IAM Roles vs Resource-Based Policies

Cross-Account Access Methods

  1. Resource-Based Policy
      • Attached directly to the resource (e.g., S3 bucket, SQS queue).
      • Grants access to specified AWS principals (users, roles, accounts).
      • The caller keeps its original identity and permissions.
      • Example: An S3 bucket in Account B allows a user from Account A to PutObject via its bucket policy.
  2. IAM Role (AssumeRole)
      • Created in the target account and trusted by another account.
      • External users assume the role, temporarily replacing their original permissions with the role’s permissions.
      • Example: A user from Account A assumes a role in Account B that grants S3 access.

Key Differences

Aspect                 | Resource-Based Policy                            | IAM Role
Where defined          | On the resource itself                           | As an IAM role in the target account
Identity after access  | Caller keeps its identity                        | Caller uses the role’s identity
Permissions used       | Union of caller’s permissions + resource policy  | Role’s permissions only
Typical usage          | Simple cross-account access to a resource        | Delegated access requiring different permissions or multiple resources

Example Use Case

If a user in Account A needs to scan a DynamoDB table in Account A and store results in an S3 bucket in Account B:
  • Keep DynamoDB access via IAM in Account A.
  • Allow S3 write via a bucket policy in Account B (resource-based).
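The two options above, written out as policy documents. This is an added example, not part of the original notes: it builds the bucket policy that Account B would attach for the resource-based option, and the trust plus permissions policies for the IAM-role option, and ends with a small review check that flags Allow statements trusting every AWS principal. Account IDs, the bucket name and the role names are constructed placeholders.

```python
"""Cross-account S3 write two ways: a bucket policy in Account B that names a
principal from Account A, or an IAM role in Account B that Account A assumes.
All account IDs, bucket and role names below are constructed placeholders."""
import json
from typing import Optional

ACCOUNT_A = "111111111111"          # constructed: the calling account
ACCOUNT_B = "222222222222"          # constructed: the account that owns the bucket
BUCKET = "example-results-bucket"   # constructed
CALLER_ROLE = "scanner"             # constructed: role in Account A that scans DynamoDB


def bucket_policy_for_caller(bucket: str, caller_account: str, caller_role: str) -> dict:
    """Resource-based option: Account B attaches this to the bucket.
    The caller keeps its own identity (arn:aws:iam::<A>:role/scanner); for a
    cross-account call its identity policy in Account A must also allow s3:PutObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowAccountAScannerPutObject",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{caller_account}:role/{caller_role}"},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def role_trust_policy(trusted_account: str, external_id: Optional[str] = None) -> dict:
    """IAM role option, part 1: who may call sts:AssumeRole on the role in Account B."""
    statement = {
        "Sid": "TrustAccountA",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        # Optional guard used when the trusted account belongs to a third party.
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def role_permissions_policy(bucket: str) -> dict:
    """IAM role option, part 2: what the assumed role may do. After AssumeRole the
    caller acts with exactly these permissions, not its Account A ones."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "WriteResults",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def wildcard_principal_sids(policy: dict) -> list:
    """Review check: Sids of Allow statements whose Principal is '*' or {'AWS': '*'}
    with no Condition, i.e. statements that trust every AWS identity."""
    flagged = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        values = aws if isinstance(aws, list) else [aws]
        if "*" in values and "Condition" not in st:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for name, doc in [
        ("bucket policy (Account B)", bucket_policy_for_caller(BUCKET, ACCOUNT_A, CALLER_ROLE)),
        ("role trust policy (Account B)", role_trust_policy(ACCOUNT_A)),
        ("role permissions policy (Account B)", role_permissions_policy(BUCKET)),
    ]:
        print(f"--- {name}: wildcard principals = {wildcard_principal_sids(doc)}")
        print(json.dumps(doc, indent=2))
```

Running the file prints the three documents ready to paste into the S3 console or `aws iam create-role` / `put-role-policy`; the DynamoDB side of the use case stays in Account A's own identity policy and is not generated here.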

AWS Services Supporting Resource-Based Policies

  • S3 buckets
  • SNS topics
  • SQS queues
  • Lambda functions
  • API Gateway
  • EventBridge event buses

Amazon EventBridge – Security Models

When EventBridge triggers a target, it needs permission to interact with it.
  1. Resource-Based Policy
      • Directly on the target resource.
      • Target trusts EventBridge to perform the action.
      • Common for:
        • Lambda (lambda:InvokeFunction)
        • SNS (sns:Publish)
        • SQS (sqs:SendMessage)
        • S3 (s3:PutObject)
        • API Gateway (execute-api:Invoke)
  2. IAM Role (AssumeRole)
      • EventBridge assumes the role before calling the target.
      • Role grants necessary permissions for the action.
      • Required for:
        • EC2 Auto Scaling
        • Systems Manager Run Command
        • ECS task execution

Rule of thumb:
  • If the service supports a resource-based policy, you can grant EventBridge permissions directly on the resource.
  • If it doesn’t, EventBridge needs an IAM role to act on the target.
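Both EventBridge security models as policy documents, added here as an example rather than taken from the original notes. It generates the resource-based statement a Lambda function needs (the same statement `aws lambda add-permission` writes), the trust and permissions policies of a role EventBridge assumes to run an ECS task, and a review check that flags grants to a service principal with no `aws:SourceArn` / `aws:SourceAccount` condition. The scoping conditions are my addition to the page's two models; every ARN and name is a constructed placeholder.

```python
"""EventBridge -> target permissions two ways: a resource-based statement on a
Lambda function, and an IAM role EventBridge assumes to run an ECS task.
All ARNs and names below are constructed placeholders."""
import json

EVENTS_PRINCIPAL = "events.amazonaws.com"
RULE_ARN = "arn:aws:events:us-east-1:222222222222:rule/nightly-scan"              # constructed
FUNCTION_ARN = "arn:aws:lambda:us-east-1:222222222222:function:process-events"     # constructed
CLUSTER_ARN = "arn:aws:ecs:us-east-1:222222222222:cluster/scanners"                # constructed
TASK_DEF_ARN = "arn:aws:ecs:us-east-1:222222222222:task-definition/scanner:1"      # constructed
TASK_ROLE_ARN = "arn:aws:iam::222222222222:role/scanner-task"                      # constructed


def lambda_invoke_statement(function_arn: str, rule_arn: str) -> dict:
    """Resource-based option: statement placed on the function's policy.
    aws:SourceArn ties the grant to one rule, so EventBridge can only invoke the
    function on behalf of that rule and not any rule that names it as a target."""
    return {
        "Sid": "AllowEventBridgeRule",
        "Effect": "Allow",
        "Principal": {"Service": EVENTS_PRINCIPAL},
        "Action": "lambda:InvokeFunction",
        "Resource": function_arn,
        "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
    }


def ecs_target_role(rule_arn: str, cluster_arn: str, task_def_arn: str, passrole_arns: list) -> dict:
    """IAM role option: the trust policy lets EventBridge assume the role (scoped to
    one rule); the permissions policy lets it start the task and pass the task's own
    IAM roles to ECS, and nothing else."""
    return {
        "trust": {
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"Service": EVENTS_PRINCIPAL},
                "Action": "sts:AssumeRole",
                "Condition": {"ArnEquals": {"aws:SourceArn": rule_arn}},
            }],
        },
        "permissions": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "RunScannerTask",
                    "Effect": "Allow",
                    "Action": "ecs:RunTask",
                    "Resource": task_def_arn,
                    "Condition": {"ArnEquals": {"ecs:cluster": cluster_arn}},
                },
                {
                    "Sid": "PassTaskRoles",
                    "Effect": "Allow",
                    "Action": "iam:PassRole",
                    "Resource": passrole_arns,
                    "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}},
                },
            ],
        },
    }


def unscoped_service_grants(policy: dict) -> list:
    """Review check: Sids of Allow statements for a service principal that carry no
    aws:SourceArn or aws:SourceAccount condition. Such a grant lets the service act
    for any rule in any account that can drive it (the confused-deputy case)."""
    flagged = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if st.get("Effect") != "Allow" or not isinstance(principal, dict) or "Service" not in principal:
            continue
        keys = {k for cond in st.get("Condition", {}).values() for k in cond}
        if not keys & {"aws:SourceArn", "aws:SourceAccount"}:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    stmt = lambda_invoke_statement(FUNCTION_ARN, RULE_ARN)
    role = ecs_target_role(RULE_ARN, CLUSTER_ARN, TASK_DEF_ARN, [TASK_ROLE_ARN])
    print("Lambda function policy statement:")
    print(json.dumps(stmt, indent=2))
    print("ECS target role:")
    print(json.dumps(role, indent=2))
    print("unscoped service grants:", unscoped_service_grants({"Statement": [stmt]}),
          unscoped_service_grants(role["trust"]))
```

The check is worth running over existing Lambda, SNS and SQS resource policies as well: a statement for `events.amazonaws.com` that lacks the source condition is granted to the EventBridge service as a whole, not to your rule.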