Recall & Review
beginner
What is an IAM role in AWS?
An IAM role is like a set of permissions that you can give to AWS services or users to let them do specific tasks without sharing your personal credentials.
beginner
How is an IAM role different from an IAM user?
An IAM user is a person or service with long-term credentials, while an IAM role is a temporary set of permissions that can be assumed by users or services when needed.
beginner
What does it mean to 'assume' an IAM role?
To 'assume' a role means to temporarily take on the permissions defined by that role to perform tasks, like borrowing a key to access a room for a short time.
intermediate
Why use IAM roles instead of sharing access keys?
IAM roles improve security by avoiding sharing permanent keys. They provide temporary permissions that expire, reducing risk if credentials are exposed.
beginner
Give an example of when you would use an IAM role.
You use an IAM role when an EC2 instance needs to access S3 storage. Instead of storing keys on the instance, the EC2 assumes a role with permission to read S3.
What is the main purpose of an IAM role in AWS?
A. To monitor AWS usage
B. To create permanent user accounts
C. To grant temporary permissions to users or services
D. To store data securely
IAM roles provide temporary permissions that can be assumed by users or services.
Which of the following can assume an IAM role?
A. Only root account
B. Only AWS services
C. Only IAM users
D. Both IAM users and AWS services
Both IAM users and AWS services can assume roles to gain temporary permissions.
What happens when you assume an IAM role?
A. You get permanent access keys
B. You receive temporary security credentials
C. Your user account is deleted
D. You create a new IAM user
Assuming a role provides temporary security credentials for access.
Why is using IAM roles considered more secure than sharing access keys?
A. Roles provide temporary credentials that reduce risk
B. Roles allow unlimited access
C. Roles never expire
D. Roles are easier to remember
Temporary credentials from roles reduce the risk of long-term key exposure.
Which AWS service commonly uses IAM roles to access other services securely?
A. Amazon EC2
B. Amazon S3
C. AWS Lambda
D. Amazon RDS
Amazon EC2 instances often assume IAM roles to securely access other AWS services.
Explain what an IAM role is and how it helps improve security in AWS.
Think about borrowing permissions instead of sharing keys.
Describe a real-life scenario where you would use an IAM role in AWS.
Consider how an EC2 server accesses S3 without storing keys.
Practice
1. What is the main purpose of an IAM role in AWS?
easy
A. To monitor network traffic
B. To store user passwords securely
C. To create virtual machines
D. To grant permissions to entities without sharing long-term credentials
Solution
Step 1: Understand IAM role purpose
An IAM role allows AWS entities to assume permissions temporarily without needing permanent credentials like passwords.
Step 2: Compare options
Only "To grant permissions to entities without sharing long-term credentials" correctly describes this purpose. The other options describe unrelated AWS features.
Final Answer:
To grant permissions to entities without sharing long-term credentials -> Option D
Quick Check:
IAM roles = temporary permissions without passwords [OK]
Hint: Roles give permissions without passwords or keys [OK]
Common Mistakes:
Confusing roles with user accounts
Thinking roles store passwords
Mixing roles with AWS services like EC2
2. Which of the following is the correct way to specify a trust policy for an IAM role?
C. Because the action should be sts:AssumeRole, not iam:PassRole
D. Because EC2 instances cannot assume roles
Solution
Step 1: Identify the required action in trust policy
The trust policy must allow the action sts:AssumeRole for the trusted entity to assume the role.
Step 2: Analyze the given policy
The policy uses iam:PassRole, which is incorrect for trust. This prevents EC2 from assuming the role.
Final Answer:
Because the action should be sts:AssumeRole, not iam:PassRole -> Option C
Quick Check:
Trust policy action must be sts:AssumeRole [OK]
Hint: Trust policy action must be sts:AssumeRole [OK]
Common Mistakes:
Using iam:PassRole instead of sts:AssumeRole
Changing Effect to Deny by mistake
Believing EC2 cannot assume roles
5. You want to allow an AWS Lambda function to assume an IAM role that grants access to S3 buckets. Which two policies must you configure correctly to make this work?
hard
A. A trust policy allowing lambda.amazonaws.com to assume the role and an IAM permissions policy granting S3 access
B. A trust policy allowing s3.amazonaws.com to assume the role and an IAM permissions policy granting Lambda execution
C. An IAM user policy granting Lambda permissions and a trust policy allowing EC2 to assume the role
D. A permissions policy granting S3 access and a trust policy denying all principals
Solution
Step 1: Identify trust policy requirements
The trust policy must allow the Lambda service (lambda.amazonaws.com) to assume the role.
Step 2: Identify permissions policy requirements
The role's permissions policy must grant access to S3 buckets for the Lambda function.
Step 3: Evaluate options
A trust policy allowing lambda.amazonaws.com to assume the role and an IAM permissions policy granting S3 access correctly pairs the trust policy for Lambda and permissions for S3. Other options have incorrect principals or deny access.
Final Answer:
A trust policy allowing lambda.amazonaws.com to assume the role and an IAM permissions policy granting S3 access -> Option A
Quick Check:
Trust policy + permissions policy = role works [OK]
Hint: Trust policy for who assumes; permissions policy for what they can do [OK]