How to create and configure AWS IAM roles

AWS Identity and Access Management (IAM) is a service provided by Amazon that allows us to manage access to the resources in our AWS account. Through this service, we can define which actions can be performed on our resources and who can perform them. IAM identities are the entities that are granted access to AWS resources through IAM; they include roles, users, and groups.

IAM roles are used to define the actions an AWS resource can perform on other AWS resources. For example, an IAM role can allow an EC2 instance to access the objects inside an S3 bucket. When a role is assumed, temporary credentials are issued that grant the permissions attached to the role, so no long-lived access keys need to be stored on the resource.

IAM Policy

IAM policies are JSON documents that specify the actions allowed or denied for an IAM role or user. AWS provides a set of managed policies; however, we can create custom policies when we need them. A simple IAM policy that grants permission to put and delete objects in an S3 bucket is shown below:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor8",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::clab-bucket-*/*",
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "us-east-1"
        }
      }
    }
  ]
}

In the policy given above:

  • Line 6 (Effect): We define whether the statement allows or denies the listed actions. Accepted values are Allow or Deny.

  • Lines 7–10 (Action): We define the actions that an identity using this policy has permission to perform.

  • Line 11 (Resource): We specify the resource to which access is being granted; the wildcard in the ARN matches every object in any bucket whose name starts with clab-bucket-.

  • Lines 13–17 (Condition): We specify a condition so that the statement applies only to requests made to the us-east-1 region (aws:RequestedRegion).
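To see how the Effect, Action, Resource and Condition elements combine on a request, here is an added example (not part of the original tutorial or of AWS's own evaluation engine) that evaluates the policy above with a deliberately simplified version of IAM's logic: explicit Deny wins, a matching Allow grants, everything else is implicitly denied. Only the StringEquals operator and the aws:RequestedRegion context key are modelled; the request values are constructed for illustration.

```python
import fnmatch
import json

# Sample input, constructed for this example: the S3 policy from the text above.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor8",
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:DeleteObject"],
    "Resource": "arn:aws:s3:::clab-bucket-*/*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}
  }]
}
""")

def _as_list(value):
    """IAM accepts a single string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    """IAM wildcard matching: '*' is any run of characters, '?' a single character."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _condition_holds(condition, context):
    """Only the StringEquals operator is modelled; a missing context key fails the check."""
    for key, expected in condition.get("StringEquals", {}).items():
        if context.get(key) not in _as_list(expected):
            return False
    return True

def evaluate(policy, action, resource, context):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request.

    Simplified IAM logic: an explicit Deny always wins, a matching Allow grants
    the request, and anything no statement mentions is implicitly denied.
    """
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        applies = (_matches(stmt["Action"], action)
                   and _matches(stmt["Resource"], resource)
                   and _condition_holds(stmt.get("Condition", {}), context))
        if applies and stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides any Allow
        if applies:
            decision = "Allow"
    return decision
```

Running it shows that the policy permits s3:PutObject on an object in a clab-bucket-* bucket from us-east-1, but not the same call from another region, not s3:GetObject, and not s3:CreateBucket, since neither the action list nor the object-level resource ARN covers bucket creation.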

Test your knowledge

1. What is the purpose of an IAM role?

  A) To define the amount of storage an AWS resource can use

  B) To define the actions an AWS resource can perform on other AWS resources

  C) To monitor network traffic within AWS

  D) To manage billing information in AWS


Configure an IAM role

Now that we know the basics of IAM roles and policies, let's follow the steps given below to create a simple role that provides basic execution permissions to a Lambda function:

  • Log into your AWS console.

  • Search for “IAM” in the search bar and select the “IAM” service.

  • From the sidebar, select the “Roles” button given under the “Access management” section.

  • Click the “Create role” option to create a new role.

  • Ensure that “AWS service” is selected in the “Trusted entity type” section.

  • Select “Lambda” under the “Use case” section to create a role for Lambda.

  • Click the “Next” button.

  • Search for and select the “AWSLambdaExecute” managed policy.

  • Click the “Next” button.

  • Set the role name to LambdaFunctionRole.

  • Click the “Create role” button.


Congratulations! You have created a role that can now be attached to an AWS Lambda Function.


Copyright ©2025 Educative, Inc. All rights reserved