103 — IAM Roles and Custom Policies

Intermediate

Write a custom IAM policy in JSON, create an EC2 service role with a trust policy, attach the policy to a user and the role, and simulate permissions — all from the CLI.

Learning Objectives

1
Explain the difference between IAM users, groups, and roles
2
Write a custom IAM permission policy document in JSON
3
Create a customer-managed policy with the CLI
4
Attach the custom policy to an IAM user
5
Write a trust policy and create an IAM role that EC2 can assume
6
Attach the custom policy to the role
7
Simulate a policy decision with aws iam simulate-principal-policy
8
Clean up all created resources in the correct dependency order
Step 1

Review roles vs users and prepare your IAM identity

Before writing policy documents, understand when to use a role instead of a user. Then re-create the devops-student user that was cleaned up at the end of Lesson 102.

Commands to Run

aws iam create-user --user-name devops-student

What This Does

An IAM user is a permanent identity with long-lived credentials (access keys).

An IAM role is a temporary identity that any trusted principal — an AWS service, another account, or a federated user — can assume.

Roles issue short-lived session tokens via AWS STS rather than permanent keys.

EC2 instances, Lambda functions, and other AWS services use roles (not users) to interact with the AWS API.

Because Lesson 102 cleaned up devops-student, run the create-user command above to recreate it for this lesson's exercises.

Expected Outcome

JSON output confirming the new user:
{
    "User": {
        "Path": "/",
        "UserName": "devops-student",
        "UserId": "AIDAIOSFODNN7EXAMPLE",
        "Arn": "arn:aws:iam::123456789012:user/devops-student",
        "CreateDate": "2024-01-15T10:00:00+00:00"
    }
}
Record the Arn — you will need it in step 8 for the policy simulation.

Pro Tips

  • 1
    IAM and STS operations are always free — there is no cost for any step in this lesson.
  • 2
    The key difference: users hold long-term credentials, roles grant temporary access. Roles are the AWS-recommended pattern for service-to-service access.
Was this step helpful?

All Steps (0 / 9 completed)