DevOpsLesson
DevOpsLesson

Free, comprehensive DevOps tutorials and learning roadmaps. Master Docker, Kubernetes, CI/CD, and more.

Stay Updated

Get notified about new tutorials and features.

Tutorials

  • What is DevOps?
  • Docker Tutorial
  • Terraform Tutorial
  • CI/CD Pipeline
  • All Tutorials

Roadmaps

  • DevOps Engineer
  • Cloud Engineer
  • SRE Path
  • All Roadmaps

Company

  • About Us
  • Blog
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 DevOpsLesson. All rights reserved.

DOCKERKUBERNETESTERRAFORMAWSCI/CDLINUXGITDEVOPS ROADMAPCLOUD ROADMAPSRE ROADMAPGIT CHEATSHEETDOCKER CHEATSHEETK8S CHEATSHEETTF CHEATSHEETLINUX CHEATSHEETDOCKERFILE LINTERYAML VALIDATORCRON PARSERREGEX TESTER

Aws Tutorial

Introduction to AWS
AWS Global Infrastructure
Setting Up AWS
AWS IAM
AWS EC2
AWS VPC
AWS S3
AWS RDS
AWS Lambda
AWS ECS and EKS
AWS CloudWatch
AWS CodePipeline
AWS Cost Optimization
AWS Elastic Load Balancing
AWS Auto Scaling
AWS CloudFront
AWS Route 53
AWS DynamoDB
AWS ElastiCache
AWS SQS
AWS SNS
AWS EventBridge
AWS Step Functions
AWS API Gateway
AWS ECR
AWS EKS
AWS CloudFormation
AWS Elastic Beanstalk
AWS KMS
AWS Secrets Manager
AWS WAF and Shield
AWS CloudTrail
AWS Config
AWS Systems Manager
AWS Organizations
AWS EFS
AWS EBS Deep Dive
AWS Kinesis
AWS Athena
AWS CodeDeploy
AWS CodeCommit
AWS CDK
AWS SAM

AWS IAM Roles and Policies

PreviousPrev
Next

Learn when to use IAM roles, how policy JSON works, and why managed policies are usually better than many inline exceptions.

Roles and policies are where IAM becomes truly powerful. A role is an identity that is assumed rather than permanently owned. That makes roles ideal for EC2 instance profiles, Lambda execution identities, CI/CD systems, and cross-account access. Instead of storing long-lived credentials on every workload, AWS issues temporary credentials when the role is assumed.

Policies are JSON documents that describe permissions. The structure is consistent: Version defines the policy language version, Statement contains one or more rules, Effect is usually Allow or Deny, Action lists API operations, and Resource identifies what the action can target. Conditions can narrow access further based on context such as source IP, tags, or MFA presence.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::example-artifacts/*"
    }
  ]
}
PatternBest use
Managed policyReusable permission set shared across identities
Inline policyOne-off permission tightly attached to a single identity
RoleTemporary credentials for users, services, or accounts

Managed policies are usually easier to maintain because you can reuse and update them in one place. Inline policies can be helpful for narrow exceptions, but too many inline fragments make permission reviews messy. For most environments, standard roles plus managed policies create a cleaner access model.

Roles are especially important in automation. An EC2 instance profile lets applications access S3 or Secrets Manager without storing access keys on disk. A Lambda execution role tells the function what it can log or read. A cross-account role allows a security team in one account to audit another without sharing passwords or keys.

Pair this lesson with AWS IAM Best Practices so role design stays secure as your environment grows.

aws iam list-policies --scope Local --output table
aws iam get-role --role-name my-application-role
aws iam create-role --role-name demo-role --assume-role-policy-document file://trust-policy.json

Operational note

Permission work improves when it is reviewed as part of normal delivery rather than treated as a one-time security task. When a new team, service, or pipeline is introduced, decide which identity it should use, what the smallest permission set looks like, and how you will audit changes later through CloudTrail and IAM reports. Shared standards like this make future environments easier to launch, review, and support.

Exercise

Roles

Which IAM option is best for giving an EC2 instance temporary AWS credentials?

Exercise

Policy structure

Which JSON field in an IAM policy lists the API operations being allowed or denied?

PreviousPrev
Next

Continue Learning

AWS CLI Setup

Install and configure AWS CLI v2 on macOS, Linux, or Windows, then verify credentials and use profiles for multiple AWS accounts.

12 min·Easy

AWS IAM

Understand AWS Identity and Access Management, including users, groups, roles, policies, and least-privilege design for secure cloud operations.

20 min·Intermediate

AWS IAM Users and Groups

Create IAM users, organize them into groups, and decide when console access or programmatic access is appropriate.

12 min·Easy

Explore Related Topics

Te

Terraform Tutorials

Manage AWS infrastructure as code

Li

Linux Tutorials

Essential Linux skills for working with EC2

On This Page

Operational note