what’s the difference between AWS role permission policies and trust entities?

by walter

Table of Contents

In AWS Identity and Access Management (IAM), role permission policies and trust entities serve distinct but complementary purposes:

1. Permission Policies

  • Definition: Permission policies define what actions an IAM role can perform on specific AWS resources.
  • Scope: These policies are attached to the role itself and specify the permissions granted to anyone or anything assuming the role.
  • Purpose: Controls what the role is allowed to do.
  • Attached to: The IAM role.
  • Examples:
    • Allowing access to an S3 bucket: 
      {
"Version": "2012-10-17",
"Statement": [
{
  "Effect": "Allow",
  "Action": "s3:*",
  "Resource": "arn:aws:s3:::example-bucket/*"
}
]
}
    • Allowing access to DynamoDB tables or Lambda functions.

2. Trust Entities (Trust Policies)

  • Definition: Trust entities define who or what can assume the role. This is configured in the trust policy of the role.
  • Scope: These policies specify the principal(s) (users, services, or accounts) allowed to assume the role.
  • Purpose: Controls who is allowed to assume the role.
  • Attached to: The trust policy of the IAM role.
  • Examples:
    • Allowing EC2 instances to assume a role: 
      {
"Version": "2012-10-17",
"Statement": [
{
  "Effect": "Allow",
  "Principal": {
    "Service": "ec2.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}
]
}
    • Allowing a specific AWS account or user to assume the role: 
      {
"Version": "2012-10-17",
"Statement": [
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::123456789012:root"
  },
  "Action": "sts:AssumeRole"
}
]
}

Key Differences:

Aspect Permission Policies Trust Entities (Trust Policies)
Purpose Defines what actions the role can perform on resources. Defines who/what can assume the role.
Focus Resource access and actions (e.g., S3, EC2). Role assumption (e.g., services, accounts).
Attached To The IAM role itself. The trust policy of the role.
Defines The scope of actions allowed. The scope of principals allowed.
Example Entity s3:ListBucket or ec2:DescribeInstances. ec2.amazonaws.com or another AWS account.
Action in Policy Specifies resource-based actions. Uses sts:AssumeRole for granting trust.

Example Role Configuration:

Suppose you have a role that allows an EC2 instance to access an S3 bucket. This role would require:

  1. Permission Policy: Grants permissions for S3 actions.

    {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"
   }
 ]
}

  2. Trust Policy: Allows EC2 instances to assume the role.

    {
 "Version": "2012-10-17",
 "Statement": [
   {
     "Effect": "Allow",
     "Principal": {
       "Service": "ec2.amazonaws.com"
     },
     "Action": "sts:AssumeRole"
   }
 ]
}

Summary:

  • Permission Policies determine what actions the role can perform on AWS resources.
  • Trust Entities (defined in the trust policy) determine who or what is allowed to assume the role.

Both are necessary for a role to function properly in AWS.

Comments |0|

Legend *) Required fields are marked
**) You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>
Category: 似水流年