# Role-Based Access Control (RBAC)

AWS Role-Based Access Control (RBAC) and temporary credentials are key components of designing secure, scalable, and manageable access control for AWS resources. Together they cover secure access design, the principle of least privilege, and best practices for short-lived, temporary access.

## **Role-Based Access Control (RBAC) in AWS**

Role-Based Access Control (RBAC) assigns permissions based on roles rather than individual users. This ensures that users, applications, and AWS services have only the access they need for their job functions.

### **How RBAC Is Implemented in AWS**

* **IAM Roles** → Define permissions that can be assumed by users, AWS services, or external accounts. IAM Roles are fundamental to RBAC in AWS because whoever assumes a role receives temporary credentials scoped to that role's permissions rather than long-lived keys.
* **IAM Policies** → Define what actions are allowed or denied. IAM Policies can be attached to IAM Roles, IAM Users, or IAM Groups (though AWS best practices recommend using IAM Roles or IAM Identity Center Groups instead of IAM Users).

***

### **RBAC Use Case: Assigning Roles to SecureCart Teams**

SecureCart follows Role-Based Access Control (RBAC) by assigning specific IAM Roles to different user groups.

**RBAC Implementation for SecureCart Teams**

| Team | IAM Role | Permissions | AWS Access Method |
| --- | --- | --- | --- |
| Developers | `DevRole` | Read/write to dev resources, no production access | IAM Identity Center (AWS SSO) |
| Operations | `psRole` | Manage EC2, RDS, and monitoring tools | IAM Identity Center (AWS SSO) |
| Support Team | `SecureCart-SupportRole` | Read-only access to logs and dashboards | IAM Identity Center (AWS SSO) |
| Third-Party Auditors | `SecureCart-AuditRole` | Temporary access to logs & security reports | AWS STS AssumeRole |
| EC2 Instances | `SecureCart-EC2Role` | Read/write S3, access Secrets Manager | IAM Role with temporary credentials |
| Lambda Functions | `SecureCart-LambdaRole` | Invoke APIs, write logs to CloudWatch | IAM Role with temporary credentials |

### **Impact**

* Users assume IAM Roles dynamically based on their job functions.
* No need for static IAM credentials, reducing security risks.

***

## **SecureCart Use Case: Role-Based Access Control (RBAC) and Temporary Credentials**

### **Business Context**

SecureCart is an **e-commerce platform** that requires **secure access control** to AWS resources for developers, operations teams, and applications. Instead of using IAM Users with long-term credentials, SecureCart **implements Role-Based Access Control (RBAC) using IAM Roles and temporary credentials.**

***

### **Security Challenges for SecureCart**

🔹 **Ensure least privilege access** for different teams and services.\
🔹 **Avoid hardcoded credentials** in applications.\
🔹 **Prevent unauthorized access to production environments.**\
🔹 **Implement temporary access for automation and external integrations.**

***

## **How SecureCart Uses RBAC & Temporary Credentials**

SecureCart assigns **roles based on job functions** and grants **temporary credentials** using AWS Security Token Service (STS) and IAM Identity Center (AWS SSO).

| Requirement | Solution | SecureCart Implementation |
| --- | --- | --- |
| Grant access based on job functions | IAM Roles | Developers, Ops, and Support teams assume specific IAM Roles. |
| Prevent credential leakage in applications | IAM Roles + temporary credentials | SecureCart's EC2 instances and Lambda functions use IAM Roles instead of static credentials. |
| Limit developer access to production resources | IAM Identity Center + RBAC | Developers assume roles only in **development and staging environments**. |
| Grant external partners temporary access | AWS STS AssumeRole | SecureCart grants third-party vendors short-lived credentials using STS. |
| Control access across multiple AWS accounts | IAM Identity Center (AWS SSO) | SecureCart teams access AWS accounts using **IAM Identity Center Groups and Permission Sets**. |
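As an added example (not code from this page or from SecureCart), the Python below builds the trust and permissions policies that the two tables imply for `SecureCart-AuditRole`, checks them for least-privilege drift, and prepares the parameters for an STS AssumeRole call. The account IDs, ExternalId, log-group prefix and bucket name are constructed placeholders.

```python
# Constructed placeholder values for this example; not SecureCart's real accounts.
SECURECART_ACCOUNT = "111111111111"
AUDITOR_ACCOUNT = "222222222222"
AUDIT_EXTERNAL_ID = "securecart-audit-external-id"  # agreed out of band with the auditor

def audit_role_trust_policy():
    """Trust policy for SecureCart-AuditRole: only the auditor's account may call
    sts:AssumeRole, and only with the agreed ExternalId (confused-deputy guard)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{AUDITOR_ACCOUNT}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": AUDIT_EXTERNAL_ID}},
    }]}

def audit_role_permissions_policy():
    """Read-only access to SecureCart's log groups and security-reports bucket."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["logs:DescribeLogGroups", "logs:FilterLogEvents"],
         "Resource": f"arn:aws:logs:*:{SECURECART_ACCOUNT}:log-group:/securecart/*"},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::securecart-security-reports",
                      "arn:aws:s3:::securecart-security-reports/*"]},
    ]}

def least_privilege_findings(policy):
    """Flag Allow statements with wildcard actions or resources, the usual sign
    that a role has drifted away from the least-privilege intent in the table."""
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {i}: wildcard action")
        if any(r == "*" for r in resources):
            findings.append(f"statement {i}: wildcard resource")
    return findings

def assume_audit_role_params(session_name):
    """Keyword arguments for boto3's sts.assume_role(): one-hour session plus the ExternalId."""
    return {"RoleArn": f"arn:aws:iam::{SECURECART_ACCOUNT}:role/SecureCart-AuditRole",
            "RoleSessionName": session_name,
            "ExternalId": AUDIT_EXTERNAL_ID,
            "DurationSeconds": 3600}
```

The trust policy would be passed as `AssumeRolePolicyDocument` to `iam.create_role`, and the returned parameters unpacked into `sts.assume_role(**params)`, whose credentials expire after `DurationSeconds`.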
