Groups and Roles

IAM Groups

An IAM Group is a collection of IAM Users. This is used to prevent applying common policies (bunch of permissions) to users individually and instead apply them to the group, of which the users will be part of. This works, because the policies are flow down to individual users, as inheritance of the group membership. Hence, any policy changes done to an AWS Group will automatically be reflected to AWS IAM Users within the particular group.

Group Creation

Creating Group with Administrator privileges:

IAM Roles

IAM Roles are temporary permissions given to either people or apps to perform a certain task. Consider IAM Role as a hat, whoever assumes it, gets the permissions attached to the role.

An example of It being particularly useful is to consultants or contractors who join the company for a specific project and don't need permanent access to the client's company.

They are a also popular choice for Applications i.e., whatever application requires, give it via an IAM role.

IAM Role can be assigned to an AWS service or AWS IAM user account (same account or even different AWS account) or a federated identity (both Web based or SAML 2.0).

Benefits:

• No long term credential

• No requiring embedding of permanent credentials to applications

• No IAM user creation for consultants/contractors or other AWS account users

• Allows for federation

AWS AssumeRole enables entities like IAM users or AWS services to temporarily acquire the permissions and access rights of another AWS entity by assuming a specific role. This delegation is defined through a trust policy, which specifies the trusted entities that can assume the role.

Here’s how it works:

1. An entity requests to assume a role by calling the AssumeRole API operation or assumes the role via the AWS Management Console.

2. AWS validates the entity’s permissions against the trust policy attached to the role. The trust policy specifies who can assume the role, typically within the same or different AWS accounts.

3. Once authorized, AWS generates temporary security credentials for the entity, granting access based on the permissions defined in the role’s policies.

4. The entity can now perform actions and access resources using the temporary credentials, limited to the permissions of the assumed role.

To assume an IAM role, one needs a trust relationship that will be configured in trust policy. Just like MSFT Active Directory, there is a trusting account (whose resources are accessed) and there is trusted account (that contains the users accessing the resources of the trusting account).

So, to summarize, for IAM Roles to be effective, there are two types of Policy that are required:

• Permission Policy - Define what actions and resources for an IAM Role

• Trust Policy - Define who is allowed to assume an IAM Role. Note in trust policy, another role is also allowed, i.e. role within a role or role chaining.

A Trust policy looks as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/AnotherUser"
            },
            "Action": "sts:AssumeRole"
            "Resource": "arn:aws:iam::123456789012:role/Role-A"
        }
    ]
}

Service Role

AWS services assume the service role to perform action on user's behalf. Two types of service roles, with the difference between the two is that one is user defined (service role) and other can be AWS predefined (example EC2 Autoscaling, CloudFormation etc). Note it is usually not possible to delete AWS managed Service-linked policy even by the root account

Role Creation

Note, for role creation, first ensure that AWS Policy is created as shown on below link:

The sample role can then be attached to an IAM role in EC2 as shown below during EC2 instance launch configuration:

PassRole

There is something called IAM:PassRole, which allows users to delegate permissions in form of Roles to AWS Services so that they can access other resources or AWS Service. Note that usually the IAM Admin create these roles and allow users to delegate the role to AWS services. Visually, it can be demonstrated as follows:

// Generated by ChatGPT

[ User/Service ] --( PassRole )--> [ IAM Role (EC2ReadS3Role) ]
        |                                           |
        |                                           v
        |                                  [ EC2 Instance ]
        |                                           |
        |------------------------------------------> [ S3 Bucket ]

Delegation - For Cross Account Access

Just like in MSFT's Active Directory, there is concept of delegation in AWS, i.e., permissions can be given to resources a user controls. As said earlier, the resource holding account is trusting account and users of the account who will access are trusted accounts and therefore trust policy is gonna be required. So, in short, cross account Role is used for delegation

Effective Use case

IAM services can interact with each other using IAM Role example: AWS Serverless LAMP stack

Revoking a session

Sometimes due to unforseen circumstances, an IAM Role assumed session has to be revoked. AWS does that by attaching explicit deny to that session, so that when any action is evaluated, it would be denied