IAM roles vs users vs policies — how do you apply least privilege in the cloud?
Short answer
A user is a long-lived identity with permanent credentials; a role is an identity with no permanent credentials that any trusted principal can assume to get short-lived tokens; a policy is the JSON document that grants permissions, attached to either. Least privilege means preferring roles over users, scoping policies to specific actions and resources, and granting only what a task needs — then reviewing and pruning over time.
This question separates people who use the cloud from people who secure it. The three concepts are distinct, and conflating them leads directly to over-permissioned environments.
The three building blocks
- User. A long-lived identity, usually for a human, with permanent credentials (password, access keys). Permanent keys are a liability — they leak in repos and CI logs.
- Role. An identity with no permanent credentials. A trusted principal (an EC2 instance, a Lambda, another account, a federated user) assumes the role via STS and receives short-lived, auto-rotating tokens. This is the preferred pattern for workloads and cross-account access because there are no static secrets to steal.
- Policy. The JSON document that actually grants or denies permissions —
Effect,Action,Resource, and optionalCondition. Policies attach to users, roles, or groups. A role or user with no policy can do nothing.
Applying least privilege
Least privilege means each identity holds only the permissions a specific job requires, and nothing more:
- Prefer roles over users for anything non-human, so there are no static keys.
- Scope actions and resources. Replace
s3:*on*with the specific actions on specific ARNs. AddConditionclauses (source IP, MFA, tags) where they fit. - Watch escalation paths. Permissions like
iam:PassRole,iam:CreatePolicyVersion, or attaching admin policies let a low-privilege identity become admin — least privilege must cover IAM actions themselves. - Review and prune. Use access analyzers and last-used data to remove unused permissions over time.
What interviewers look for
Crisp definitions, a clear bias toward roles and short-lived credentials, and awareness that IAM permissions can themselves be an escalation vector.
Likely follow-ups
- When would you use a role instead of an IAM user for an application?
- How do you scope a policy down from a wildcard to least privilege in practice?
- What is privilege escalation via IAM, e.g. an iam:PassRole or policy-editing permission?