{"id":1839,"date":"2025-01-21T09:37:07","date_gmt":"2025-01-21T01:37:07","guid":{"rendered":"https:\/\/www.fanyamin.com\/wordpress\/?p=1839"},"modified":"2025-01-21T09:37:07","modified_gmt":"2025-01-21T01:37:07","slug":"whats-the-difference-between-aws-role-permission-policies-and-trust-entities","status":"publish","type":"post","link":"https:\/\/www.fanyamin.com\/wordpress\/?p=1839","title":{"rendered":"What&#8217;s the difference between AWS role permission policies and trust entities?"},"content":{"rendered":"<p>In AWS Identity and Access Management (IAM), <strong>role permission policies<\/strong> and <strong>trust entities<\/strong> serve distinct but complementary purposes:<\/p>\n<hr \/>\n<h3>1. <strong>Permission Policies<\/strong><\/h3>\n<ul>\n<li><strong>Definition<\/strong>: Permission policies define <strong>what actions<\/strong> an IAM role can perform on specific AWS resources.<\/li>\n<li><strong>Scope<\/strong>: These policies are attached to the role itself and specify the permissions granted to anyone or anything assuming the role.<\/li>\n<li><strong>Purpose<\/strong>: Controls <strong>what the role is allowed to do<\/strong>.<\/li>\n<li><strong>Attached to<\/strong>: The IAM role.<\/li>\n<li><strong>Examples<\/strong>:\n<ul>\n<li>Allowing access to an S3 bucket:\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:*\",\n      \"Resource\": \"arn:aws:s3:::example-bucket\/*\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<li>Allowing access to DynamoDB tables or Lambda functions.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>2. <strong>Trust Entities (Trust Policies)<\/strong><\/h3>\n<ul>\n<li><strong>Definition<\/strong>: Trust entities define <strong>who or what can assume the role<\/strong>. 
This is configured in the <strong>trust policy<\/strong> of the role.<\/li>\n<li><strong>Scope<\/strong>: These policies specify the <strong>principal(s)<\/strong> (users, services, or accounts) allowed to assume the role.<\/li>\n<li><strong>Purpose<\/strong>: Controls <strong>who is allowed to assume the role<\/strong>.<\/li>\n<li><strong>Attached to<\/strong>: The trust policy of the IAM role.<\/li>\n<li><strong>Examples<\/strong>:\n<ul>\n<li>Allowing EC2 instances to assume a role:\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<li>Allowing a specific AWS account or user to assume the role:\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"AWS\": \"arn:aws:iam::123456789012:root\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h3>Key Differences:<\/h3>\n<table>\n<thead>\n<tr>\n<th><strong>Aspect<\/strong><\/th>\n<th><strong>Permission Policies<\/strong><\/th>\n<th><strong>Trust Entities (Trust Policies)<\/strong><\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Purpose<\/strong><\/td>\n<td>Defines <strong>what actions<\/strong> the role can perform on resources.<\/td>\n<td>Defines <strong>who\/what can assume the role<\/strong>.<\/td>\n<\/tr>\n<tr>\n<td><strong>Focus<\/strong><\/td>\n<td>Resource access and actions (e.g., S3, EC2).<\/td>\n<td>Role assumption (e.g., services, accounts).<\/td>\n<\/tr>\n<tr>\n<td><strong>Attached To<\/strong><\/td>\n<td>The IAM role itself.<\/td>\n<td>The trust policy of the role.<\/td>\n<\/tr>\n<tr>\n<td><strong>Defines<\/strong><\/td>\n<td>The <strong>scope of actions<\/strong> allowed.<\/td>\n<td>The <strong>scope of principals<\/strong> 
allowed.<\/td>\n<\/tr>\n<tr>\n<td><strong>Example Entity<\/strong><\/td>\n<td><code>s3:ListBucket<\/code> or <code>ec2:DescribeInstances<\/code>.<\/td>\n<td><code>ec2.amazonaws.com<\/code> or another AWS account.<\/td>\n<\/tr>\n<tr>\n<td><strong>Action in Policy<\/strong><\/td>\n<td>Specifies the service actions allowed on resources.<\/td>\n<td>Uses <code>sts:AssumeRole<\/code> for granting trust.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h3>Example Role Configuration:<\/h3>\n<p>Suppose you have a role that allows an EC2 instance to access an S3 bucket. This role would require:<\/p>\n<ol>\n<li>\n<p><strong>Permission Policy<\/strong>: Grants permissions for S3 actions.<\/p>\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Action\": \"s3:ListBucket\",\n      \"Resource\": \"arn:aws:s3:::example-bucket\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<li>\n<p><strong>Trust Policy<\/strong>: Allows EC2 instances to assume the role.<\/p>\n<pre><code class=\"language-json\">{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Effect\": \"Allow\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Action\": \"sts:AssumeRole\"\n    }\n  ]\n}<\/code><\/pre>\n<\/li>\n<\/ol>\n<hr \/>\n<h3>Summary:<\/h3>\n<ul>\n<li><strong>Permission Policies<\/strong> determine <strong>what actions<\/strong> the role can perform on AWS resources.<\/li>\n<li><strong>Trust Entities<\/strong> (defined in the trust policy) determine <strong>who or what is allowed to assume the role<\/strong>.<\/li>\n<\/ul>\n<p>Both are necessary for a role to function properly in AWS.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In AWS Identity and Access Management (IAM), role permission policies and trust entities serve distinct but complementary purposes: 1. Permission Policies Definition: Permission policies define what actions an IAM role can perform on specific AWS resources. 
Scope: These policies are attached to the role itself and specify the permissions granted to anyone or anything assuming [&hellip;] <a class=\"read-more\" href=\"https:\/\/www.fanyamin.com\/wordpress\/?p=1839\" title=\"Permanent Link to: what&#8217;s the difference between AWS role permission policies and trust entities?\">&rarr;Read&nbsp;more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1839","post","type-post","status-publish","format-standard","hentry","category-5"],"_links":{"self":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1839"}],"collection":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1839"}],"version-history":[{"count":1,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1839\/revisions"}],"predecessor-version":[{"id":1840,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1839\/revisions\/1840"}],"wp:attachment":[{"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fanyamin.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}