 

What does the default trust policy in an AWS IAM role mean?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Can you please explain what ec2.amazonaws.com means here? In what way can I now assume the role?

Raghvendra Singh asked Sep 06 '15 20:09


People also ask

What is trust policy in IAM role?

A role trust policy is a required resource-based policy attached to a role in IAM; it names the principals (users, roles, accounts, or services) that are allowed to assume the role. It is distinct from the role's permissions policy, a JSON document in which you define what actions and resources the role can use.

What is the default IAM permissions?

Permissions are granted to IAM entities (users, groups, and roles) and by default these entities start with no permissions. In other words, IAM entities can do nothing in AWS until you grant them your desired permissions.

What are the two policies for an IAM role?

A role carries two kinds of policy: a trust policy, which says who may assume the role, and one or more permissions policies, which say what the role may do once assumed. Permissions policies can be managed policies, of which there are two types: AWS managed policies, created and managed by AWS, and customer managed policies, which you create and manage in your own AWS account.

What are the type of trusted entities that can be used in AWS IAM roles?

Each role has a set of permissions for making AWS service requests, and a role is not associated with a specific user or group. Instead, trusted entities such as identity providers or AWS services assume roles. For more information, see IAM roles.


1 Answer

A Principal within an Amazon IAM policy specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource:

You use the Principal element in the trust policies for IAM roles and in resource-based policies—that is, in policies that you embed directly in a resource. For example, you can embed such policies in an Amazon S3 bucket, an Amazon Glacier vault, an Amazon SNS topic, an Amazon SQS queue, or an AWS KMS encryption key.

For the policy at hand, the principal is the AWS service ec2.amazonaws.com, that is, this trust policy allows the Amazon EC2 service to assume any IAM role in your account (i.e., a "Resource": "*" statement is implied).

  • you could further constrain the policy to only cover one or more specific roles, which would need to be explicated via a Resource statement like "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/ROLE-NAME"
  • this is most commonly seen/used in the context of IAM Roles for Amazon EC2, where you are effectively Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2
Steffen Opel answered Oct 06 '22 04:10
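An added example, not part of the question or of Steffen Opel's answer, that reads the trust policy above the way IAM does: the Service principal means only the EC2 service can call sts:AssumeRole on the role, which it does on behalf of an instance launched with the role's instance profile, and an IAM user in the account cannot assume the role until an AWS principal is added for it. The account ids, user name and ExternalId are constructed placeholders; can_assume is a deliberately simplified matcher (exact principal match plus an sts:ExternalId check) written for this example, not a reimplementation of IAM's policy evaluation.

```python
import json

# Trust policy from the question: the only principal is the EC2 service.
# An instance launched with this role's instance profile gets temporary
# credentials because EC2 assumes the role on its behalf; no IAM user or
# other account is listed, so none of them can call sts:AssumeRole on it.
DEFAULT_EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in most elements; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, principal_type, principal_value, external_id):
    """Simplified matcher (example only): exact principal match, an
    sts:AssumeRole action, and the sts:ExternalId StringEquals condition if
    the statement carries one. Real IAM evaluation also handles wildcards,
    other condition keys, session policies and SCPs."""
    if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
        return False
    principal = stmt.get("Principal", {})
    if principal == "*":                      # anyone at all, the worst case
        matched = True
    else:
        matched = isinstance(principal, dict) and \
            principal_value in _as_list(principal.get(principal_type, []))
    if not matched:
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
    return wanted is None or wanted == external_id


def can_assume(policy, principal_type, principal_value, external_id=None):
    """True if principal_value (a 'Service' name or an 'AWS' ARN) may assume
    the role under this trust policy. A matching Deny always wins."""
    stmts = policy.get("Statement", [])
    args = (principal_type, principal_value, external_id)
    if any(s.get("Effect") == "Deny" and _statement_matches(s, *args) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_matches(s, *args) for s in stmts)


def allow_cross_account_assume(policy, account_id, external_id):
    """Return a copy of policy with one more statement letting principals in
    account_id assume the role, gated on an agreed sts:ExternalId (the
    standard confused-deputy guard for cross-account trust). The EC2
    statement is left untouched, so instances keep working."""
    new = json.loads(json.dumps(policy))      # deep copy, input stays intact
    new["Statement"].append(
        {
            "Sid": "CrossAccountAssume",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }
    )
    return new


def lint_trust_policy(policy, own_account_id):
    """Findings for the two things a reviewer checks first in a trust policy:
    wildcard principals, and Allow statements that trust another account
    without an sts:ExternalId condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid") or "<no Sid>"
        principal = stmt.get("Principal", {})
        aws_principals = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if principal == "*" or "*" in aws_principals:
            findings.append(f"{sid}: wildcard principal, any AWS account could assume the role")
            continue
        has_external_id = "sts:ExternalId" in stmt.get("Condition", {}).get("StringEquals", {})
        for arn in aws_principals:
            # arn:aws:iam::123456789012:root -> account id is the 5th field;
            # a bare 12-digit account id is also a legal AWS principal
            account = arn.split(":")[4] if arn.startswith("arn:") else arn
            if account != own_account_id and not has_external_id:
                findings.append(f"{sid}: trusts account {account} without an sts:ExternalId condition")
    return findings


if __name__ == "__main__":
    me = "111111111111"                       # constructed account id
    print(can_assume(DEFAULT_EC2_TRUST_POLICY, "Service", "ec2.amazonaws.com"))
    print(can_assume(DEFAULT_EC2_TRUST_POLICY, "AWS", f"arn:aws:iam::{me}:user/alice"))
    shared = allow_cross_account_assume(DEFAULT_EC2_TRUST_POLICY, "222222222222", "ext-8f2c")
    print(lint_trust_policy(shared, me))
```

With the policy from the question, can_assume answers True only for the EC2 service; the IAM user in the same account gets False, which is why the role can only be used by launching an instance with its instance profile. Adding an AWS principal is what turns it into a role a user or another account can assume with sts:AssumeRole, and the lint shows why that addition should carry an ExternalId when the trusted account is not your own.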