Roles

Here's where it gets interesting. The specific type of resource-based policy that attaches to IAM roles is called a Trust Policy.

According to AWS documentation:

"The IAM service supports only one type of resource-based policy called a role trust policy, which is attached to an IAM role."

How IAM Roles Work: Two Policies, Two Purposes

Every IAM role requires two types of policies to function:

1. Trust Policy (Resource-Based Policy)

  • Purpose: Defines WHO can assume the role

  • Type: Resource-based policy

  • Attached to: The IAM role itself

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

2. Permissions Policy (Identity-Based Policy)

  • Purpose: Defines WHAT the role can do when assumed

  • Type: Identity-based policy

  • Attached to: The IAM role as an identity

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*"
    }
  ]
}

A Practical Example

Let's say you want to create an IAM role for an EC2 instance to access S3:

Step 1: Create the Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Translation: "EC2 service is allowed to assume this role"

Step 2: Attach Permissions Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::my-app-bucket/*"
    }
  ]
}

Translation: "When this role is assumed, it can read and write objects in my-app-bucket"

Why This Matters for Cloud Architects

Understanding this dual nature is crucial for several reasons:

1. Security Design

When designing cross-account access or service-to-service communication, you need to think about both:

  • Who should be able to assume the role (trust policy)

  • What permissions the role should have (permissions policy)

2. Troubleshooting Access Issues

If a service can't assume a role, check the trust policy. If it can assume the role but can't perform actions, check the permissions policy.

3. Principle of Least Privilege

You can implement fine-grained access control by carefully crafting both policies:

  • Restrict who can assume the role

  • Limit what the role can do when assumed

Common Misconceptions

Misconception 1: "IAM roles are just identities"

Reality: IAM roles are both identities AND resources.

Misconception 2: "Resource-based policies don't apply to IAM"

Reality: Trust policies are resource-based policies specifically for IAM roles.

Misconception 3: "You only need permissions policies for roles"

Reality: You need both trust policies and permissions policies for roles to function.

Key Takeaways

  1. IAM roles are unique – they're the only AWS identity that also functions as a resource

  2. Trust policies are resource-based policies that define who can assume the role

  3. Two policies are always required for IAM roles to work properly

  4. Understanding this dual nature is essential for effective AWS security architecture

Conclusion

The dual nature of IAM roles – serving as both identities and resources – is one of those AWS concepts that seems simple on the surface but reveals layers of complexity as you dig deeper. This understanding is not just academic; it's practical knowledge that will help you design more secure and efficient cloud architectures.

Next time you're working with IAM roles, remember: you're not just dealing with an identity that can perform actions. You're working with a resource that has its own access controls, determining who gets to use that identity in the first place.

I regularly post about cloud, networks, AI & security. Follow Farooq Butt to stay updated on recent developments.

0
Subscribe to my newsletter

Read articles from Farooq Butt directly inside your inbox. Subscribe to the newsletter, and don't miss out.

AWScloud securityIAMiam role in awsIAM Identitiescompliance Securitycybersecurity

Written by

Farooq Butt
Farooq Butt

Cloud, networks, AI & security—applied. Short, practical posts for practioners who want real configs, examples, guardrails, and measurable savings.