
Security

IAM Roles and Policies

How identity and access management grants permissions through roles, policies, and temporary credentials.


What IAM Controls

Identity and Access Management (IAM) decides who can do what to which cloud resource. Every API request is evaluated against the permissions attached to the calling identity before the service carries it out; no request bypasses that check.

Policies Describe Permissions

A policy is a document that lists allowed or denied actions on specific resources. Together with where it is attached, it answers three questions:

  • Who the principal is, such as a user, role or service. For a policy attached directly to an identity the principal is implicit; a resource policy or trust policy names it explicitly.
  • What actions are permitted or denied, such as read, write or delete.
  • Which resources those actions apply to, usually named by identifier with optional wildcards.

By default everything is denied. A request is allowed only if some policy explicitly grants the action on that resource, and an explicit deny always wins over any allow, no matter where the allow comes from.
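The evaluation order just described can be written down as a small decision procedure. The following is an added illustration, not a cloud provider's real policy engine and not code from the original lesson; the policy documents are constructed samples in a simplified AWS-like shape (Effect, Action, Resource), and wildcard matching is done with fnmatch as a stand-in for the provider's own matcher.

```python
"""Minimal IAM-style policy evaluator (added example, not a real engine).

Rules implemented, as in the lesson:
  1. Default deny: with no matching statement the answer is Deny.
  2. An explicit Allow is required for the action on that resource.
  3. An explicit Deny overrides every Allow.
"""
from fnmatch import fnmatchcase

# Constructed sample policies attached to one identity (hypothetical data).
SAMPLE_POLICIES = [
    {
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": "arn:aws:s3:::app-logs/*"},
            {"Effect": "Allow",
             "Action": "s3:*",
             "Resource": "arn:aws:s3:::app-scratch/*"},
        ]
    },
    {
        # A guardrail policy: deleting objects is forbidden everywhere,
        # even though the statement above grants s3:* on app-scratch.
        "Statement": [
            {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
        ]
    },
]


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # Action names are compared case-insensitively; '*' and '?' are wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # Resource identifiers are compared case-sensitively.
    return fnmatchcase(resource, pattern)


def statement_matches(stmt, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    action_hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    resource_hit = any(_resource_matches(p, resource)
                       for p in _as_list(stmt["Resource"]))
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Decide one request. Returns (decision, reason) where reason is
    'explicit_deny', 'explicit_allow' or 'implicit_deny'."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                # Explicit deny wins: stop immediately, ignore any allows.
                return ("Deny", "explicit_deny")
            if stmt["Effect"] == "Allow":
                allowed = True  # keep scanning in case a Deny also matches
    return ("Allow", "explicit_allow") if allowed else ("Deny", "implicit_deny")


if __name__ == "__main__":
    for act, res in [
        ("s3:GetObject", "arn:aws:s3:::app-logs/2024/app.log"),
        ("s3:PutObject", "arn:aws:s3:::app-logs/2024/app.log"),
        ("s3:DeleteObject", "arn:aws:s3:::app-scratch/tmp.bin"),
    ]:
        print(act, res, "->", evaluate(SAMPLE_POLICIES, act, res))
```

The third request shows why the ordering matters: the s3:* allow on app-scratch covers DeleteObject, but the guardrail Deny matches the same request and takes precedence, so the evaluator returns Deny without considering the allow.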

Roles Avoid Long-Lived Keys

A role is an identity that any trusted principal can assume to receive temporary credentials. Instead of embedding a permanent secret key in an application, a server or function assumes the role at runtime and receives short-lived credentials that expire automatically and are renewed as needed.

  • Roles limit the damage from leaked credentials because the tokens expire; a stolen token is only useful until its expiry, whereas a leaked permanent key works until someone notices and rotates it.
  • A trust policy attached to the role controls which principals are allowed to assume it, separately from the permission policies that say what the role may do once assumed.
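The two checks a role involves, "may this principal assume the role" and "is this token still valid", are easiest to see in a toy model. The following is an added example, not an SDK call and not code from the lesson: the role definition and principal names are constructed, the trust policy is a plain list of trusted principals, and the issued token is an HMAC over the role, principal and expiry under a hypothetical server-side signing key so that neither the holder nor a thief can extend its lifetime.

```python
"""Toy model of role assumption with expiring credentials (added example).

assume_role() enforces the trust policy and caps the session length;
validate() accepts a token only while it is unexpired and untampered.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed sample role. The trust policy names who may assume it;
# what the role can do would live in separate permission policies.
SAMPLE_ROLE = {
    "RoleName": "log-reader",
    "TrustPolicy": {"Principal": ["service:ec2", "user:alice"]},
    "MaxSessionSeconds": 3600,
}

# Hypothetical signing key held only by the token issuer.
SIGNING_KEY = secrets.token_bytes(32)


@dataclass(frozen=True)
class TemporaryCredentials:
    role: str
    principal: str
    expires_at: float   # Unix time after which the token is useless
    token: str          # HMAC binding role, principal and expiry


def _sign(role, principal, expires_at):
    msg = f"{role}|{principal}|{expires_at}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def assume_role(role, principal, duration=900, now=None):
    """Check the trust policy, then issue short-lived credentials.

    Raises PermissionError if the principal is not trusted. The requested
    duration is clamped to the role's maximum session length."""
    now = time.time() if now is None else now
    if principal not in role["TrustPolicy"]["Principal"]:
        raise PermissionError(f"{principal} may not assume {role['RoleName']}")
    duration = min(duration, role["MaxSessionSeconds"])
    expires_at = now + duration
    return TemporaryCredentials(
        role=role["RoleName"],
        principal=principal,
        expires_at=expires_at,
        token=_sign(role["RoleName"], principal, expires_at),
    )


def validate(creds, now=None):
    """True only if the signature matches and the expiry has not passed.

    Because the expiry is covered by the signature, editing expires_at on a
    stolen token invalidates it rather than extending it."""
    now = time.time() if now is None else now
    expected = _sign(creds.role, creds.principal, creds.expires_at)
    if not hmac.compare_digest(expected, creds.token):
        return False
    return now < creds.expires_at


if __name__ == "__main__":
    creds = assume_role(SAMPLE_ROLE, "service:ec2", duration=900)
    print("valid now:", validate(creds))
    print("valid in 1h:", validate(creds, now=time.time() + 3600))
    try:
        assume_role(SAMPLE_ROLE, "user:mallory")
    except PermissionError as exc:
        print("trust policy blocked:", exc)
```

The fixed `now` parameter exists so the expiry behaviour can be exercised deterministically; a real issuer would use the clock, and a real validator would also check which role the token names before applying that role's permission policies.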

Key idea

IAM enforces access by evaluating each request against policies that explicitly grant actions on resources, denying by default and letting an explicit deny override any allow; roles deliver temporary, expiring credentials so applications never have to store permanent keys.

Check yourself


1. What is the default decision when no policy grants an action?

2. What is the main benefit of assuming a role instead of using a permanent key?

3. When an explicit deny and an explicit allow both match, what happens?