Under the IAM section we created a role and attached an STS service AssumeRole policy for another user, dev3. Why is it that we did not have to attach one to the EC2 instance here?
This is my understanding of the concept; it might be clarified or corrected by someone with more experience.
You do actually! The AWS console however does a great job taking care of that for you. The very first step to create a role is to select a trusted entity. Here we selected EC2. This is actually creating an STS AssumeRole policy for EC2 within our account.
From my understanding, when it comes to AWS resources, you don't provide such granular access to roles as to give one particular EC2 instance access to a role. Either this service in your account has access to do "x", or it doesn't.
Users, on the other hand, are a different story. It would be counterproductive to provide everyone access to every role all the time. Instead, you do have this granular level of assigning individual users access to assume an individual role.
Great question though! That made me think and continues to do so...
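To make the distinction in the answer above concrete, here is an added example (not part of the original thread, and not AWS's own code) showing the two kinds of trust policy the console generates behind the scenes: one whose trusted entity is the EC2 service principal, and one whose trusted entity is a specific IAM user. Both policy documents are constructed for illustration; the account ID `123456789012` and the user name `dev3` are placeholders. The small checker that follows extracts which principals a trust policy lets assume the role and flags the one thing a reviewer most wants to catch: a trust policy that allows any principal (`"*"`) without a limiting `Condition`.

```python
import json

# Constructed trust policy for a role whose trusted entity is the EC2 service.
# This is what the console writes when you pick "EC2" as the trusted entity:
# any EC2 instance in this account that has this role attached (via an
# instance profile) may call sts:AssumeRole for it.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Constructed trust policy for a role that only one IAM user may assume.
# Account ID and user name are placeholders, not values from the thread.
USER_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/dev3"},
            "Action": "sts:AssumeRole",
        }
    ],
}

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def trusted_principals(policy):
    """Return (kind, principal) pairs allowed to assume the role.

    kind is "Service", "AWS", "Federated", or "*" for a wildcard principal.
    Only Allow statements that grant an AssumeRole-capable action count.
    """
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            found.append(("*", "*"))
            continue
        for kind, values in principal.items():
            for value in _as_list(values):
                found.append((kind, value))
    return found


def is_overly_permissive(policy):
    """True if any principal may assume the role without a Condition.

    A trust policy with Principal "*" (or "AWS": "*") and no Condition lets
    any AWS account assume the role; that is the misconfiguration a reviewer
    should flag first.
    """
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        if wildcard and not stmt.get("Condition"):
            return True
    return False


if __name__ == "__main__":
    for name, policy in (("EC2", EC2_TRUST_POLICY), ("user", USER_TRUST_POLICY)):
        print(name, "->", trusted_principals(policy), "risky:", is_overly_permissive(policy))
    print(json.dumps(EC2_TRUST_POLICY, indent=2))
```

The EC2 policy names a service principal, so the grant applies to the service as a whole within the account, which is the "either the service has access or it doesn't" point from the answer. The user policy names one ARN, which is the per-user granularity the answer describes.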