Holmes Stacks
Career · June 4, 2026

Secure AWS Access with IAM Roles Instead of Using Root User

In this video, you will learn how to secure your AWS account by replacing root user access with IAM roles. This approach helps limit risks associated with credential leaks.

What this guide covers

After reading this guide, you will understand why you should avoid using the AWS root user for daily tasks and how to create and assume IAM roles with a trust policy to manage permissions securely.

When to use it

  • You need to delegate specific AWS permissions to team members or services without sharing root credentials.
  • You’re troubleshooting permission issues without risking full account access.
  • You want to automate AWS tasks with least privilege using assumed roles.
  • You need to reduce blast radius if credentials get compromised in development or production.

The move, step by step

  1. Stop using root for daily tasks. The root user has unrestricted access; avoid logging in with root unless absolutely necessary (e.g., billing).

  2. Create an IAM role with a trust policy. This policy defines who can assume the role. An example allows a specific IAM user to assume it:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/ExampleUser" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  3. Attach permission policies to the role. Define exactly what this role can do (e.g., AmazonS3ReadOnlyAccess). This keeps the role's permissions separate from those of the root user and of individual IAM users.

  4. Allow the trusted user or service to assume the role. Besides being named in the trust policy, the user needs an identity-based policy that allows sts:AssumeRole on this role's ARN.

  5. Assume the role using AWS CLI or SDK. For CLI:

    aws sts assume-role --role-arn arn:aws:iam::123456789012:role/YourRoleName --role-session-name ExampleSession

    This returns temporary credentials scoped to the role's permissions.

  6. Use the temporary credentials instead of root keys. Export them as environment variables or configure your SDK to use them.

  7. Regularly review role policies and trust relationships. Remove unused roles and enforce least privilege.

Example

Input: You want to let ExampleUser assume a role with read-only S3 access.

  • Create role “ReadOnlyS3Role” with this trust policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:user/ExampleUser" },
          "Action": "sts:AssumeRole"
        }
      ]
    }
  • Attach the AWS managed policy AmazonS3ReadOnlyAccess to the role.

  • As ExampleUser, run:

    aws sts assume-role --role-arn arn:aws:iam::123456789012:role/ReadOnlyS3Role --role-session-name Session1

Expected output (partial):

{
  "Credentials": {
    "AccessKeyId": "ASIA...",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
    "SessionToken": "IQoJb3JpZ2luX2VjEKAaCXVzLWVhc3QtMSJ...",
    "Expiration": "2024-06-01T12:34:56Z"
  }
}

Use these credentials for restricted AWS access instead of root credentials.

Common mistakes

  • Mistake: Logging in daily with root user → Fix: Create and use IAM roles with least privilege instead.
  • Mistake: Trust policy with "Principal": "*" → Fix: Specify trusted IAM users or services explicitly.
  • Mistake: Giving broad permissions to roles → Fix: Attach only necessary managed or custom policies to the role.
  • Mistake: Not rotating or disabling unused credentials → Fix: Regularly review and revoke unused access.
  • Mistake: Not using temporary credentials from sts:AssumeRole → Fix: Always use assumed role credentials for actions.
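The following Python is an added example, not code from the original guide: one function flags the trust-policy mistakes listed above (a wildcard principal, an action broader than sts:AssumeRole), and another maps the Credentials block from `aws sts assume-role` to the environment variables the CLI and SDKs read for step 6. The sample policy and STS output are constructed for the example; the hypothetical "bad" policy exists only so the check has something to catch.

```python
import json

# Constructed sample: the guide's trust policy, plus a hypothetical wildcard
# variant that the check below is meant to catch.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/ExampleUser"},
        "Action": "sts:AssumeRole",
    }],
}
TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "sts:*"}],
}
# Constructed STS response in the shape shown under "Expected output".
STS_OUTPUT = """{"Credentials": {"AccessKeyId": "ASIAEXAMPLE",
  "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
  "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLE", "Expiration": "2024-06-01T12:34:56Z"}}"""

def _as_list(value):
    """IAM accepts a string or a list for Principal.AWS and Action; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def trust_policy_findings(policy: dict) -> list:
    """Flag the trust-policy mistakes from the guide: wildcard principals and
    actions broader than sts:AssumeRole. Returns an empty list for a clean policy."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        # "Principal": "*" and {"AWS": "*"} both let any AWS account attempt the assume.
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"statement {i}: wildcard principal")
        for action in _as_list(stmt.get("Action")):
            if action in ("*", "sts:*"):
                findings.append(f"statement {i}: action {action} is broader than sts:AssumeRole")
    return findings

def credentials_to_env(sts_json: str) -> dict:
    """Map the Credentials block of `aws sts assume-role` output to the variables the
    CLI and SDKs read; the session token is mandatory for temporary credentials."""
    creds = json.loads(sts_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}
```

To use the result, export the three variables in your shell before running further aws commands; the Expiration field tells you when they stop working.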

Next step

Create an IAM role in your AWS account with a trust policy allowing your own IAM user to assume it. Attach a restrictive permission policy to the role. Then, practice assuming that role via the AWS CLI and using the temporary credentials.

Then come back and try the next move from the video.

Your one action today

Pick the smallest version of this guide and try it in your tool of choice in the next 20 minutes.
