AWS Identity and Access Management (IAM) | IAM Role Management Flashcards

1
Q

Can I set usage quotas on IAM users?

IAM Role Management

AWS Identity and Access Management (IAM) | Security, Identity & Compliance

A

No. All limits are on the AWS account as a whole. For example, if your AWS account has a limit of 20 Amazon EC2 instances, IAM users with EC2 permissions can start instances up to the limit. You cannot limit what an individual user can do.

2
Q

What is an IAM role?

A

An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.

3
Q

What problems do IAM roles solve?

A

IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.

4
Q

How do I get started with IAM roles?

A

You create a role in a way similar to how you create a user—name the role and attach a policy to it. For details, see Creating IAM Roles.

5
Q

How do I assume an IAM role?

A

You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words, AssumeRole, AssumeRoleWithWebIdentity, and AssumeRoleWithSAML). These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.

6
Q

How many IAM roles can I assume?

A

There is no limit to the number of IAM roles you can assume, but you can only act as one IAM role when making requests to AWS services.

7
Q

Who can use IAM roles?

A

Any AWS customer can use IAM roles.

8
Q

How much do IAM roles cost?

A

IAM roles are free of charge. You will continue to pay for any resources a role in your AWS account consumes.

9
Q

How are IAM roles managed?

A

You can create and manage IAM roles via the IAM APIs, AWS CLI, or IAM console, which gives you a point-and-click, web-based interface.

10
Q

What is the difference between an IAM role and an IAM user?

A

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM role does not have any credentials and cannot make direct requests to AWS services. IAM roles are meant to be assumed by authorized entities, such as IAM users, applications, or an AWS service such as EC2.

11
Q

When should I use an IAM user, IAM group, or IAM role?

A

An IAM user has permanent long-term credentials and is used to directly interact with AWS services. An IAM group is primarily a management convenience to manage the same set of permissions for a set of IAM users. An IAM role is an AWS Identity and Access Management (IAM) entity with permissions to make AWS service requests. IAM roles cannot make direct requests to AWS services; they are meant to be assumed by authorized entities, such as IAM users, applications, or AWS services such as EC2. Use IAM roles to delegate access within or between AWS accounts.

12
Q

Can I add an IAM role to an IAM group?

A

Not at this time.

13
Q

How many policies can I attach to an IAM role?

A

For inline policies: You can add as many inline policies as you want to a user, role, or group, but the total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the following limits:

User policy size cannot exceed 2,048 characters.

Role policy size cannot exceed 10,240 characters.

Group policy size cannot exceed 5,120 characters.

For managed policies: You can add up to 10 managed policies to a user, role, or group. The size of each managed policy cannot exceed 6,144 characters.

14
Q

How many IAM roles can I create?

A

You are limited to 1,000 IAM roles under your AWS account. If you need more roles, submit the IAM limit increase request form with your use case, and we will consider your request.

15
Q

To which services can my application make requests?

A

Your application can make requests to all AWS services that support role sessions.

16
Q

What is IAM roles for EC2 instances?

A

IAM roles for EC2 instances enables your applications running on EC2 to make requests to AWS services such as Amazon S3, Amazon SQS, and Amazon SNS without you having to copy AWS access keys to every instance. For details, see IAM Roles for Amazon EC2.

17
Q

What are the features of IAM roles for EC2 instances?

A

IAM roles for EC2 instances provides the following features:

AWS temporary security credentials to use when making requests from running EC2 instances to AWS services.

Automatic rotation of the AWS temporary security credentials.

Granular AWS service permissions for applications running on EC2 instances.

18
Q

What problem does IAM roles for EC2 instances solve?

A

IAM roles for EC2 instances simplifies management and deployment of AWS access keys to EC2 instances. Using this feature, you associate an IAM role with an instance. Then your EC2 instance provides the temporary security credentials to applications running on the instance, and the applications can use these credentials to make requests securely to the AWS service resources defined in the role.

19
Q

How do I get started with IAM roles for EC2 instances?

A

To understand how roles work with EC2 instances, you need to use the IAM console to create a role, launch an EC2 instance that uses that role, and then examine the running instance. You can examine the instance metadata to see how the role credentials are made available to an instance. You can also see how an application that runs on an instance can use the role. For more details, see How Do I Get Started?

20
Q

Can I use the same IAM role on multiple EC2 instances?

A

Yes.

21
Q

Can I change the IAM role on a running EC2 instance?

A

Yes. Although a role is usually assigned to an EC2 instance when you launch it, a role can also be assigned to an EC2 instance that is already running. To learn how to assign a role to a running instance, see IAM Roles for Amazon EC2. You can also change the permissions on the IAM role associated with a running instance, and the updated permissions take effect almost immediately.

22
Q

Can I associate an IAM role with an already running EC2 instance?

A

Yes. You can assign a role to an EC2 instance that is already running. To learn how to assign a role to an already running instance, see IAM Roles for Amazon EC2.

23
Q

Can I associate an IAM role with an Auto Scaling group?

A

Yes. You can add an IAM role as an additional parameter in an Auto Scaling launch configuration and create an Auto Scaling group with that launch configuration. All EC2 instances launched in an Auto Scaling group that is associated with an IAM role are launched with the role as an input parameter. For more details, see What Is Auto Scaling? in the Auto Scaling Developer Guide.

24
Q

Can I associate more than one IAM role with an EC2 instance?

A

No. You can only associate one IAM role with an EC2 instance at this time. This limit of one role per instance cannot be increased.

25
Q

What happens if I delete an IAM role that is associated with a running EC2 instance?

A

Any application running on the instance that is using the role will be denied access immediately.

26
Q

Can I control which IAM roles an IAM user can associate with an EC2 instance?

A

Yes. For details, see Permissions Required for Using Roles with Amazon EC2.

27
Q

Which permissions are required to launch EC2 instances with an IAM role?

A

You must grant an IAM user two distinct permissions to successfully launch EC2 instances with roles:

Permission to launch EC2 instances.

Permission to associate an IAM role with EC2 instances.

For details, see Permissions Required for Using Roles with Amazon EC2.

28
Q

Who can access the access keys on an EC2 instance?

A

Any local user on the instance can access the access keys associated with the IAM role.

29
Q

How do I use the IAM role with my application on the EC2 instance?

A

If you develop your application with the AWS SDK, the AWS SDK automatically uses the AWS access keys that have been made available on the EC2 instance. If you are not using the AWS SDK, you can retrieve the access keys from the EC2 instance metadata service. For details, see Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances.

30
Q

How do I rotate the temporary security credentials on the EC2 instance?

A

The AWS temporary security credentials associated with an IAM role are automatically rotated multiple times a day. New temporary security credentials are made available no later than five minutes before the existing temporary security credentials expire.

31
Q

Can I use IAM roles for EC2 instances with any instance type or Amazon Machine Image?

A

Yes. IAM roles for EC2 instances also work in Amazon Virtual Private Cloud (VPC), with spot and reserved instances.

32
Q

What is a service-linked role?

A

A service-linked role is a type of role that links to an AWS service (also known as a linked service) such that only the linked service can assume the role. Using these roles, you can delegate permissions to AWS services to create and manage AWS resources on your behalf.

33
Q

Can I assume a service-linked role?

A

No. A service-linked role can be assumed only by the linked service. This is the reason why the trust policy of a service-linked role cannot be modified.

34
Q

Can I delete a service-linked role?

A

Yes. If you no longer want an AWS service to perform actions on your behalf, you can delete its service-linked role. Before you delete the role, you must delete all AWS resources that depend on the role. This step ensures that you do not inadvertently delete a role required for your AWS resources to function properly.