Beyond basic IAM, understanding roles (identities that are assumed), policy types and evaluation (how permissions are determined), and patterns such as cross-account access and service roles is essential for secure, well-designed AWS access management.
Roles in depth: who assumes what
A ROLE has TWO key policies:
TRUST POLICY → WHO can assume the role (which principals: a service, account, user)
PERMISSION POLICIES → WHAT the role can do once assumed
Use cases:
→ SERVICE roles — an EC2 instance or Lambda function assumes a role to access AWS (no embedded keys)
→ CROSS-ACCOUNT — account B's role trusts account A → A's users assume it (controlled access)
→ FEDERATION/SSO — external identities assume roles (temporary credentials)
→ Roles give TEMPORARY credentials (auto-rotated) — far safer than long-lived keys.
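The two-policy split and the cross-account pattern above, as an added worked example (not taken from the original notes): it builds a trust policy for a role in account B that only account A's principals can assume, builds the separate permission policy that limits what the role can do once assumed, and runs a simplified trust-policy evaluator plus a defender-side check for wide-open trust. Account IDs, the ExternalId value and the bucket name are constructed placeholders; the evaluator covers only the subset of IAM semantics the example uses and is not AWS's real evaluation engine.

```python
import json

# Constructed sample account IDs and secret (placeholders, not real accounts).
ACCOUNT_A = "111111111111"   # account whose users will ASSUME the role
ACCOUNT_B = "222222222222"   # account that OWNS the role
EXTERNAL_ID = "example-external-id-placeholder"  # shared between A and B


def build_trust_policy(trusted_account, external_id):
    """TRUST policy: WHO may call sts:AssumeRole on this role.
    Only principals in the trusted account, and only when they supply the
    agreed ExternalId (mitigates the confused-deputy problem)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_permission_policy(bucket):
    """PERMISSION policy: WHAT the role can do once assumed (read one bucket)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def can_assume(trust_policy, caller_arn, external_id=None):
    """Simplified AssumeRole check against a trust policy (educational only).
    Supports Allow statements with an "AWS" principal (account root ARN,
    exact caller ARN, or "*") and a StringEquals sts:ExternalId condition.
    Real IAM also applies explicit Deny, the caller's identity policy, SCPs
    and session policies, so a True here means "not blocked by trust"."""
    caller_account = caller_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal_ok = False
        for p in _aws_principals(stmt):
            if p == "*" or p == caller_arn:
                principal_ok = True
            elif p.endswith(":root") and p.split(":")[4] == caller_account:
                principal_ok = True
        if not principal_ok:
            continue
        required = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and external_id != required:
            continue
        return True
    return False


def trust_policy_is_open(trust_policy):
    """Defender check: flag trust policies that let ANY principal assume the
    role with no condition attached (a common misconfiguration to audit)."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _aws_principals(stmt) and not stmt.get("Condition"):
            return True
    return False


if __name__ == "__main__":
    trust = build_trust_policy(ACCOUNT_A, EXTERNAL_ID)
    perms = build_permission_policy("example-bucket-placeholder")
    print(json.dumps(trust, indent=2))
    print(json.dumps(perms, indent=2))
    alice = f"arn:aws:iam::{ACCOUNT_A}:user/alice"
    print("alice with ExternalId:", can_assume(trust, alice, EXTERNAL_ID))
    print("alice without ExternalId:", can_assume(trust, alice))
    print("trust policy open to the world:", trust_policy_is_open(trust))
```

The trust document is what you would pass as the role's assume-role policy and the permission document as an attached policy; keeping them separate is the whole point of the model, since the trust side is reviewed by the role owner (account B) while the permission side bounds blast radius regardless of who got in. The `trust_policy_is_open` check is the kind of rule worth running across every role in an account, because a `Principal: "*"` with no condition on `sts:AssumeRole` turns the role into a public entry point.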
