AWS IAM Roles: What is a trusted entity exactly?

  1. A trusted entity is which service can assume any given role. If you make EC2 the trusted entity, you can't assume the role to use the permissions, Lambda can't assume the role, only an EC2 instance. Most services in AWS are given permissions by assuming roles. Many services can configure this automagically for you, which is common when people are learning AWS. When you're working in secure environments, setting up roles and permissions becomes fairly critical. For example, if you give EC2 a role with admin permissions and someone compromises the instance, they effectively have admin rights into your AWS account, which is why you give all resources / roles least permissions.
  2. When you configure a resource like an EC2 instance or Lambda function (etc) you tell it what role to assume. That EC2 instance / function / etc then has the permissions associated with the role.
  3. This just means that an EC2 instance is allowed to assume that role. When an EC2 instance starts, it identifies the role it wants to assume. IAM validates that the role is allowed to assume that role and the instance is allowed to start.
  4. There's a list of AWS service principals here. When you hit "create role" in the console, you get a list in trusted entities. When I need one to put into my CloudFormation, I just click that, then copy and paste it from the JSON.

The AssumeRolePolicyDocument specifies who can assume the role. I suspect you can specify that multiple entities can assume a role, but in practice I write a role for each service.

You can think of IAM roles similar to roles people have. My role as "architect for company XYZ" gives me permissions to enter the office, log into the system, that kind of thing. If I assume a role as, say, a policeman, I have additional rights, such as going into a police station, arresting people, etc.
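To make the trusted-entity idea concrete, here is an added example (not code from the answer above) that builds an AssumeRolePolicyDocument for one or more AWS service principals and then audits a trust policy to answer the question in point 1: which services may call sts:AssumeRole on the role, and is the trust wider than intended. The function names, the sample policies and the audit rules are my own; the document structure (Version, Statement, Effect, Principal with a Service key, Action sts:AssumeRole) is the standard IAM trust-policy format, and Principal.Service may be a single string or a list of service principals.

```python
"""Build and audit an IAM role trust policy (AssumeRolePolicyDocument).

Added example, not part of the original answer. Function names and the
sample policies below are assumptions for illustration only.
"""
import json


def trust_policy(services):
    """Return a trust policy that lets the given service principals
    (e.g. "ec2.amazonaws.com") assume the role via sts:AssumeRole.
    A single service is emitted as a string, several as a list; both are
    valid IAM syntax for Principal.Service."""
    principal = services[0] if len(services) == 1 else list(services)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": principal},
                "Action": "sts:AssumeRole",
            }
        ],
    }


def _as_list(value):
    """IAM allows most fields to be either a scalar or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _allows_assume_role(actions):
    """True if an Action element covers sts:AssumeRole (directly or by wildcard)."""
    return any(a in ("sts:AssumeRole", "sts:*", "*") for a in _as_list(actions))


def trusted_services(policy):
    """Return the set of principals that an Allow statement lets assume the role.
    "*" in the result means an anonymous/any-principal trust was found.
    Conditions and NotPrincipal are not evaluated here; treat the result as
    the upper bound of who is trusted."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _allows_assume_role(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            found.add("*")
            continue
        if isinstance(principal, dict):
            found.update(_as_list(principal.get("Service")))
            if "*" in _as_list(principal.get("AWS")):
                found.add("*")
    return found


def can_assume(policy, service):
    """Can the named service principal assume the role under this policy?"""
    trusted = trusted_services(policy)
    return "*" in trusted or service in trusted


def audit(policy):
    """Return findings for a trust policy that is broader than one service."""
    findings = []
    trusted = trusted_services(policy)
    if "*" in trusted:
        findings.append("trust policy allows any principal to assume the role")
    if len(trusted) > 1:
        findings.append(
            "role is trusted by multiple services: " + ", ".join(sorted(trusted))
        )
    return findings


if __name__ == "__main__":
    # EC2-only trust, as described in point 1 of the answer.
    ec2_only = trust_policy(["ec2.amazonaws.com"])
    print(json.dumps(ec2_only, indent=2))
    print("lambda can assume:", can_assume(ec2_only, "lambda.amazonaws.com"))
    print("findings:", audit(ec2_only))

    # Constructed sample of an over-broad trust policy (a common misconfiguration).
    anyone = {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "sts:AssumeRole"}
        ],
    }
    print("findings:", audit(anyone))
```

The `trust_policy` output can be pasted straight into the AssumeRolePolicyDocument property of an AWS::IAM::Role in CloudFormation. The audit is deliberately conservative: it ignores Condition blocks, so a finding means "look at this", not "this is exploitable".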