Permissions let you specify and control access to AWS services and resources. To grant permissions to IAM roles, you can attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed.
Using IAM policies, you grant access to specific AWS service APIs and resources. You also can define specific conditions in which access is granted, such as granting access to identities from a specific AWS organization or access through a specific AWS service.
With IAM roles, you delegate access to users or AWS services so that they can operate within your AWS account. Users from your identity provider or AWS services can assume a role to obtain temporary security credentials, which are then used to make AWS requests in the account that owns the role. Consequently, IAM roles provide a way to rely on short-term credentials for users, workloads, and AWS services that need to perform actions in your AWS accounts.
Use IAM Roles Anywhere to allow workloads that run outside of AWS, such as on-premises, hybrid, and multicloud environments, to access AWS resources by using X.509 digital certificates issued by your registered certificate authorities. With IAM Roles Anywhere, you can obtain temporary AWS credentials and use the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.
Achieving least privilege is a continuous cycle to grant the right fine-grained permissions as your requirements evolve. IAM Access Analyzer helps you streamline permissions management as you set, verify, and refine permissions.
With AWS Organizations, you can use service control policies (SCPs) and resource control policies (RCPs) to establish permissions guardrails that all principals and resources in an organization’s accounts adhere to. You can use SCPs to centrally control access for principals (IAM roles and users) across your accounts. You can use RCPs to centrally control access for AWS resources across your organization. You can choose to enable only SCPs or RCPs, or use both policy types together to help achieve your security objectives.
Attribute-based access control (ABAC) is an authorization strategy you can use to create fine-grained permissions based on user attributes, such as department, job role, and team name. Using ABAC, you can reduce the number of distinct permissions that you need for creating fine-grained controls in your AWS account.
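The following is an added worked example, not AWS code or part of the original page: a deliberately simplified Python model of how a request is decided when the policy conditions described above, an SCP guardrail from AWS Organizations, and an ABAC tag condition all apply at once. The sample SCP, identity policy, account ID, instance ARN and team tag values are constructed for the demonstration; the evaluator models only identity-based policies and SCPs with the StringEquals and StringLike operators, and it omits resource-based policies, permissions boundaries, session policies, NotAction/NotResource and the remaining condition operators of the real IAM engine.

```python
"""Simplified model of IAM decision logic (illustrative, not the real engine):
explicit Deny wins, SCPs act as guardrails, identity policies grant, and ABAC
conditions compare resource tags against principal tags via policy variables."""
import re
from fnmatch import fnmatchcase

_VAR = re.compile(r"\$\{([^}]+)\}")  # policy variables such as ${aws:PrincipalTag/team}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(value, ctx):
    """Resolve policy variables from the request context; None if a key is absent."""
    missing = False

    def repl(match):
        nonlocal missing
        found = ctx.get(match.group(1))
        if found is None:
            missing = True
            return ""
        return found

    resolved = _VAR.sub(repl, value)
    return None if missing else resolved


def _conditions_hold(conditions, ctx):
    """Every operator/key pair must hold; a key missing from the context never matches."""
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            wanted = [w for w in (_substitute(v, ctx) for v in _as_list(expected)) if w]
            if actual is None:
                return False
            if operator == "StringEquals":
                ok = actual in wanted
            elif operator == "StringLike":
                ok = any(fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def _statement_effect(stmt, action, resource, ctx):
    """Return 'Allow', 'Deny', or None when the statement does not apply."""
    # Action names are case-insensitive; ARNs are matched case-sensitively.
    if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
        return None
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", "*"))):
        return None
    if not _conditions_hold(stmt.get("Condition", {}), ctx):
        return None
    return stmt["Effect"]


def evaluate_policy(policy, action, resource, ctx):
    """Explicit Deny beats Allow; no matching statement is an implicit deny (None)."""
    effects = {_statement_effect(s, action, resource, ctx) for s in policy["Statement"]}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None


def is_allowed(scps, identity_policies, action, resource, ctx):
    """Simplified decision for a principal in an Organizations member account:
    1. any explicit Deny in an SCP or identity policy wins;
    2. if SCPs apply, at least one must Allow (the guardrail);
    3. an identity policy must Allow, otherwise the request is implicitly denied."""
    scp_results = [evaluate_policy(p, action, resource, ctx) for p in scps]
    id_results = [evaluate_policy(p, action, resource, ctx) for p in identity_policies]
    if "Deny" in scp_results or "Deny" in id_results:
        return False
    if scps and "Allow" not in scp_results:
        return False
    return "Allow" in id_results


# Constructed sample SCP: the default FullAWSAccess statement plus an org-wide
# guardrail that blocks instance termination whatever identity policies grant.
GUARDRAIL_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"},
]}

# Constructed sample ABAC identity policy: one statement serves every team because
# the resource's team tag must equal the calling principal's team tag.
ABAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringEquals": {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}},
}]}

INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc"  # constructed ARN


def decide(action, principal_team, resource_team, scps=(GUARDRAIL_SCP,)):
    """Decide one request for a principal tagged team=principal_team on an instance
    tagged team=resource_team, under the sample SCP and ABAC policy."""
    ctx = {"aws:PrincipalTag/team": principal_team, "aws:ResourceTag/team": resource_team}
    return is_allowed(list(scps), [ABAC_POLICY], action, INSTANCE, ctx)


if __name__ == "__main__":
    print(decide("ec2:StartInstances", "payments", "payments"))            # True
    print(decide("ec2:StartInstances", "payments", "billing"))             # False: tag mismatch
    print(decide("ec2:TerminateInstances", "payments", "payments"))        # False: SCP guardrail
    print(decide("ec2:TerminateInstances", "payments", "payments", scps=()))  # True: no SCP
```

The four calls at the bottom show the points the page makes in order: the ABAC condition lets a single identity policy scope access by tag rather than by a per-team policy, a mismatched tag falls through to the implicit deny, and the SCP denies termination even though the identity policy would allow it; removing the SCP (an account outside an organization) removes that guardrail.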