AWS IAM Roles: SAA-C03 Study Guide
In the AWS ecosystem, IAM Roles are the cornerstone of secure, credential-less access. Unlike IAM Users, roles do not have long-term passwords or access keys. Instead, they provide temporary security credentials via the AWS Security Token Service (STS).
Core Concepts & Configuration
To master roles for the SAA-C03, you must understand the two-part policy structure:
- Trust Policy (AssumeRolePolicyDocument): Defines who is allowed to assume the role (the “Principal”). This could be an AWS service (EC2), another AWS account, or a federated user.
- Permissions Policy: Defines what the holder of the role can do once they have assumed it (e.g., s3:ListBucket).
Comparison: IAM Users vs. IAM Roles
| Feature | IAM User | IAM Role |
|---|---|---|
| Credentials | Long-term (Password/Access Keys) | Temporary (STS Tokens) |
| Usage | Permanent identity for a person/app | Dynamic identity for services or cross-account |
| Best Practice | Avoid for EC2/Lambda | Preferred for all AWS resources |
| Entity | Unique to one person/system | Can be assumed by anyone authorized |
Architectural Patterns
1. Cross-Account Access
Used when Account A needs to access resources in Account B. Account B creates a role with a Trust Policy pointing to Account A’s ID. This eliminates the need for creating IAM users in every account.
2. Identity Federation
Allows users from external systems (Active Directory, Google, Okta) to access AWS.
- SAML 2.0: Used for Enterprise SSO (Active Directory).
- Web Identity Federation: Used for mobile apps (Login with Amazon/Google). Uses
AssumeRoleWithWebIdentity.
Decision Matrix / If–Then Guide
- If an EC2 instance needs to access S3… Then use an IAM Role attached to an Instance Profile.
- If a mobile app needs to upload to S3… Then use Cognito Identity Pools with an IAM Role.
- If you need to grant a 3rd party auditor access to your logs… Then use a Cross-Account Role with an External ID.
- If you have 5000 employees in Active Directory… Then use SAML 2.0 Federation with IAM Roles.
Exam Tips and Gotchas
- The “External ID”: Always use an External ID for 3rd party cross-account access to prevent the “Confused Deputy” problem.
- Instance Profiles: On the exam, “IAM Role” and “Instance Profile” are often used interchangeably for EC2, but technically the Profile is the container for the Role.
- No Hardcoding: Any exam question suggesting you store Access Keys in code or config files is almost always the wrong answer. Use Roles.
- Service-Linked Roles: These are predefined by AWS services (like Auto Scaling) and cannot be deleted until the service is cleaned up.
Topics covered:
Summary of key subtopics covered in this guide:
- Trust Policies vs. Permissions Policies
- Temporary Credentials via AWS STS
- Cross-Account Role Architecture
- Identity Federation (SAML & OIDC)
- EC2 Instance Profiles
- Security best practices (Least Privilege)
Visualizing IAM Role Logic
SEC Service Ecosystem
Roles integrate seamlessly with:
- CloudTrail: Logs all
AssumeRoleevents. - Config: Audits role permissions over time.
- KMS: Roles can be granted permission to decrypt keys.
OPS Performance & Scaling
Roles scale automatically. Unlike IAM Users with static keys that need rotation, STS handles the lifecycle of temporary credentials, reducing operational overhead and improving security posture during rapid scaling.
$$$ Cost Optimization
IAM is a Global Free Service. Using roles instead of complex key management systems (like 3rd party vaults) reduces architectural complexity and associated licensing costs.