Raghvendra Singh

Reputation: 1140

What does the default trust policy in an AWS IAM role mean?

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Can you please explain what ec2.amazonaws.com means here? In what way can I now assume the role?

Upvotes: 11

Views: 9007

Answers (1)

Steffen Opel

Reputation: 64741

A Principal within an Amazon IAM policy specifies the user (IAM user, federated user, or assumed-role user), AWS account, AWS service, or other principal entity that is allowed or denied access to a resource:

You use the Principal element in the trust policies for IAM roles and in resource-based policies—that is, in policies that you embed directly in a resource. For example, you can embed such policies in an Amazon S3 bucket, an Amazon Glacier vault, an Amazon SNS topic, an Amazon SQS queue, or an AWS KMS encryption key.

For the policy at hand, the principal is the AWS service ec2.amazonaws.com, that is, this trust policy grants the Amazon EC2 service permission to assume any IAM role in your account (i.e., a "Resource": "*" statement is implied).

Upvotes: 7
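An added example, not part of the question or answer above: a small checker that reads a role trust policy, lists which principals its Allow statements let call sts:AssumeRole, and flags wildcard principals. The sample policy is constructed; its first statement is the default EC2 trust policy from the question and its second statement is a deliberately broad one for the flagging case.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: the default EC2 trust policy from the question plus a
# second, deliberately broad statement so the overly_broad check has a hit.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow",
     "Principal": {"AWS": "*"},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}
  ]
}
""")

def _as_list(value):
    # IAM policy grammar allows a single string or a list in most positions.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def assume_role_principals(policy):
    """Return (principal_type, principal) pairs allowed to assume the role."""
    found = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may be a string or a list and may use wildcards such as sts:*
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatchcase("sts:assumerole", a) for a in actions):
            continue
        principal = stmt.get("Principal")
        if principal == "*":  # shorthand for any AWS principal
            found.append(("AWS", "*"))
            continue
        for ptype, names in (principal or {}).items():
            for name in _as_list(names):
                found.append((ptype, name))
    return found

def overly_broad(policy):
    """Principals that let any account assume the role (review these first)."""
    return [p for p in assume_role_principals(policy) if p[1] == "*"]

if __name__ == "__main__":
    print(assume_role_principals(TRUST_POLICY), overly_broad(TRUST_POLICY))
```

A Service principal such as ec2.amazonaws.com is not flagged, since it only lets that AWS service (here, EC2 instances carrying the role's instance profile) assume the role rather than arbitrary accounts.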
