> For the complete documentation index, see [llms.txt](https://docs.forestall.io/fsprotect/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.forestall.io/fsprotect/aws-identities/roles.md).

# Roles

**Roles**

The Roles page provides a list of enumerated IAM roles in the entire AWS environment. The list contains the Privileged, Tier 0, Service Linked, Inactive, Risk Score, Exposure Point and Issue Counts.

<figure><img src="/files/ec4NRX0QqPTo3C3nD5XF" alt=""><figcaption><p>Roles</p></figcaption></figure>

***

**Role Details**

Details page contains the Risk Score of the role, Exposure Point, Information and Issues panes.

You can analyze objects in the Graph module by clicking the Visualize button on the upper left side of the Information Pane.

<figure><img src="/files/fjyNdhYG6o9U7Ur1Er45" alt=""><figcaption><p>Role Details</p></figcaption></figure>

***

**Information**

Information Pane can contain different badges to highlight important attributes.

| Badge          | Description                                                                           |
| -------------- | ------------------------------------------------------------------------------------- |
| Privileged     | Indicates that the object is Privileged.                                              |
| Tier           | Indicates that the object tier according to risk score and importance.                |
| Inactive       | Indicates that the role has not been used for a defined period.                       |
| Service Linked | Indicates that the role is an AWS service-linked role managed by an AWS service.      |
| Shadow Admin   | Indicates that the object can compromise admin objects with at least one attack path. |

Information Pane contains Details and Policies tabs.

***

**Details**

Details tab contains attributes below about the IAM role object.

| Attribute            | Description                                                                            |
| -------------------- | -------------------------------------------------------------------------------------- |
| Role Name            | The name of the IAM role, used for identification within AWS.                          |
| Role ID              | The unique identifier assigned to the IAM role by AWS.                                 |
| ARN                  | The Amazon Resource Name that uniquely identifies the IAM role across AWS.             |
| Account ID           | The AWS account ID that the IAM role belongs to.                                       |
| Description          | A user-defined text field describing the role's purpose or intended use.               |
| Path                 | The path associated with the IAM role, used for organizational grouping.               |
| Created              | The date and time when the IAM role was created.                                       |
| Last Used            | The most recent date and time the role was assumed; blank if never used.               |
| Max Session Duration | The maximum duration in seconds for a session when assuming the role.                  |
| Permissions Boundary | The managed policy used to set the maximum permissions for the role; blank if not set. |
| Source Tenant        | The name of the tenant or configuration source from which the role was scanned.        |
| Object ID            | The unique identifier of the role object, equivalent to the IAM Role ID.               |

***

**Policies**

Policies tab contains a list of IAM policies attached to the role, including both managed and inline policies. This list also contains columns such as AWS Managed and Grants Admin Privileges to identify the scope and risk level of each policy.

<figure><img src="/files/XDLIWlkpB89vUlvByeAx" alt=""><figcaption><p>Policies</p></figcaption></figure>

***

**Issues**

Issues pane contains identified security issues on the IAM role object.

<figure><img src="/files/4Pxbj3O2k8Vs3VvlbdfX" alt=""><figcaption><p>Issues</p></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://docs.forestall.io/fsprotect/aws-identities/roles.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.