Basics of Role Assumption
Assuming a Role in AWS
The AWS IAM service is used to set access rights for all AWS users. To support the principle of least privilege, users should have the minimum necessary access needed to execute their responsibilities. AWS IAM also supports role assumption, which allows users with the appropriate permissions to assume an identity and execute actions based on that assumed role for a specific time period.
To learn more about this feature of AWS IAM, visit the AWS documentation on assuming a role.
The principle of least privilege spans many industries and many best practices. Within AWS, Identity and Access Management (IAM) defines the access rights of each user. To implement least privilege, every user should hold only the minimum access needed to carry out their assigned job responsibilities. To make this practical, AWS supports role assumption: a user assumes a role and executes actions under the permissions of that role, and cannot execute those administrative actions without first assuming it. Through the IAM dashboard you can enable role assumption so that the required privileges are granted to the user only after they have assumed the role, and only for a limited period of time.
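The following is an added example, not code from the page or from AWS's SDK: a small Python model of the mechanics described above. It assumes constructed policy documents (a trust policy that names who may call sts:AssumeRole, a least-privilege permission policy on the role, and a MaxSessionDuration) and an illustrative account id, and shows that the role's permissions are only reachable through a time-bounded assumed session.

```python
from fnmatch import fnmatch

# Constructed sample documents; account id 123456789012 is illustrative only.
# Trust policy on the role: only this IAM user may call sts:AssumeRole.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
    "Action": "sts:AssumeRole"}]}
# Permission policy attached to the role: the minimum the task needs.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]}
MAX_SESSION_SECONDS = 3600  # the role's MaxSessionDuration (assumed value)

def _as_list(value):
    return [value] if isinstance(value, str) else list(value)

def can_assume(trust_policy, principal_arn):
    """True if an Allow statement in the trust policy names the principal for sts:AssumeRole."""
    return any(
        stmt["Effect"] == "Allow"
        and principal_arn in _as_list(stmt.get("Principal", {}).get("AWS", []))
        and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
        for stmt in trust_policy["Statement"])

def assume_role(principal_arn, duration_seconds, now_epoch):
    """Model of sts:AssumeRole: check the trust policy, then issue a session whose
    lifetime is bounded by the role's MaxSessionDuration (STS minimum is 900 s)."""
    if not can_assume(TRUST_POLICY, principal_arn):
        raise PermissionError(f"{principal_arn} is not trusted to assume this role")
    if not 900 <= duration_seconds <= MAX_SESSION_SECONDS:
        raise ValueError("DurationSeconds must lie in 900..MaxSessionDuration")
    return {"Policy": ROLE_POLICY, "Expiration": now_epoch + duration_seconds}

def session_allows(session, action, resource, at_epoch):
    """Permission check for an assumed-role session; expired sessions get nothing."""
    if at_epoch >= session["Expiration"]:
        return False  # temporary credentials have lapsed; the caller must re-assume
    return any(
        stmt["Effect"] == "Allow"
        and any(fnmatch(action, a) for a in _as_list(stmt["Action"]))
        and any(fnmatch(resource, r) for r in _as_list(stmt["Resource"]))
        for stmt in session["Policy"]["Statement"])
```

Timestamps are plain epoch seconds so the expiry arithmetic is explicit; real STS returns ISO 8601 expirations and signed credentials.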