I am new to AWS and trying to understand IAM. I have a doubt which goes like this. For example, there is an S3 bucket in account A, and in its resource policy another AWS account B (root user) is given permission for a certain set of actions. Now there are certain roles which are also present in account B. So if someone assumes those roles, will they also have access to that S3 bucket in account A, or does the ARN of that role need to be explicitly mentioned in the resource policy of the bucket even though its root account already has access to it?
2 Answers
When you want to provide access cross-account, that is, access to a resource in one account for a principal (in this example, a role) from another account, granting the access in the resource policy is not enough; you also have to give access to that principal in an IAM policy in its own account. When you place the root user of an account in a resource-based policy, that indicates that access may be granted to any principal within that account (using an IAM policy in that account).
So, to answer your question: if the root user of account B is a principal to which access is granted in the bucket policy, you don't have to indicate the ARN of any specific role. However, you do need to assign access to the role in an IAM policy in account B, so that assuming it would grant access to the bucket (I'm assuming there's no mechanism denying the access, of course).

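The two policies the answer above describes, as an added example that is not part of the original thread: a bucket policy in account A that names account B's root principal, and an identity policy attached to a role in account B. The account IDs, bucket name and role names are placeholders, and `is_allowed` is a deliberately simplified model of the AWS evaluation rule for this case (an explicit Deny on either side wins; across accounts both the resource policy and the identity policy must Allow). It is not the real evaluator: conditions, SCPs, permission boundaries, session policies and NotAction/NotResource are ignored.

```python
"""Toy model of the two policies involved in cross-account S3 access.

Constructed example: account IDs, bucket and role names are placeholders,
and is_allowed() is a simplified stand-in for the AWS policy evaluator
(no Condition, SCP, permission boundary, session policy or NotAction).
"""
from fnmatch import fnmatchcase

BUCKET_ACCOUNT = "111111111111"   # account A, owns the bucket (placeholder)
ROLE_ACCOUNT = "222222222222"     # account B, owns the roles (placeholder)
BUCKET_ARN = "arn:aws:s3:::example-shared-bucket"
READER_ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/S3Reader"
AUDITOR_ROLE_ARN = f"arn:aws:iam::{ROLE_ACCOUNT}:role/Auditor"

# 1. Resource policy on the bucket in account A. Naming account B's root
#    principal delegates the decision to IAM policies inside account B;
#    no individual role ARN from account B has to be listed here.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DelegateReadToAccountB",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ROLE_ACCOUNT}:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# 2. Identity policy attached to the S3Reader role in account B. Without
#    this half, the delegation above grants the role nothing.
READER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"],
    }],
}

# A second role in account B whose identity policy covers a different
# bucket only: the bucket policy's root delegation alone is not enough.
AUDITOR_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::some-other-bucket/*",
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _account_of(principal_arn):
    # arn:aws:iam::<account-id>:role/<name> -> <account-id>
    return principal_arn.split(":")[4]


def _statement_covers(stmt, action, resource):
    """True if the statement's Action and Resource patterns match (IAM '*' and '?' wildcards)."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _principal_named(stmt, principal_arn):
    """True if Principal lists this ARN, '*', or the root of the principal's account."""
    raw = stmt.get("Principal", {})
    names = _as_list(raw if isinstance(raw, str) else raw.get("AWS", []))
    root = f"arn:aws:iam::{_account_of(principal_arn)}:root"
    return any(p in ("*", principal_arn, root) for p in names)


def _effect(matching_statements):
    """Collapse the matching statements into 'Deny', 'Allow' or None."""
    decision = None
    for stmt in matching_statements:
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def is_allowed(principal_arn, identity_policy, resource_policy, action, resource,
               resource_owner=BUCKET_ACCOUNT):
    """Simplified decision: Deny wins; same account needs one Allow, cross-account needs both."""
    resource_side = _effect(
        s for s in resource_policy["Statement"]
        if _principal_named(s, principal_arn) and _statement_covers(s, action, resource))
    identity_side = _effect(
        s for s in identity_policy["Statement"] if _statement_covers(s, action, resource))
    if "Deny" in (resource_side, identity_side):
        return False
    if _account_of(principal_arn) == resource_owner:
        return "Allow" in (resource_side, identity_side)
    return resource_side == "Allow" and identity_side == "Allow"


if __name__ == "__main__":
    obj = f"{BUCKET_ARN}/report.csv"
    for name, arn, pol in (("S3Reader", READER_ROLE_ARN, READER_ROLE_POLICY),
                           ("Auditor", AUDITOR_ROLE_ARN, AUDITOR_ROLE_POLICY)):
        print(name, "s3:GetObject ->", is_allowed(arn, pol, BUCKET_POLICY, "s3:GetObject", obj))
```

Running it shows S3Reader allowed and Auditor denied against the same bucket policy: the only difference is the identity policy in account B, which is exactly the half the answer says you still have to write. A Deny in either policy, or a bucket policy with no statement for account B, flips the S3Reader result to denied as well.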
When a user assumes a role, the user temporarily gives up his or her original permissions in exchange for those granted by the role. So to answer your question, in order for the bucket to be accessible to the role assumed by the root account (or any principal, really), the ARN of the role needs to be explicitly mentioned in the bucket policy.

- Yeah, that makes sense, but just to make sure: does the ARN of the role still need to be added to the bucket policy, even though the root account in which that role is created has full access to the bucket? – user16516902 Jul 24 '21 at 13:31
- Yes. As I said, when the root account assumes the role, it gives up all its original permissions. – jellycsc Jul 24 '21 at 13:48