AWS IAM roles define two types of policies:
- Permissions Policy – Defines what permissions the role is granted
- Trust Policy – Defines who can assume the role
AWS IAM roles are ALWAYS assumed (you cannot log into an AWS role).
When a role is assumed, you can specify how long you want it to be assumed for, up to 12 hours – usually a lot less.
AWS IAM roles, like all of IAM, are global – unless something in the trust or permissions policy restricts them to a region.
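The two policy documents, the session-duration limit and a region restriction, shown together as an added example (not part of the original notes). The account ID, user, bucket and the 4-hour per-role maximum are constructed values, and the check is a simplified model of the trust decision, not AWS's full policy evaluation.

```python
# Constructed sample role; account ID, user and bucket names are made up.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
    "Action": "sts:AssumeRole"}]}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]}
ROLE_MAX_SESSION = 4 * 3600        # assumed per-role maximum session setting
STS_MIN, STS_MAX = 900, 12 * 3600  # 15 minutes up to the 12-hour ceiling


def as_list(value):
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """AWS principals that the trust policy allows to call sts:AssumeRole."""
    found = []
    for stmt in as_list(trust_policy["Statement"]):
        actions = as_list(stmt.get("Action", []))
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        principal = stmt.get("Principal", {})
        found += ["*"] if principal == "*" else as_list(principal.get("AWS", []))
    return found


def check_assume(caller_arn, duration, trust_policy, role_max=ROLE_MAX_SESSION):
    """Simplified model: exact-match principals, no Deny or Condition handling."""
    principals = trusted_principals(trust_policy)
    if "*" not in principals and caller_arn not in principals:
        return "denied: caller not in trust policy"
    if not STS_MIN <= duration <= min(role_max, STS_MAX):
        return "denied: duration out of range"
    return "ok"


def region_limits(permissions_policy):
    """Regions pinned by aws:RequestedRegion conditions; empty means global."""
    regions = set()
    for stmt in as_list(permissions_policy["Statement"]):
        for operator_block in stmt.get("Condition", {}).values():
            regions.update(as_list(operator_block.get("aws:RequestedRegion", [])))
    return sorted(regions)
```

A trust policy whose principal list comes back as `*` with no conditions is the first thing to flag in a review, since it lets any AWS principal attempt the assume call.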