-1

A policy can be attached to a user or group. This controls what the users are able to do in AWS.

Can a policy be attached to an AWS service? What is the relation between a policy and an AWS service?

And where does the concept of Role fit in all this?

variable

2 Answers

1

Think of a role like a container holder for permissions, which can be used to delegate access to users, applications, or services that don't normally have access to your AWS resources.

From the docs:

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Jatin Mehrotra
0

A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when an IAM principal (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied.
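
An added example (not part of the original answers, and not AWS code): a simplified Python model of how a role pairs a trust policy (who may assume it, here the EC2 service) with a permissions policy (what it may do), and how an explicit Deny overrides an Allow. The bucket name, policy documents, function names and decision labels are constructed for illustration; conditions, resource-based policies, permissions boundaries and SCPs are ignored.

```python
import re

# Constructed sample documents (assumptions, not from the original post).
# Trust policy: WHO may assume the role. Here, the EC2 service.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
# Permissions policy: WHAT the role may do once it has been assumed.
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket",
                  "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/secret/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, flags=0):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, flags):
            return True
    return False

def can_assume(trust_policy, service_principal):
    """True if the trust policy lets this service principal assume the role."""
    for stmt in trust_policy["Statement"]:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) \
            if isinstance(principal, dict) else []
        if (stmt["Effect"] == "Allow" and service_principal in services
                and _matches(stmt["Action"], "sts:AssumeRole", re.IGNORECASE)):
            return True
    return False

def evaluate(policies, action, resource):
    """Default is deny; any matching Deny wins over every matching Allow."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not (_matches(stmt["Action"], action, re.IGNORECASE)
                    and _matches(stmt["Resource"], resource)):
                continue
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

A service never has a policy attached directly in this model: it assumes the role, and the role's permissions policy is what gets evaluated for each request.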