
I am trying to properly understand what is meant by an IAM role. The more I read, the more confused I get. I have also seen this link: https://stackoverflow.com/questions/51201214/use-of-security-groups-vs-role/51203267#:~:text=Security%20groups%20are%20more%20about,firewall%20that%20controls%20the%20traffic.&text=IAM%20Roles%20are%20more%20used,actions%20and%20resources%20in%20AWS.

From what I understood:

  1. Is an IAM role only applicable to the resource which initiates the communication? The target of the communication can restrict access using NACLs, Security Groups, Subnets etc. But I think that is not the case: you can also attach an IAM policy to an S3 bucket. So I am confused about when to consider an IAM role and when not.
  2. What if some external resource (not within AWS) wants to access a service within AWS (maybe a web application)? Suppose it is a public web application (no authentication). If so, will we have to consider an IAM role? I know there are several ways to deploy the web application: using AWS Amplify, an S3 bucket, writing your own application, etc.
SRaj

1 Answer

Please read and work through https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html. IAM is a difficult topic, and it takes a lot of practice, reading and working with it to fully understand it.

  1. NACLs, security groups and subnets operate on a different level and have nothing to do with IAM, as the linked answer suggests. S3 can have a bucket policy that is "combined" with the policies your role has to compute whether an operation is allowed or not.

  2. If you publicly host the endpoint you can disable IAM, e.g. in an API Gateway or CloudFront => S3. Internally, the permission between the API Gateway and the underlying Lambda, or between CloudFront and S3, is once again handled via IAM, but that is not visible to the outside user.

luk2302
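The "combined" evaluation in point 1 of the answer is the part that usually confuses people, so here is an added example (not part of the answer above, and not AWS code) that models the documented same-account decision logic in a few lines of Python: an explicit Deny in any applicable policy wins, otherwise an Allow from either the role's identity-based policy or the bucket's resource policy is enough, otherwise the request is implicitly denied. The role ARN, bucket name and both policy documents are constructed for the example; Condition, NotAction and cross-account rules (where the resource policy and the identity policy must both allow) are deliberately left out.

```python
import fnmatch

# Constructed sample identities and policies (not real account data).
ROLE_ARN = "arn:aws:iam::123456789012:role/app-role"
BUCKET_ARN = "arn:aws:s3:::example-bucket"

# Identity-based policy attached to the role: object reads only.
ROLE_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/*"}
    ]
}

# Resource-based (bucket) policy: grants ListBucket to the role and denies
# reads under secret/ to everyone, regardless of what their role allows.
BUCKET_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
        {"Effect": "Deny", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET_ARN + "/secret/*"},
    ]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # IAM wildcards: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, resource, principal_arn=None):
    """True if the statement's Action, Resource and (for resource policies)
    Principal all match the request."""
    if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    principal = stmt.get("Principal")
    if principal is not None and principal_arn is not None:
        if principal == "*":
            return True
        allowed = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else _as_list(principal)
        if "*" not in allowed and principal_arn not in allowed:
            return False
    return True


def evaluate(action, resource, principal_arn, identity_policies, resource_policy=None):
    """Simplified same-account IAM evaluation.

    Returns "ExplicitDeny", "Allow" or "ImplicitDeny".
    """
    effects = []
    for policy in identity_policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_applies(stmt, action, resource):
                effects.append(stmt["Effect"])
    if resource_policy is not None:
        for stmt in _as_list(resource_policy["Statement"]):
            if _statement_applies(stmt, action, resource, principal_arn):
                effects.append(stmt["Effect"])
    if "Deny" in effects:
        return "ExplicitDeny"      # an explicit Deny anywhere always wins
    if "Allow" in effects:
        return "Allow"             # Allow from either side suffices in-account
    return "ImplicitDeny"          # nothing matched


def demo():
    """Four requests from the role against the bucket, as (action, resource, decision)."""
    cases = [
        ("s3:GetObject", BUCKET_ARN + "/public/a.txt"),   # allowed by the role policy
        ("s3:GetObject", BUCKET_ARN + "/secret/key.pem"), # role allows, bucket denies
        ("s3:ListBucket", BUCKET_ARN),                    # allowed only by the bucket policy
        ("s3:PutObject", BUCKET_ARN + "/public/a.txt"),   # nobody allows it
    ]
    return [(a, r, evaluate(a, r, ROLE_ARN, [ROLE_POLICY], BUCKET_POLICY)) for a, r in cases]


if __name__ == "__main__":
    for action, resource, decision in demo():
        print(f"{decision:13} {action:14} {resource}")
```

The third case is the one the answer is pointing at: the role's own policy never mentions `s3:ListBucket`, yet the request is allowed because the bucket policy names the role as Principal. The second case shows the other direction: the bucket owner can veto an action the role would otherwise be allowed to perform. Network controls such as security groups and NACLs never enter this computation at all.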