AWS Security Academy · Lesson

Trust Policies and Who Can Assume

Define which principals are allowed to take on a role.

The Gatekeeper Policy

A trust policy is the document attached to a role that defines exactly which principals are permitted to assume it. It is the gatekeeper: even if a permission policy grants powerful access, no one can use the role unless the trust policy names them. On the exam, trust-policy mistakes are a frequent cause of both broken access and dangerous over-permissioning.

Principal Types

The Principal element of a trust policy can reference:

  • AWS — an account, user, or role ARN (Amazon Resource Name).
  • Service — an AWS service such as lambda.amazonaws.com.
  • Federated — a SAML provider or web identity provider.

Choosing the right principal type, and naming the principal as specifically as possible, is essential to avoid granting more trust than intended.
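As an added example (not part of the lesson), a small review script that walks the Principal element of constructed trust policies, classifies each entry as AWS, Service or Federated, and flags the two cases where trust is broader than a named principal: a wildcard, or an AWS entry that names a whole account (an account id or `:root` ARN) rather than one role or user. The account ids, role and provider names are made up.

```python
# Constructed sample trust policies (not from the lesson): one per principal
# type the lesson lists, plus two that trust more broadly than intended.
SAMPLE_POLICIES = {
    "cross_account_role": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/Deployer"}}]},
    "lambda_service": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"Service": "lambda.amazonaws.com"}}]},
    "saml_federated": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRoleWithSAML",
        "Principal": {"Federated": "arn:aws:iam::111122223333:saml-provider/CorpIdP"}}]},
    "whole_account": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}]},
    "anyone": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": "*"}]},
}

def principals(policy):
    """Yield (type, value) for each principal in the policy's Allow statements."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # bare "*" means every principal, in every account
            yield "AWS", "*"
            continue
        for ptype, values in principal.items():
            for value in (values if isinstance(values, list) else [values]):
                yield ptype, value

def review_trust_policy(policy):
    """Return findings about who may assume the role; [] means each principal is specific."""
    findings = []
    for ptype, value in principals(policy):
        if ptype not in ("AWS", "Service", "Federated"):
            findings.append(f"unexpected principal type {ptype!r}")
        elif value == "*":
            findings.append(f"{ptype} principal is a wildcard; trust is not limited to a named principal")
        elif ptype == "AWS" and (value.isdigit() or value.endswith(":root")):
            # An account id or :root ARN delegates trust to the whole account,
            # i.e. any user or role there that is itself allowed sts:AssumeRole.
            findings.append(f"AWS principal {value} trusts an entire account rather than one role or user")
    return findings

if __name__ == "__main__":
    for name, policy in SAMPLE_POLICIES.items():
        print(f"{name}: {review_trust_policy(policy) or 'specific principals only'}")
```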
