Mastering IAM Roles and Cross-Account Access in AWS

Introduction

On the second day of our AWS IAM deep dive, we focused on IAM roles and corss-account access. Unlike IAM users, IAM roles provide a way to grant permissions without using long-term credentials. this is particularly useful for granting AWS services access to other resources or enabling secure cross-account access

Understanding IAM Roles

What Are IAM Roles?

IAM roles are identities within AWS that allow temporary access to resources. They do not have credentials like users but instead rely on temporary security tokens. Roles are useful when AWS services, applications, or users form another AWS account need specific permissions without requiring permanent access.

Trust Policies vs. Permissions Policies

• Trust Policy: Define who can assume the role. This could be an AWS service, another AWS account, or a specific IAM user.
• Permissions Policy: Defines what actions that can perform on which AWS resources.

Playing around with the roles

Creating an IAM Role for EC2 to Access S3

A common use case for IAM roles is granting an EC2 instance access to an S3 bucket without storing credentials.

Steps:

1. Create a Role in the Target AWS Account
   • Go to IAM > Roles > Create Role.
   • Select Another AWS Account and enter the trusted account ID.
   • Attach required permissions, such as ReadOnlyAccess.
2. Allow Users in the Source Account to Assume the Role
   • In the Trust Policy, allow specific IAM users or groups to assume the role.
   • Use the sts:AssumeRole action in the source account to switch roles.
3. Assume the Role Using AWS CLI
   • Run:

aws sts assume-role --role-arn "arn:aws:iam::ACCOUNT-ID-WITH-ROLE:role/RoleName" --role-session-name SessionName

1. This returns temporary credentials, allowing access to the target account.

Validation and Testing

1. Log in with the IAM role or user and attempt different actions.
2. Verify permissions by checking whether read or write operations are allowed.
3. Attempt accessing resources across accounts to ensure cross-account access is correctly set up.

Key Takeaways

• IAM roles eliminate the need for storing permanent credentials.
• Trust policies define who can assume a role, while permission policies define what actions the role can perform.
• Cross-account access enables secure collaboration between AWS accounts.
• The AWS Security Token Service (STS) provides temporary credentials when assuming a role.

Challenges Faced

• Access Denied Errors: Incorrectly configured trust or permission policies caused permission issues.
• Role Propagation Delays: Sometimes, new roles take a few minutes before becoming effective.
• Cross-Account Misconfigurations: Failing to allow users to assume roles led to authentication failures.

Conclusion

IAM roles are essential for granting secure, temporary permissions to AWS services, applications, and external users. Understanding trust policies, permission policies, and cross-account access allows better security and flexibility in AWS environments. Implementing these best practices ensures a well-architected and secure IAM setup.