Beginner’s Guide to IAM: IAM, Roles, Policies, Policy Attachments with Terraform

IAM is short for Identity and Access Management.

  1. What’s the difference between an IAM user and role?

An IAM user has long term credentials and directly interacts with AWS services. An IAM role does not have any credentials and don’t directly access AWS services. IAM roles are assumed by entities (such as users, applications or services like EC2).

2. What’s an IAM Policy?

An IAM Policy allows access  -i.e. they define permissions. You create a policy then attach it to an IAM identity or AWS resource.

3. what’s an IAM Role Policy Attachment?

This can be found in Terraform. e.g.

It attaches an IAM Policy to an IAM role and typically looks like this:

resource “aws_iam_role_policy_attachment” “test-attach” {
role = “${}”
policy_arn = “${aws_iam_policy.policy.arn}”

4. Principal

The Principalelement specifies the AWS user, account, service that is allowed or denied access to a resource.

5. assume_role_policyis very similar but slightly different than a standard IAM policy

6. Service Roles are IAM roles that can be assumed by an AWS service


Note how there are 2 Services listed. The Service key must be unique. So it’s value must be a list.

and a list of Services that work with IAM:


Using Terraform to set up AWS Route 53 Hosted Zones

  1. What’s an AWS Route 53 Hosted Zone?

A Hosted Zone is basically a domain. i.e. a single zone file with all domain information.

See also



Monitoring your AWS Service Limits

It’s all too easy to go past your AWS Service Limits if you’re dealing with big accounts.

E.g. the default for m4.largeper Region is 20. We’re currently running 65 in our smallest Region.


Attempt 1: using AWS’ solution

This unfortunately uses Cloudformation. Moving on…

Attempt 2: using awslimitchecker

See comes to the rescue. You can write your AWS Lambda scripts with it and you’d be good to go.

E.g. List Limits for a Region

awslimitchecker -r eu-west-2 -S EC2 -l

Note that these are defined manually in ./limitchecker/lib/python2.7/site-packages/awslimitchecker/services/

and are from

However, if you have an account that’s already in use these limits may differ. And may also differ per Region.

As I said, it doesn’t query TrustedAdvisor dynamically. Moving on…

Attempt 3: getting the Service Limit data by CLI

Generic TA Check ID:

aws support describe-trusted-advisor-check-result --check-id eW7HH0l7J9 --region us-east-1

and the EC2 On-Demand Check ID:

aws support describe-trusted-advisor-check-result –language en –check-id 0Xc6LMYG8P –query ‘result.sort_by(flaggedResources[?status!=ok],&metadata[2])[].metadata’ –output table

For Check IDs per Service see:


Note that this only seems to work for us-east-1 so you’ll need to make sure this is your default profile (or specify a profile that uses it).

E.g. for other endpoints I got:

Could not connect to the endpoint URL: “”


Could not connect to the endpoint URL: “”

This seems to imply there are no Support endpoints other than us-east-1.

UPDATE: I was right:

AWS Support has a single endpoint: (HTTPS).


More info:


Note 2: if you don’t have Business or Enterprise support this CLI won’t work and you’ll get something like usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters].

You can use some Python like this for running EC2 instances:

so let’s just adapt it to:



Terraform: security_groups vs vpc_security_group_ids

Basically, just use vpc_security_group_ids.

  • security_groups – (Optional, EC2-Classic and default VPC only) A list of security group names to associate with.