AWS IAM glossary

What is IAM Trust Policy?

A trust policy is the resource-based policy attached to an IAM role that defines which principals are allowed to assume it.

Every IAM role has two policies that do different jobs. The permissions policy says what the role can do once assumed. The trust policy says who is allowed to assume it in the first place. The trust policy lives in the role’s AssumeRolePolicyDocument and is evaluated when someone calls sts:AssumeRole against the role.

The Principal element names the trusted identity: an AWS account, an IAM user or role, or an AWS service (for example ec2.amazonaws.com). Conditions can narrow the trust further, such as requiring an ExternalId for cross-account access or an aws:SourceArn for a service principal.

Example

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "sts:AssumeRole",
      "Condition": { "StringEquals": { "sts:ExternalId": "unique-id" } }
    }
  ]
}

Common mistake

A trust policy with Principal set to "*" or a whole account without conditions lets far more identities assume the role than intended — the root cause of many confused-deputy and cross-account escalation issues.
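As an added illustration of the mistake above (example code, not from this page or from Shieldly), here is a Python check that parses a trust policy document and flags Allow statements granting sts:AssumeRole to any principal, or to a whole account (root ARN or bare account id) with no Condition; the three sample policies are constructed.

```python
import json
from fnmatch import fnmatch

# Constructed sample trust policies for the check below (not from the page).
SCOPED = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "unique-id"}}}]})
WHOLE_ACCOUNT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "123456789012"},  # bare account id == that account's root
    "Action": "sts:AssumeRole"}]})
ANY_PRINCIPAL = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": "*", "Action": ["sts:*"]}})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principals(statement):
    """Flatten the Principal element into plain strings ("*" stays "*")."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    out = []
    for values in principal.values():  # keys: AWS, Service, Federated
        out.extend(_as_list(values))
    return out

def _is_whole_account(p):
    return p.endswith(":root") or (p.isdigit() and len(p) == 12)

def trust_findings(policy_json):
    """Return (finding, principal) pairs for Allow statements that grant
    AssumeRole to any principal, or to a whole account with no Condition."""
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        # Action may be a string or a list and may use wildcards such as sts:*.
        if not any(fnmatch("sts:assumerole", a.lower()) for a in _as_list(stmt.get("Action", []))):
            continue
        conditioned = bool(stmt.get("Condition"))
        for p in _principals(stmt):
            if p == "*":
                findings.append(("ANY_PRINCIPAL", p))
            elif _is_whole_account(p) and not conditioned:
                findings.append(("WHOLE_ACCOUNT_NO_CONDITION", p))
    return findings
```

The check treats a bare account id the same as the account's root ARN, since both trust every principal in that account that has sts:AssumeRole permission.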

Analyze a real policy free

Shieldly's AI-Powered analyzer explains why an IAM policy is risky and returns the fix in seconds. No signup, no AWS credentials. Also ships as CLI, VS Code extension, GitHub Action, and CDK Guard.

Amazon Web Services (AWS) is a trademark of Amazon.com, Inc. Shieldly is not affiliated with, endorsed by, or sponsored by Amazon Web Services.