midDevOps
Explain AWS IAM Roles vs Policies.
Updated Apr 28, 2026
Short answer
A Policy is a JSON document that defines permissions (allow/deny rules). A Role is an identity that has policies attached and that a user, application or service can assume; it is not tied to a specific user.
Deep explanation
Policies are JSON documents that spell out exact API access (e.g., Allow s3:GetObject on a given bucket). A Role is an entity that applications or services can temporarily assume to gain the permissions of the policies attached to it; which principals may assume it is governed by the role's trust policy (its trust relationship). Assuming a role yields short-lived temporary credentials rather than long-term static ones (passwords/access keys), so a leaked credential expires on its own and there is no permanent key to rotate or guard; that is what makes roles the safer choice.
Real-world example
Assigning an IAM Role to an EC2 instance so the application running inside it can securely read S3 buckets without hardcoding AWS access keys.
Common mistakes
- Attaching wide-open policies (like `AdministratorAccess`) to roles used by standard applications.
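As an added example (not part of the original answer), the two kinds of document a role carries, written out for the EC2-reads-S3 scenario above, plus a small check for the wide-open mistake just described. The bucket name is a constructed placeholder; the helper names `wide_open_statements` and `trusted_services` are this example's own.

```python
# Constructed example documents (placeholder bucket name, not a real account).
# Permissions policy: WHAT the role may do, the least-privilege S3 read above.
S3_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-bucket",
                     "arn:aws:s3:::example-app-bucket/*"],
    }],
}
# Trust policy (trust relationship): WHO may assume the role, here only EC2.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}
# Same shape as the AWS-managed AdministratorAccess policy document.
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    """IAM accepts either a string or a list for Action/Resource/Principal."""
    return value if isinstance(value, list) else [value]


def wide_open_statements(policy):
    """Return the Allow statements that grant every action on every resource."""
    return [
        stmt for stmt in _as_list(policy.get("Statement", []))
        if stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action", []))
        and "*" in _as_list(stmt.get("Resource", []))
    ]


def trusted_services(trust_policy):
    """Return the AWS service principals a trust policy allows to assume the role."""
    services = []
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") == "Allow" and isinstance(principal, dict):
            services.extend(_as_list(principal.get("Service", [])))
    return services
```

Run `wide_open_statements` over every policy attached to an application role before deployment: the S3 read policy comes back clean, the admin-style one is flagged.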
Follow-up questions
- What is a Trust Relationship in an IAM Role?