Create and Assume Roles in AWS

1 hour
  • 2 Learning Objectives

About this Hands-on Lab

AWS Identity and Access Management (IAM) is a service that allows AWS customers to manage user access and permissions for the accounts and available APIs/services within AWS. IAM can manage users, security credentials (such as API access keys), and allow users to access AWS resources.

In this lab, we discover how security policies affect IAM users and groups, and we go further by implementing our own policies while also learning what a role is, how to create a role, and how to assume a role as a different user. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it. Also, a role does not have standard long-term credentials such as a password or access keys associated with it. Instead, when you assume a role, it provides you with temporary security credentials for your role session.

By the end of this lab, you will understand IAM policies and roles, and how assuming roles can assist in restricting users to specific AWS resources.

AWS Documentation: [IAM roles](

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create the Correct S3 Restricted Policies and Roles

Perform the following tasks:

  1. Create the S3RestrictedPolicy IAM policy. Ensure only the appconfig buckets are accessible.
    • Select the S3 service and all S3 actions
    • Select all resources except bucket
    • Add the appconfig bucket names to the policy
  2. Create the S3RestrictedRole IAM role.
    • Set the trusted entity to another AWS account
    • Add your account ID
    • For permissions, select the S3RestrictedPolicy
  3. Revoke the AmazonS3FullAccess access policy from the developergroup.
  4. Attach the S3RestrictedPolicy to the dev1 user.
Configure IAM So the dev3 User Can Assume the Role

Perform the following tasks:

  1. Create the AssumeS3Policy IAM policy.
    • Select the STS service
    • Select AssumeRole under the write options
    • Add the S3RestrictedRole
  2. Attach the AssumeS3Policy to the dev3 user.
  3. Assume the S3RestrictedRole as the dev3 user.
    • Log in as the dev3 user
    • Switch roles to the S3RestrictedRole
    • Verify access in S3

Additional Resources

Ensure you are operating out of the N. Virginia (us-east-1) region.

NOTE: The lab shows the attaching policies to AWS users; in the real world, we would want to administer from the group level whenever possible. AWS now auto logs out when logging in as another user (even if in a new Incognito/Private Window). As a work around, you can right-click the lab's blue "Open Link in Incognito/Private Window` button and copy the link into a different browser. You'll then be able to be logged into the other account using the lab provided credentials. The lab is easiest to do with 3 different browsers due to the new AWS logout behavior.

  • dev1 password: 3Kk6!AY36^5h1rolJYb@C
  • dev2 password: 3Kk6!AY36^5h1rolJYb@C
  • dev3 password: 3Kk6!AY36^5h1rolJYb@C

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?