Skip to content
IAM Day by Day

AWS IAM Roles & Policies Architecture

The Sovereign Logic of Authorization

Section titled “The Sovereign Logic of Authorization”

Roles and Policies are the “Sovereign Logic” of the AWS identity ecosystem. While Users provide persistence, Roles provide flexibility and security through the issuance of short-lived, temporary credentials. Policies are the immutable rulebooks—the JSON-based logic—that define exactly what an identity can and cannot do. In a modern “Assume Role” architecture, identity is decoupled from static keys, drastically reducing the risk of credential theft. For the IAM architect, Roles and Policies are the core tools for implementing Cross-Account Trust, Service-to-Service Authorization, and the highly granular control required for enterprisecloud governance.

ROLES & POLICIES

Authorization Sovereign
Core Mission
Dynamic Least Privilege. Establishing a cryptographically secure framework for granting temporary access across accounts and services through rigorous policy evaluation and verifiable trust relationships.
Like a Diplomatic Passport with a Permission Slip: A "Role" is like a Diplomatic Passport (Temporary Identity). It doesn't belong to a person; it sits in a vault. To use it, you must prove you are authorized to "Assume" that role. Once you have it, you also need a "Permission Slip" (The Policy) that lists exactly which offices you can enter and what files you can read. When the mission is over, the passport expires, and the permission slip is shredded.
Cross-Account Management / Serverless Security (Lambda) / EC2 Instance Profiles / Federation (OKTA/AD)

The Authorization Design Matrix

Section titled “The Authorization Design Matrix”

Effective AWS security requires choosing the right policy type and role configuration for the task.

Strategic Policy & Role Profiles

Section titled “Strategic Policy & Role Profiles”
ComponentStrategic ResponsibilityIAM Implementation
Trust Policy”Who can assume me?”JSON document defining the Trusted Entity (Account, Service, or SAML IdP).
Identity-Based Policy”What can I do?”JSON document attached to the Role defining allowed Actions/Resources.
Resource-Based Policy”Who can touch me?”Policy attached to a specific resource (S3, KMS) to define external access.
Service RoleNon-Human Identity.Assigned directly to AWS services (Lambda, EC2) to allow them to call other APIs.

The “Assume Role” Flow

Section titled “The “Assume Role” Flow”

AWS security relies on the Secure Token Service (STS) to exchange trust for temporary credentials.

graph LR
    Establish[Establish Trust] --> Assume[Assume Role]
    Assume --> Exchange[STS Token Exchange]
    Exchange --> Access[Authorized Access]
1

Establish the Trust Relationship

Define the **Trust Policy**. This is the most critical configuration. It defines exactly which principals (e.g., an AWS account ID or a specific SAML provider) are allowed to "Assume" the role. Without this cryptographically defined trust, the role is inaccessible.

2

Requesting the Persona (STS)

The authorized principal calls the **AWS STS `AssumeRole` API**. AWS verifies the Trust Policy. If satisfied, STS issues a set of **Temporary Security Credentials** (Access Key, Secret Key, and Session Token) with a strictly limited TTL (e.g., 1 hour).

3

Policy-Driven Execution

The requester uses the temporary token to call AWS APIs. AWS evaluates the **Identity-Based Policy** attached to the role. Because the token is short-lived, even if it is intercepted, the window of compromise is minimal compared to static long-term keys.

Technical Roles Implementation

Section titled “Technical Roles Implementation”

Designing policies with “Conditions” adds a critical layer of context-based security.

Role Trust & Action Policy (JSON Example)

Section titled “Role Trust & Action Policy (JSON Example)”
// The Trust Policy: Who can assume this role?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "lambda.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}


// The Identity Policy: What can this role do?
{
  "Effect": "Allow",
  "Action": "dynamodb:PutItem",
  "Resource": "arn:aws:dynamodb:*:*:table/SovereignData",
  "Condition": {
    "StringEquals": { "aws:PrincipalTag/Project": "Gamma" }
  }
}

Role & Policy Implementation Guides

Section titled “Role & Policy Implementation Guides”

Master the technical ceremonies of temporary credentials and cross-account trust.

Cross-Account Trust

Designing "Central Security Account" patterns to manage multi-account AWS Organizations.

Condition Keys

Using context-based tags (ABAC) to build dynamic, scalable authorization policies.

SSO Integration

Connecting Okta or Entra ID to AWS roles using SAML 2.0 and SCIM.

Resource Policies

Deep dive into S3 Bucket policies and KMS Key policies for defense-in-depth.

Next Steps

Section titled “Next Steps”